activemq-dev mailing list archives

From Claus Ibsen <claus.ib...@gmail.com>
Subject Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released
Date Wed, 16 Dec 2015 15:24:43 GMT
Thanks Dejan

I logged a ticket at Camel with your instructions
https://issues.apache.org/jira/browse/CAMEL-9429

On Mon, Dec 14, 2015 at 2:15 PM, Dejan Bosanac <dejan@nighttale.net> wrote:
> Hi Claus,
>
> I implemented a fix for this in
> https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
> and see if anything else is missing, it would be greatly appreciated.
>
> Here are the proposed changes to Camel once we have the 5.13.1 release:
> https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
>
> BTW. We should change version of the current master to 5.14-SNAPSHOT now
> that 5.13.0 is out.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <dkulp@apache.org> wrote:
>
>>
>> > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
>> >
>> > Also, if the Java class name is in a JMS header (I think there is a
>> > standard for that, JMSType is it not?) maybe the client/server can use
>> > that out of the box to know at least that packages from that class are okay
>> > to use.
>>
>>
>> Doesn't that defeat the purpose though?  I could craft a message that
>> contains "MyBadClass" and add that JMS header to say MyBadClass should be
>> allowed.  MyBadClass is loaded and there is a security problem.  It really needs to be
>> something configured, not something that is part of the message.
>>
>> Dan
>>
>>
>> >
>> >
>> > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <claus.ibsen@gmail.com>
>> wrote:
>> >> Hi
>> >>
>> >> Thanks.
>> >>
>> >> Yeah, this must be easier from the client's point of view. Having to set a JVM system
>> >> property is sometimes hard for people, e.g. they deploy to an existing
>> >> running app server which they cannot restart.
>> >>
>> >> And then they need to add some code hack to set the system property
>> >> from their Java app before AMQ bootstraps.
>> >>
>> >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
>> >> way for clients, and a speedy release so users can upgrade more
>> >> easily.
>> >>
>> >>
>> >>
>> >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <dejan@nighttale.net>
>> wrote:
>> >>> Hi Claus,
>> >>>
>> >>> here's the test fix for the current implementation:
>> >>>
>> >>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>> >>>
>> >>> The thing is that the same security issues can occur in the client
>> >>> applications, when folks call the getObject() method, so I think it's the
>> >>> right approach for people to white-list only the packages they trust.
>> >>>
>> >>> I agree that we can improve the user experience by making it easier to
>> >>> configure all this in the client apps. I think it might be good to allow
>> >>> easy configuration on the connection factory and using connection URLs. I'll
>> >>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
>> >>> any more concerns and ideas on how to improve this, please let me know.
>> >>>
>> >>> I’ll go ahead next and create more docs around this.
>> >>>
>> >>>
>> >>> Regards
>> >>> --
>> >>> Dejan Bosanac
>> >>> about.me/dejanb
>> >>>
>> >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <dejan@nighttale.net>
>> wrote:
>> >>>
>> >>>> I’ll give it a try now. Thanks!
>> >>>>
>> >>>> Regards
>> >>>> --
>> >>>> Dejan Bosanac
>> >>>> about.me/dejanb
>> >>>>
>> >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <claus.ibsen@gmail.com>
>> >>>> wrote:
>> >>>>
>> >>>>> Yes, a number of tests fail in camel-jms if you test with 5.13.0. You
>> >>>>> can try yourself by changing the activemq-version in the
>> >>>>> parent/pom.xml.
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <dejan@nighttale.net>
>> >>>>> wrote:
>> >>>>>> Hi Claus,
>> >>>>>>
>> >>>>>> restrictions were necessary for the CVE that was reported. We're about
>> >>>>>> to disclose it fully now after the release.
>> >>>>>>
>> >>>>>> AFAIK the change should not affect ObjectMessages in general, just the
>> >>>>>> cases where those objects are serialized/unserialized inside of the broker,
>> >>>>>> like web console or STOMP transformations. I'll create proper docs for
>> >>>>>> the change now and the security aspect of it, and we can see later what
>> >>>>>> else we can do to improve the user experience.
>> >>>>>>
>> >>>>>> Are there any Camel related tests that fail due to this change? I can
>> >>>>>> take a look at that as well.
>> >>>>>>
>> >>>>>>
>> >>>>>> Regards
>> >>>>>> --
>> >>>>>> Dejan Bosanac
>> >>>>>> about.me/dejanb
>> >>>>>>
>> >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <claus.ibsen@gmail.com>
>> >>>>>> wrote:
>> >>>>>>
>> >>>>>>> I really think you guys should add something about those object
>> >>>>>>> serialization restrictions. Any end users that use Java objects over
>> >>>>>>> JMS are affected. Nothing works anymore.
>> >>>>>>>
>> >>>>>>> It's because of
>> >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
>> >>>>>>>
>> >>>>>>> So there should be some text in the release notes, and ideally the AMQ
>> >>>>>>> broker / client should have some kind of INFO logging that OpenWire
>> >>>>>>> with objects is restricted or not. Otherwise it's even harder for end
>> >>>>>>> users to spot what is going on.
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <tabish121@gmail.com>
>> >>>>> wrote:
>> >>>>>>>> It's probably a good idea to add a new page in the "New Features" section
>> >>>>>>>> on the site to cover the additions in 5.13.0.  I know you added the 'auto'
>> >>>>>>>> transport along with some other work for some additional metrics etc., all
>> >>>>>>>> good things that would be nice to advertise a bit.
>> >>>>>>>>
>> >>>>>>>> See: http://activemq.apache.org/new-features.html
>> >>>>>>>>
>> >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon
>> >>>>>>>> <christopher.l.shannon@gmail.com> wrote:
>> >>>>>>>>
>> >>>>>>>>> Hi everyone,
>> >>>>>>>>>
>> >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
>> >>>>>>>>>
>> >>>>>>>>> This release contains a number of resolved issues and new features
>> >>>>>>>>> since the 5.12.1 release.
>> >>>>>>>>>
>> >>>>>>>>> A list of issues resolved in this release is available here:
>> >>>>>>>>>
>> >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>> >>>>>>>>>
>> >>>>>>>>> The Wiki page for the release is here:
>> >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
>> >>>>>>>>>
>> >>>>>>>>> API documentation for 5.12.1 is located here:
>> >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> --
>> >>>>>>>> --
>> >>>>>>>> Tim Bish
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> Claus Ibsen
>> >>>>>>> -----------------
>> >>>>>>> http://davsclaus.com @davsclaus
>> >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
>> >>>>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Claus Ibsen
>> >>>>> -----------------
>> >>>>> http://davsclaus.com @davsclaus
>> >>>>> Camel in Action 2: https://www.manning.com/ibsen2
>> >>>>>
>> >>>>
>> >>>>
>> >>
>> >>
>> >>
>> >> --
>> >> Claus Ibsen
>> >> -----------------
>> >> http://davsclaus.com @davsclaus
>> >> Camel in Action 2: https://www.manning.com/ibsen2
>> >
>> >
>> >
>> > --
>> > Claus Ibsen
>> > -----------------
>> > http://davsclaus.com @davsclaus
>> > Camel in Action 2: https://www.manning.com/ibsen2
>>
>> --
>> Daniel Kulp
>> dkulp@apache.org - http://dankulp.com/blog
>> Talend Community Coder - http://coders.talend.com
>>
>>



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
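The point Dan makes above (the trusted-package list must be receiver configuration, never something the message itself declares) can be illustrated with a small receiver-side deserializer. This is an added example, not ActiveMQ's or Camel's own code; the package name com.example.trusted, the OrderPayload class and the TrustedPackagesInputStream wrapper are hypothetical, and the demo uses java.util.Date as a stand-in for any class outside the configured packages.

```java
package com.example.trusted;

import java.io.*;
import java.util.Date;
import java.util.List;

public class TrustedPackagesDemo {
    /** ObjectInputStream that resolves only classes from packages the receiver configured. */
    static final class TrustedPackagesInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;
        TrustedPackagesInputStream(InputStream in, List<String> trustedPackages) throws IOException {
            super(in);
            this.trustedPackages = trustedPackages;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String pkg : trustedPackages) {
                if (name.startsWith(pkg + ".")) {
                    return super.resolveClass(desc);
                }
            }
            // Refuse before loading anything: the class never gets a chance to run readObject().
            throw new InvalidClassException(name, "not in trusted packages " + trustedPackages);
        }
    }
    /** Hypothetical application payload living in the trusted package. */
    public static class OrderPayload implements Serializable { int quantity = 42; }
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return bos.toByteArray();
    }
    /** The trusted list comes from receiver configuration only; nothing in the message body or headers can widen it. */
    static Object readObject(byte[] body, List<String> trusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new TrustedPackagesInputStream(new ByteArrayInputStream(body), trusted)) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        List<String> trusted = List.of("com.example.trusted");
        System.out.println(readObject(serialize(new OrderPayload()), trusted)); // accepted
        try {
            readObject(serialize(new Date()), trusted); // java.util is not in the configured list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real deployment the list would be read from the connection factory or broker configuration the thread discusses, so that a class name carried in a JMS header such as JMSType has no influence on what gets resolved.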
