I commented on the bugzilla ticket. https://bugzilla.redhat.com/show_bug.cgi?id=1067265

On Wed, Apr 23, 2014 at 4:05 PM, Patrick Hunt <[email protected]> wrote:
> I scanned through the client and server code, I don't see where we log
> the password to the log4j log. I'm not as familiar with the sasl code
> though.
>
> Did anyone reach out to the OP on that issue? Perhaps we can reach out
> and get more detail (both on the original issue and how it was fixed).
>
> Patrick
>
> On Wed, Apr 23, 2014 at 11:14 AM, Andrew Purtell <[email protected]> wrote:
>> If you like. The prototype on that JIRA has more than a single configuration
>> toggle, but another revision could do that. In lieu of a simple
>> configuration change there could be a chapter on setting up filesystem
>> encryption on Linux and Windows. This wouldn't protect against leaks due to
>> improper filesystem level permissions.
>>
>> On Wed, Apr 23, 2014 at 10:58 AM, Michi Mutsuzaki <[email protected]> wrote:
>>> I'm all for encrypting txn logs/snapshots, but shouldn't we use some
>>> existing file system encryption instead of implementing our own?
>>>
>>> On Wed, Apr 23, 2014 at 8:56 AM, Andrew Purtell <[email protected]> wrote:
>>>> ZOOKEEPER-1688
>>>>
>>>> On Tuesday, April 22, 2014, Flavio Junqueira <[email protected]> wrote:
>>>>> I've created ZK-1917 for this.
>>>>>
>>>>> I think it is referring to the txn logs. If so, SSL encryption alone isn't
>>>>> going to do it.
>>>>>
>>>>> -Flavio
>>>>>
>>>>> On 22 Apr 2014, at 18:55, Patrick Hunt <[email protected]> wrote:
>>>>>> On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <[email protected]> wrote:
>>>>>>> That's a great idea.
>>>>>>>
>>>>>>> The link talks about one specific vulnerability (password being logged
>>>>>>> in cleartext :( ), but I'm interested in securing ZooKeeper in
>>>>>>> general. I've seen projects staying away from ZooKeeper because it
>>>>>>> doesn't support SSL, for example.
>>>>>>>
>>>>>> That was one of the reasons why we were trying to add netty support -
>>>>>> it would greatly simplify enabling SSL encryption.
>>>>>>
>>>>>> Patrick
>>>>>>
>>>>>>> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <[email protected]> wrote:
>>>>>>>> Some of you may have noticed that there is a CVE entry for ZK:
>>>>>>>>
>>>>>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>>>>>>
>>>>>>>> I've never perceived ZK as a project particularly strong on the security
>>>>>>>> side, but I was wondering how folks in the list feel about creating a jira
>>>>>>>> and working something out.
>>>>>>>>
>>>>>>>> -Flavio
>>>>
>>>> --
>>>> Best regards,
>>>>
>>>> - Andy
>>>>
>>>> Problems worthy of attack prove their worth by hitting back. - Piet Hein
>>>> (via Tom White)
>>
>> --
>> Best regards,
>>
>> - Andy
>>
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein
>> (via Tom White)
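The thread turns on one concrete failure mode, a credential reaching the log4j log in cleartext, and on Patrick's point that auditing the code by eye did not find where it happens. An added example, not code from this thread or from the ZooKeeper project: a small checker that runs over log lines and flags the ones carrying a credential, either because they contain a known secret value taken from configuration or because they carry a password-like `key=value` field, plus a redaction helper for log shipping. The log lines, the `hunter2` value, and the `Example@42` logger names are constructed for the example; the log4j layout is only approximated.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lines in a log4j-style layout; they are not real
# ZooKeeper output. "hunter2" stands in for a credential that should
# never appear in a log.
SAMPLE_LOG = [
    "2014-04-22 10:14:03,112 [myid:1] - INFO  [main:QuorumPeerConfig@101] "
    "- Reading configuration from: conf/zoo.cfg",
    "2014-04-22 10:14:03,340 [myid:1] - INFO  [main:Example@42] "
    "- auth scheme=digest user=admin password=hunter2",
    "2014-04-22 10:14:03,341 [myid:1] - DEBUG [main:Example@57] "
    "- credential string: admin:hunter2",
    "2014-04-22 10:14:04,000 [myid:1] - INFO  [main:Example@60] "
    "- client connected, session 0x14590a1b2c3d000",
]

# Secret values the operator knows about (e.g. read from the deployment's
# own configuration). Constructed here.
KNOWN_SECRETS: Set[str] = {"hunter2"}

# Fields whose value should never be logged. The key list is an assumption
# for the example, not a ZooKeeper convention.
KEY_VALUE_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*(\S+)")


def find_leaks(lines: Iterable[str], known_secrets: Set[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, reasons) for every line that looks like it leaks a credential.

    Two independent checks are applied: a substring match against known secret
    values, which catches leaks in any layout (as in the DEBUG line above), and
    a pattern match for password-like key=value fields, which needs no prior
    knowledge of the value.
    """
    findings: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, start=1):
        reasons: List[str] = []
        if any(secret in line for secret in known_secrets):
            reasons.append("contains a known secret value")
        if KEY_VALUE_PATTERN.search(line):
            reasons.append("contains a password-like key=value field")
        if reasons:
            findings.append((number, reasons))
    return findings


def redact(line: str, known_secrets: Set[str]) -> str:
    """Mask known secret values and password-like fields before a line is shipped or stored."""
    for secret in known_secrets:
        line = line.replace(secret, "[REDACTED]")
    return KEY_VALUE_PATTERN.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


def summarize(lines: List[str], known_secrets: Set[str]) -> Dict[str, int]:
    """Count how many lines each check fired on; useful as a one-number gate in CI."""
    counts = {"known_secret": 0, "key_value": 0}
    for _, reasons in find_leaks(lines, known_secrets):
        for reason in reasons:
            counts["known_secret" if "known" in reason else "key_value"] += 1
    return counts


if __name__ == "__main__":
    for number, reasons in find_leaks(SAMPLE_LOG, KNOWN_SECRETS):
        print(f"line {number}: {', '.join(reasons)}")
        print("  redacted:", redact(SAMPLE_LOG[number - 1], KNOWN_SECRETS))
```

The substring check is the one that finds the `credential string: admin:hunter2` line, which no field-name pattern would catch, so keeping a list of deployed secret values (from the same place the service reads them) is what makes a log audit reliable; the pattern check covers values nobody thought to list.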
