[
https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Han updated ZOOKEEPER-2405:
-----------------------------------
Attachment: ZOOKEEPER-2405.patch
Update patch to remove the null check against tickets retrieved from subject
credential set. There was an issue in JDK which states there were legal actions
to make the credential set in a bad state (e.g. null element in the set) [1],
and now it looks like the contract has been fixed [2], so it's safe to remove
the null check in application code.
[1] https://bugs.openjdk.java.net/browse/JDK-8015081
[2] http://hg.openjdk.java.net/jdk9/dev/jdk/rev/36a0438a6631
> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
> Key: ZOOKEEPER-2405
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
> Project: ZooKeeper
> Issue Type: Bug
> Components: kerberos, security, server
> Affects Versions: 3.4.8, 3.5.1, 3.6.0
> Reporter: Patrick Hunt
> Assignee: Michael Han
> Priority: Blocker
> Fix For: 3.4.9, 3.5.2, 3.6.0
>
> Attachments: ZOOKEEPER-2405.patch, ZOOKEEPER-2405.patch,
> ZOOKEEPER-2405.patch
>
>
> We're logging the kerberos ticket when in debug mode, probably not the best
> idea. This was identified as a "critical" issue by Fortify.
> {noformat}
> for(KerberosTicket ticket: tickets) {
> KerberosPrincipal server = ticket.getServer();
> if (server.getName().equals("krbtgt/" + server.getRealm() + "@" +
> server.getRealm())) {
> LOG.debug("Found tgt " + ticket + ".");
> return ticket;
> }
> }
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
