Agree. We should fix this. Would be worthy of a 3.4.7 imo. I'm having some trouble understanding the problem though.

afaict from the linked bug/reports it seems that "An admin user's password appeared in plaintext in binary log files." Do they mean to say in the txnlog? Or just in the log4j log?

The bug report here https://bugzilla.redhat.com/show_bug.cgi?id=1067265 says that the issue has been addressed; however, I can't tell what they did to address it.

Anyone have more insight?

Patrick

On Tue, Apr 22, 2014 at 10:15 AM, Camille Fournier <[email protected]> wrote:

> We should at least address it in some way. A jira is probably in order.
>
>
> On Tue, Apr 22, 2014 at 12:32 PM, Flavio Junqueira <[email protected]> wrote:
>
>> Some of you may have noticed that there is a CVE entry for ZK:
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>
>> I've never perceived ZK as a project particularly strong on the security side, but I was wondering how folks in the list feel about creating a jira and working something out.
>>
>> -Flavio
