ZOOKEEPER-1688 On Tuesday, April 22, 2014, Flavio Junqueira <[email protected]> wrote:
> I've created ZK-1917 for this. > > I think it is referring to the txn logs. If so, SSL encryption alone isn't > going to do it. > > -Flavio > > On 22 Apr 2014, at 18:55, Patrick Hunt <[email protected] <javascript:;>> > wrote: > > > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki > > <[email protected]<javascript:;>> > wrote: > >> That's a great idea. > >> > >> The link talks about one specific vulnerability (password being logged > >> in a cleartext :( ), but I'm interested in securing ZooKeeper in > >> general. I've seen projects staying away from ZooKeeper because it > >> doesn't support SSL, for example. > >> > > > > That was one of the reasons why we were trying to add netty support - > > it would greatly simplify enabling SSL encryption. > > > > Patrick > > > >> > >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira > >> <[email protected]<javascript:;>> > wrote: > >>> Some of you may have noticed that there is a CVE entry for ZK: > >>> > >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085 > >>> > >>> I've never perceived ZK as a project particularly strong on the > security > >>> side, but I was wondering how folks in the list feel about creating a > jira > >>> and working something out. > >>> > >>> -Flavio > > -- Best regards, - Andy Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
