https://bz.apache.org/bugzilla/show_bug.cgi?id=61114
Bug ID: 61114
Summary: startup.VersionLoggerListener may leak sensitive information
Product: Tomcat 8
Version: 8.0.28
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: juergen.herm...@1und1.de
Target Milestone: ----

Related to https://bz.apache.org/bugzilla/show_bug.cgi?id=56401

When passwords or similar are part of the JVM command line, they end up in logs that might be shipped to locations where you don't want that information to end up. At least well-known cases should be handled (-Djavax.net.ssl.trustStorePassword=...).

Possible remedies:

* Provide an option to not log command line args (but the other information).
* Handle well-known cases via a blacklist of substrings / regex that prevent logging ("javax.net.ssl.trustStorePassword", or "password" and "secret" in general).

Of course, removing the listener also works, but at the price of removing *all* of its logging.
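The second remedy above (a denylist of substrings / regex applied before the command line is logged) can be sketched as a small Java class. This is an added example and not code from Tomcat or from the reporter; the class name `ArgRedactor`, the regex, the mask string and the sample arguments are all assumptions made for illustration. It reads the live JVM arguments the same way a Tomcat lifecycle listener could (via `RuntimeMXBean`), but it depends only on the JDK so it runs stand-alone.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Masks the values of sensitive -D system properties before a startup
 * logger writes the JVM command line. Hypothetical helper, not Tomcat code.
 */
public final class ArgRedactor {

    // Assumed denylist: any -Dkey=value whose key contains "password",
    // "secret" or "passphrase" (case-insensitive). This covers the
    // -Djavax.net.ssl.trustStorePassword case named in the bug report.
    private static final Pattern SENSITIVE_ARG = Pattern.compile(
            "^(-D[^=]*(?:password|secret|passphrase)[^=]*)=.*$",
            Pattern.CASE_INSENSITIVE);

    private static final String MASK = "********";

    private ArgRedactor() {
    }

    /**
     * Returns a copy of args in which the value of every sensitive
     * -D property is replaced by MASK; all other arguments are unchanged.
     */
    public static List<String> redact(List<String> args) {
        List<String> out = new ArrayList<>(args.size());
        for (String arg : args) {
            Matcher m = SENSITIVE_ARG.matcher(arg);
            out.add(m.matches() ? m.group(1) + "=" + MASK : arg);
        }
        return out;
    }

    public static void main(String[] argv) {
        // Constructed sample command line; the values are not real secrets.
        List<String> sample = List.of(
                "-Xmx1g",
                "-Djavax.net.ssl.trustStorePassword=changeit",
                "-Dapp.db.PASSWORD=hunter2",
                "-Dapp.name=shop");
        for (String a : redact(sample)) {
            System.out.println("Command line argument: " + a);
        }

        // Same filter applied to the arguments of the JVM actually running
        // this class, which is what a startup logger would iterate over.
        for (String a : redact(ManagementFactory.getRuntimeMXBean().getInputArguments())) {
            System.out.println("Command line argument: " + a);
        }
    }
}
```

In the sample, the two password arguments are printed as `-Djavax.net.ssl.trustStorePassword=********` and `-Dapp.db.PASSWORD=********` while `-Xmx1g` and `-Dapp.name=shop` pass through unchanged. A key-name denylist like this only catches secrets whose property name reveals them; a secret passed under an innocuous key, or embedded in a non-`-D` argument such as an agent option string, would still be logged, which is why the report's first remedy (an option to suppress argument logging entirely) is the more conservative default for logs that leave the host.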