I scanned through the client and server code, I don't see where we log the password to the log4j log. I'm not as familiar with the sasl code though.

Did anyone reach out to the OP on that issue? Perhaps we can reach out and get more detail (both on the original issue and how it was fixed).

Patrick

On Wed, Apr 23, 2014 at 11:14 AM, Andrew Purtell <[email protected]> wrote:
> If you like. The prototype on that JIRA has more than a single configuration
> toggle, but another revision could do that. In lieu of a simple
> configuration change there could be a chapter on setting up filesystem
> encryption on Linux and Windows. This wouldn't protect against leaks due to
> improper filesystem level permissions.
>
>
> On Wed, Apr 23, 2014 at 10:58 AM, Michi Mutsuzaki <[email protected]> wrote:
>
>> I'm all for encrypting txn logs/snapshots, but shouldn't we use some
>> existing file system encryption instead of implementing our own?
>>
>> On Wed, Apr 23, 2014 at 8:56 AM, Andrew Purtell <[email protected]> wrote:
>> > ZOOKEEPER-1688
>> >
>> > On Tuesday, April 22, 2014, Flavio Junqueira <[email protected]> wrote:
>> >
>> >> I've created ZK-1917 for this.
>> >>
>> >> I think it is referring to the txn logs. If so, SSL encryption alone isn't
>> >> going to do it.
>> >>
>> >> -Flavio
>> >>
>> >> On 22 Apr 2014, at 18:55, Patrick Hunt <[email protected]> wrote:
>> >>
>> >> > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <[email protected]> wrote:
>> >> >> That's a great idea.
>> >> >>
>> >> >> The link talks about one specific vulnerability (password being logged
>> >> >> in cleartext :( ), but I'm interested in securing ZooKeeper in
>> >> >> general. I've seen projects staying away from ZooKeeper because it
>> >> >> doesn't support SSL, for example.
>> >> >>
>> >> >
>> >> > That was one of the reasons why we were trying to add netty support -
>> >> > it would greatly simplify enabling SSL encryption.
>> >> >
>> >> > Patrick
>> >> >
>> >> >>
>> >> >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <[email protected]> wrote:
>> >> >>> Some of you may have noticed that there is a CVE entry for ZK:
>> >> >>>
>> >> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>> >> >>>
>> >> >>> I've never perceived ZK as a project particularly strong on the security
>> >> >>> side, but I was wondering how folks in the list feel about creating a jira
>> >> >>> and working something out.
>> >> >>>
>> >> >>> -Flavio
>> >> >>
>> >> >
>> >
>> > --
>> > Best regards,
>> >
>> > - Andy
>> >
>> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
>> > (via Tom White)
>
>
>
> --
> Best regards,
>
> - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)
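Andrew's caveat in the thread above is that encrypting the txn logs and snapshots does not help if the files themselves are readable by other local users. The following is an added example, not code from the ZooKeeper project or from anyone on the thread: a POSIX shell check that lists every regular file under a data directory that is group- or world-readable. The directory layout and file names it builds for the demo (a version-2/ directory holding snapshot.0 and log.1) are constructed placeholders with empty contents; the check itself only looks at mode bits and works on any directory.

```shell
#!/bin/sh
# Added example (not from the ZooKeeper project or the mailing-list thread):
# flag data files readable by anyone other than their owner. Encryption at
# rest does nothing for a file another local user can simply read.

# Print every regular file under $1 whose mode grants read to group or other.
# Exit status: 0 if none were found, 1 if at least one path was printed.
# Uses only POSIX find (-perm -mode = "all of these bits set").
zk_world_readable_files() {
    dir=$1
    found=$(find "$dir" -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null | sort)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Build a constructed dataDir (names mimic ZooKeeper's version-2/ layout but
# the files are empty placeholders) with one owner-only file and one
# over-permissive file, then run the check against it.
zk_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/version-2"
    : > "$tmp/version-2/snapshot.0"
    chmod 600 "$tmp/version-2/snapshot.0"   # owner-only: not flagged
    : > "$tmp/version-2/log.1"
    chmod 644 "$tmp/version-2/log.1"        # world-readable: flagged
    if zk_world_readable_files "$tmp"; then
        echo "OK: no group/world-readable files under $tmp"
    else
        echo "WARN: the files above are readable by other users; fix with chmod 600"
    fi
    rm -rf "$tmp"
}

zk_demo
```

Run it against a real dataDir and dataLogDir (zk_world_readable_files /path/to/dataDir) as a pre-flight check before, or instead of, adding an encryption layer; the exit status makes it usable from a cron job or a deployment script.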
