activemq-dev mailing list archives

From Claus Ibsen <claus.ib...@gmail.com>
Subject Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released
Date Mon, 07 Dec 2015 13:16:32 GMT
Also if the Java class name is in a JMS header (I think there is a
standard for that, JMSType is it not?) maybe the client/server can use
that out of the box to know at least packages from that class are okay
to use.


On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
> Hi
>
> Thanks.
>
> Yeah this must be easier from client pov. Having to set a JVM system
> property is sometimes hard for people, eg they deploy to an existing
> running app server which they cannot restart.
>
> And then they need to add some code hack to set the system property
> from their java app before AMQ bootstrap.
>
> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> way for clients, and a speedy release so users can upgrade more
> easily.
>
>
>
> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <dejan@nighttale.net> wrote:
>> Hi Claus,
>>
>> here’s the test fix for the current implementation
>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>>
>> The thing is that the same security issues can occur in the client
>> applications, when folks call getObject() method, so I think it’s the right
>> approach for people to white-list only the packages they trust.
>>
>> I agree that we can improve user experience by making it easier to
>> configure all this in the client apps. I think it might be good to allow easy
>> configuration on the connection factory and using connection urls. I’ll
>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
>> any more concerns and ideas on how to improve this, please let me know.
>>
>> I’ll go ahead next and create more docs around this.
>>
>>
>> Regards
>> --
>> Dejan Bosanac
>> about.me/dejanb
>>
>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <dejan@nighttale.net> wrote:
>>
>>> I’ll give it a try now. Thanks!
>>>
>>> Regards
>>> --
>>> Dejan Bosanac
>>> about.me/dejanb
>>>
>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <claus.ibsen@gmail.com>
>>> wrote:
>>>
>>>> Yes, a number of tests fail in camel-jms if you test with 5.13.0. You
>>>> can try yourself by changing the activemq-version in the
>>>> parent/pom.xml.
>>>>
>>>>
>>>>
>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <dejan@nighttale.net>
>>>> wrote:
>>>> > Hi Claus,
>>>> >
>>>> > restrictions were necessary for the CVE that was reported. We’re about to
>>>> > disclose it fully now after the release.
>>>> >
>>>> > AFAIK the change should not affect ObjectMessages in general, just the
>>>> > cases where those objects are serialized/unserialized inside of the broker,
>>>> > like web console or stomp transformations. I’ll create proper docs for
>>>> > the change now and the security aspect of it and we can see later what else
>>>> > we can do to improve the user experience.
>>>> >
>>>> > Are there any Camel related tests that fail due to this change? I can take
>>>> > a look at that as well.
>>>> >
>>>> >
>>>> > Regards
>>>> > --
>>>> > Dejan Bosanac
>>>> > about.me/dejanb
>>>> >
>>>> > On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
>>>> >
>>>> >> I really think you guys should add something about those object
>>>> >> serialization restrictions. Any end users that use java objects over
>>>> >> JMS are affected. Nothing works anymore.
>>>> >>
>>>> >> It's because of
>>>> >> https://issues.apache.org/jira/browse/AMQ-6013
>>>> >>
>>>> >> So there should be some text in the release notes, and ideally AMQ
>>>> >> broker / client should have some kind of INFO logging that openwire
>>>> >> with objects is restricted or not. Otherwise it's even harder for end
>>>> >> users to spot what is going on.
>>>> >>
>>>> >>
>>>> >>
>>>> >> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <tabish121@gmail.com> wrote:
>>>> >> > It's probably a good idea to add a new page in the "New Features" section
>>>> >> > on the site to cover the additions in 5.13.0.  I know you added the 'auto'
>>>> >> > transport along with some other work for some additional metrics etc, all
>>>> >> > good things that would be nice to advertise a bit.
>>>> >> >
>>>> >> > See: http://activemq.apache.org/new-features.html
>>>> >> >
>>>> >> > On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
>>>> >> > christopher.l.shannon@gmail.com> wrote:
>>>> >> >
>>>> >> >> Hi everyone,
>>>> >> >>
>>>> >> >> Apache ActiveMQ 5.13.0 has now been released.
>>>> >> >>
>>>> >> >> This release contains a number of resolved issues and new features since
>>>> >> >> the 5.12.1 release.
>>>> >> >>
>>>> >> >> A list of issues resolved in this release is available here:
>>>> >> >>
>>>> >> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>>> >> >>
>>>> >> >> The Wiki page for the release is here:
>>>> >> >> http://activemq.apache.org/activemq-5130-release.html
>>>> >> >>
>>>> >> >> API documentation for 5.12.1 is located here:
>>>> >> >> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>>> >> >>
>>>> >> >
>>>> >> >
>>>> >> >
>>>> >> > --
>>>> >> > --
>>>> >> > Tim Bish
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Claus Ibsen
>>>> >> -----------------
>>>> >> http://davsclaus.com @davsclaus
>>>> >> Camel in Action 2: https://www.manning.com/ibsen2
>>>> >>
>>>>
>>>>
>>>>
>>>> --
>>>> Claus Ibsen
>>>> -----------------
>>>> http://davsclaus.com @davsclaus
>>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>>
>>>
>>>
>
>
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
