If logging is higher than DEBUG level, the message will not print. The
Log.debug() method will check the log level internally. Adding the
external check is simply a potential performance optimization.
Thanks.
On Mon, Aug 12, 2019, 10:41 PM Xiaoqin Fu wrote:
> Dear developers:
> I am a
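The behaviour described in the reply above, as an added example (not code from the thread or from ZooKeeper): `java.util.logging`'s FINE level stands in for DEBUG, and the class name, the sample path and the counters are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class LogGuardDemo {
    static final Logger LOG = Logger.getLogger("LogGuardDemo");
    static final List<String> emitted = new ArrayList<>(); // what reaches the log
    static int built = 0;                                  // message constructions

    // Builds the message; counts calls so the cost of an unguarded call is visible.
    static String describe(String path) {
        built++;
        return "Processing request for path " + path;
    }

    static void unguarded(String path) {
        LOG.fine(describe(path));           // level is checked inside fine()
    }

    static void guarded(String path) {
        if (LOG.isLoggable(Level.FINE)) {   // external check: skips describe()
            LOG.fine(describe(path));
        }
    }

    static void run(Level level, String path) {
        LOG.setLevel(level);
        emitted.clear();
        built = 0;
        unguarded(path);
        guarded(path);
        System.out.printf("level=%s built=%d emitted=%s%n", level, built, emitted);
    }

    public static void main(String[] args) {
        LOG.setUseParentHandlers(false);    // capture records locally only
        LOG.addHandler(new Handler() {
            @Override public void publish(LogRecord r) { emitted.add(r.getMessage()); }
            @Override public void flush() { }
            @Override public void close() { }
        });
        String path = "/constructed/sample/znode"; // constructed sample value
        run(Level.INFO, path); // above debug: the logger drops both calls
        run(Level.FINE, path); // debug enabled: both calls log the path
    }
}
```

With the level above debug, the guard only avoids building the string; with debug enabled, the guarded and unguarded calls write the same message, so the guard has no effect on what ends up in the log.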
Dear developers:
I am a Ph.D. student at Washington State University. I applied a dynamic
taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11). And then I
found a security vulnerability that exists from 3.4.11-3.4.14 and 3.5.5,
from tainted paths.
An information leakage from
Hello Xiaoqin,
My understanding is that log guards are used for performance reasons. I
don't see how they can prevent information leakage.
I'd also like to add: please use the security mailing list first if
you think you found a CVE. - secur...@zookeeper.apache.org
More info here:
On Fri, Aug 9, 2019 at 9:34 AM Enrico Olivelli wrote:
> Those points do not seem a security issue
>
>
Agree. First off the data is not sensitive. Also it's debug level and
logged on the server. See
https://issues.apache.org/jira/browse/ZOOKEEPER-3488 - similar situation
although in this case
Those points do not seem a security issue
Enrico
On Fri, Aug 9, 2019, 17:52 Fu, Xiaoqin wrote:
> Dear developers:
> I am a Ph.D. student at Washington State University. I applied a
> dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> And then I found a security
Dear developers:
I am a Ph.D. student at Washington State University. I applied a dynamic
taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11). And then I
found a security vulnerability that exists from 3.4.11-3.4.14 and 3.5.5, from
tainted paths.
Possible information leakage