Great! Could you also inquire on how they fixed this?

Patrick
On Wed, Apr 23, 2014 at 4:31 PM, Michi Mutsuzaki <[email protected]> wrote:
> I commented on the bugzilla ticket.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1067265
>
>
> On Wed, Apr 23, 2014 at 4:05 PM, Patrick Hunt <[email protected]> wrote:
>> I scanned through the client and server code, I don't see where we log
>> the password to the log4j log. I'm not as familiar with the sasl code
>> though.
>>
>> Did anyone reach out to the OP on that issue? Perhaps we can reach out
>> and get more detail (both on the original issue and how it was fixed).
>>
>> Patrick
>>
>> On Wed, Apr 23, 2014 at 11:14 AM, Andrew Purtell <[email protected]> wrote:
>>> If you like. The prototype on that JIRA has more than a single configuration
>>> toggle, but another revision could do that. In lieu of a simple
>>> configuration change there could be a chapter on setting up filesystem
>>> encryption on Linux and Windows. This wouldn't protect against leaks due to
>>> improper filesystem level permissions.
>>>
>>>
>>> On Wed, Apr 23, 2014 at 10:58 AM, Michi Mutsuzaki <[email protected]> wrote:
>>>
>>>> I'm all for encrypting txn logs/snapshots, but shouldn't we use some
>>>> existing file system encryption instead of implementing our own?
>>>>
>>>> On Wed, Apr 23, 2014 at 8:56 AM, Andrew Purtell <[email protected]> wrote:
>>>> > ZOOKEEPER-1688
>>>> >
>>>> > On Tuesday, April 22, 2014, Flavio Junqueira <[email protected]> wrote:
>>>> >
>>>> >> I've created ZK-1917 for this.
>>>> >>
>>>> >> I think it is referring to the txn logs. If so, SSL encryption alone isn't
>>>> >> going to do it.
>>>> >>
>>>> >> -Flavio
>>>> >>
>>>> >> On 22 Apr 2014, at 18:55, Patrick Hunt <[email protected]> wrote:
>>>> >>
>>>> >> > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <[email protected]> wrote:
>>>> >> >> That's a great idea.
>>>> >> >>
>>>> >> >> The link talks about one specific vulnerability (password being logged
>>>> >> >> in cleartext :( ), but I'm interested in securing ZooKeeper in
>>>> >> >> general. I've seen projects staying away from ZooKeeper because it
>>>> >> >> doesn't support SSL, for example.
>>>> >> >>
>>>> >> >
>>>> >> > That was one of the reasons why we were trying to add netty support -
>>>> >> > it would greatly simplify enabling SSL encryption.
>>>> >> >
>>>> >> > Patrick
>>>> >> >
>>>> >> >>
>>>> >> >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <[email protected]> wrote:
>>>> >> >>> Some of you may have noticed that there is a CVE entry for ZK:
>>>> >> >>>
>>>> >> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>> >> >>>
>>>> >> >>> I've never perceived ZK as a project particularly strong on the security
>>>> >> >>> side, but I was wondering how folks in the list feel about creating a jira
>>>> >> >>> and working something out.
>>>> >> >>>
>>>> >> >>> -Flavio
>>>> >>
>>>> >>
>>>> >
>>>> > --
>>>> > Best regards,
>>>> >
>>>> > - Andy
>>>> >
>>>> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
>>>> > (via Tom White)
>>>
>>>
>>>
>>>
>>> --
>>> Best regards,
>>>
>>> - Andy
>>>
>>> Problems worthy of attack prove their worth by hitting back. - Piet Hein
>>> (via Tom White)
