[
https://issues.apache.org/jira/browse/QPID-8616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17680947#comment-17680947
]
ASF GitHub Bot commented on QPID-8616:
--------------------------------------
dakirily opened a new pull request, #172:
URL: https://github.com/apache/qpid-broker-j/pull/172
This PR addresses
[QPID-8616](https://issues.apache.org/jira/browse/QPID-8616), preventing heap
inspection in ManagedUser class
> [Broker-J] Privacy Violation: Heap Inspection in ManagedUser
> ------------------------------------------------------------
>
> Key: QPID-8616
> URL: https://issues.apache.org/jira/browse/QPID-8616
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-9.0.0
> Reporter: Daniil Kirilyuk
> Priority: Minor
> Fix For: qpid-java-broker-9.0.1
>
>
> Sensitive data (such as passwords) stored in memory can be leaked if memory
> is not cleared after use. Often, Strings are used store sensitive data,
> however, since String objects are immutable, removing the value of a String
> from memory can only be done by the JVM garbage collector. The garbage
> collector is not required to run unless the JVM is low on memory, so there is
> no guarantee as to when garbage collection will take place. In the event of
> an application crash, a memory dump of the application might reveal sensitive
> data.
> Approach used in QPID-8583 should be applied to class ManagedUser.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
