[
https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Han updated ZOOKEEPER-2405:
-----------------------------------
Attachment: ZOOKEEPER-2405-br3.4.patch
Attaching a patch for the 3.4 branch, which uses an older version of the logger, so the previous patch targeting trunk does not apply cleanly.
> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
> Key: ZOOKEEPER-2405
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
> Project: ZooKeeper
> Issue Type: Bug
> Components: kerberos, security, server
> Affects Versions: 3.4.8, 3.5.1, 3.6.0
> Reporter: Patrick Hunt
> Assignee: Michael Han
> Priority: Blocker
> Fix For: 3.4.9, 3.5.2, 3.6.0
>
> Attachments: ZOOKEEPER-2405-br3.4.patch, ZOOKEEPER-2405.patch,
> ZOOKEEPER-2405.patch, ZOOKEEPER-2405.patch
>
>
> We're logging the Kerberos ticket when in debug mode, probably not the best
> idea. This was identified as a "critical" issue by Fortify.
> {noformat}
> for (KerberosTicket ticket : tickets) {
>     KerberosPrincipal server = ticket.getServer();
>     // A TGT is recognised by its service principal, krbtgt/REALM@REALM.
>     if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
>         // Fortify finding: string-concatenating the KerberosTicket calls its
>         // toString(), which renders the encoded ticket and session key into the log.
>         LOG.debug("Found tgt " + ticket + ".");
>         return ticket;
>     }
> }
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
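The following is an added example, not ZooKeeper's Login.java and not the fix attached to this issue. It reproduces the TGT selection loop quoted above against a constructed Subject, then prints the leaky debug line beside a hardened one so the difference is visible. KerberosTicket.toString() (JDK javax.security.auth.kerberos) includes the ASN.1-encoded ticket and the session key, which is why the concatenation in the original code is a credential leak. The class name TgtLoggingExample, the helper names findTgt, leakyDebugLine and safeDebugLine, and the ticket bytes, session key and principal names are all assumptions made for this example; no KDC is contacted.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

/**
 * Added example (not ZooKeeper code): locate the TGT among a Subject's
 * private credentials and compare a leaky debug line with a safe one.
 */
public class TgtLoggingExample {

    /** Same TGT selection as the quoted loop: a TGT's server principal is
     *  krbtgt/REALM@REALM. Returns null when the Subject holds no TGT. */
    static KerberosTicket findTgt(Subject subject) {
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = ticket.getServer();
            String realm = server.getRealm();
            if (server.getName().equals("krbtgt/" + realm + "@" + realm)) {
                return ticket;
            }
        }
        return null;
    }

    /** Leaky variant: "" + ticket calls KerberosTicket.toString(), which dumps
     *  the encoded ticket and the session key, so the credential lands in the log. */
    static String leakyDebugLine(KerberosTicket ticket) {
        return "Found tgt " + ticket + ".";
    }

    /** Hardened variant: only identifying, non-secret attributes are logged. */
    static String safeDebugLine(KerberosTicket ticket) {
        return "Found tgt for client " + ticket.getClient().getName()
                + " (server " + ticket.getServer().getName()
                + ", expires " + ticket.getEndTime() + ").";
    }

    public static void main(String[] args) {
        // Constructed ticket: the encoded bytes and the session key are stand-in
        // values chosen for this example; nothing here talks to a KDC.
        KerberosPrincipal client = new KerberosPrincipal("zookeeper/host.example.com@EXAMPLE.COM");
        KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
        byte[] fakeTicketBytes = new byte[] {0x61, 0x04, 0x30, 0x02, 0x05, 0x00};
        byte[] fakeSessionKey = new byte[16];
        for (int i = 0; i < fakeSessionKey.length; i++) {
            fakeSessionKey[i] = (byte) (0xA0 + i);
        }
        Date now = new Date();
        Date expiry = new Date(now.getTime() + 10L * 3600 * 1000);
        KerberosTicket tgt = new KerberosTicket(
                fakeTicketBytes, client, tgs, fakeSessionKey,
                17 /* aes128-cts-hmac-sha1-96 */, new boolean[32],
                now, now, expiry, null, null);

        Subject subject = new Subject();
        subject.getPrivateCredentials().add(tgt);

        KerberosTicket found = findTgt(subject);
        System.out.println("--- leaky debug line (key material and ticket bytes follow) ---");
        System.out.println(leakyDebugLine(found));
        System.out.println("--- safe debug line ---");
        System.out.println(safeDebugLine(found));
    }
}
```

When reviewing similar findings, grep for string concatenation or parameterised logging of KerberosTicket, KerberosKey, KeyTab or javax.crypto.SecretKey objects; the leak does not depend on the log level, since a debug-enabled production logger writes the same bytes.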