activemq-dev mailing list archives

From Dejan Bosanac <de...@nighttale.net>
Subject Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released
Date Wed, 16 Dec 2015 16:28:14 GMT
Thanks Claus, here’s some more docs for it
http://activemq.apache.org/objectmessage.html#ObjectMessage-Clients

I’ll create a proper PR once we have 5.13.1

Regards
--
Dejan Bosanac
about.me/dejanb

On Wed, Dec 16, 2015 at 4:24 PM, Claus Ibsen <claus.ibsen@gmail.com> wrote:

> Thanks Dejan
>
> I logged a ticket at Camel with your instructions
> https://issues.apache.org/jira/browse/CAMEL-9429
>
> On Mon, Dec 14, 2015 at 2:15 PM, Dejan Bosanac <dejan@nighttale.net> wrote:
> > Hi Claus,
> >
> > I implemented a fix for this in
> > https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
> > and see if anything else is missing, it would be greatly appreciated.
> >
> > Here are the proposed changes to the Camel once we have 5.13.1 release
> >
> > https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
> >
> > BTW. We should change version of the current master to 5.14-SNAPSHOT now
> > that 5.13.0 is out.
> >
> > Regards
> > --
> > Dejan Bosanac
> > about.me/dejanb
> >
> > On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <dkulp@apache.org> wrote:
> >
> >>
> >> > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
> >> >
> >> > Also if the java class name is in a JMS header ( I think there is a
> >> > standard for that, JMSType is it not?) maybe the client/server can use
> >> > that out of the box to know at least packages from that class is okay
> >> > to use.
> >>
> >>
> >> Doesn’t that defeat the purpose though?  I could craft a message that
> >> contains “MyBadClass” and add that JMS header to say MyBadClass should be
> >> allowed.  MyBadClass is loaded and security problem.  It really needs to be
> >> something configured, not something part of the message.
> >>
> >> Dan
> >>
> >>
> >> >
> >> >
> >> > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
> >> >> Hi
> >> >>
> >> >> Thanks.
> >> >>
> >> >> Yeah this must be easier from client pov. Having to set a JVM system
> >> >> property is sometimes hard for people, eg they deploy to an existing
> >> >> running app server which they cannot restart.
> >> >>
> >> >> And then they need to add some code hack to set the system property
> >> >> from their java app before AMQ bootstrap.
> >> >>
> >> >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> >> >> way for clients, and a speedy release so users can upgrade more
> >> >> easily.
> >> >>
> >> >>
> >> >>
> >> >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <dejan@nighttale.net> wrote:
> >> >>> Hi Claus,
> >> >>>
> >> >>> here’s the test fix for the current implementation
> >> >>>
> >> >>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
> >> >>>
> >> >>> The thing is that the same security issues can occur in the client
> >> >>> applications, when folks call getObject() method, so I think it’s the right
> >> >>> approach for people to white-list only the packages they trust.
> >> >>>
> >> >>> I agree that we can improve user experience by making it easier to
> >> >>> configure all this in the client apps. I think it might be good to allow easy
> >> >>> configuration on the connection factory and using connection urls. I’ll
> >> >>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
> >> >>> any more concerns and ideas on how to improve this, please let me know.
> >> >>>
> >> >>> I’ll go ahead next and create more docs around this.
> >> >>>
> >> >>>
> >> >>> Regards
> >> >>> --
> >> >>> Dejan Bosanac
> >> >>> about.me/dejanb
> >> >>>
> >> >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <dejan@nighttale.net> wrote:
> >> >>>
> >> >>>> I’ll give it a try now. Thanks!
> >> >>>>
> >> >>>> Regards
> >> >>>> --
> >> >>>> Dejan Bosanac
> >> >>>> about.me/dejanb
> >> >>>>
> >> >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
> >> >>>>
> >> >>>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You
> >> >>>>> can try yourself by changing the activemq-version in the
> >> >>>>> parent/pom.xml.
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <dejan@nighttale.net> wrote:
> >> >>>>>> Hi Claus,
> >> >>>>>>
> >> >>>>>> restrictions were necessary for the CVE that was reported. We’re about to
> >> >>>>>> disclose it fully now after the release.
> >> >>>>>>
> >> >>>>>> AFAIK the change should not affect ObjectMessages in general, just the
> >> >>>>>> cases where those objects are serialized/unserialized inside of the broker,
> >> >>>>>> like web console or stomp transformations. I’ll create proper docs for
> >> >>>>>> the change now and the security aspect of it and we can see later what else
> >> >>>>>> we can do to improve the user experience.
> >> >>>>>>
> >> >>>>>> Are there any Camel related tests that fail due to this change? I can take
> >> >>>>>> a look at that as well.
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> Regards
> >> >>>>>> --
> >> >>>>>> Dejan Bosanac
> >> >>>>>> about.me/dejanb
> >> >>>>>>
> >> >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
> >> >>>>>>
> >> >>>>>>> I really think you guys should add something about those object
> >> >>>>>>> serialization restrictions. Any end user that uses Java objects over
> >> >>>>>>> JMS is affected. Nothing works anymore.
> >> >>>>>>>
> >> >>>>>>> It's because of
> >> >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
> >> >>>>>>>
> >> >>>>>>> So there should be some text in the release notes, and ideally AMQ
> >> >>>>>>> broker / client should have some kind of INFO logging that openwire
> >> >>>>>>> with objects is restricted or not. Otherwise it's even harder for end
> >> >>>>>>> users to spot what is going on.
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <tabish121@gmail.com> wrote:
> >> >>>>>>>> It's probably a good idea to add a new page in the "New Features" section
> >> >>>>>>>> on the site to cover the additions in 5.13.0.  I know you added the 'auto'
> >> >>>>>>>> transport along with some other work for some additional metrics etc, all
> >> >>>>>>>> good things that would be nice to advertise a bit.
> >> >>>>>>>>
> >> >>>>>>>> See: http://activemq.apache.org/new-features.html
> >> >>>>>>>>
> >> >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
> >> >>>>>>>>
> >> >>>>>>>>> Hi everyone,
> >> >>>>>>>>>
> >> >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
> >> >>>>>>>>>
> >> >>>>>>>>> This release contains a number of resolved issues and new features since
> >> >>>>>>>>> the 5.12.1 release.
> >> >>>>>>>>>
> >> >>>>>>>>> A list of issues resolved in this release is available here:
> >> >>>>>>>>>
> >> >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> >> >>>>>>>>>
> >> >>>>>>>>> The Wiki page for the release is here:
> >> >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
> >> >>>>>>>>>
> >> >>>>>>>>> API documentation for 5.12.1 is located here:
> >> >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> >> >>>>>>>>>
> >> >>>>>>>>
> >> >>>>>>>>
> >> >>>>>>>>
> >> >>>>>>>> --
> >> >>>>>>>> --
> >> >>>>>>>> Tim Bish
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>> --
> >> >>>>>>> Claus Ibsen
> >> >>>>>>> -----------------
> >> >>>>>>> http://davsclaus.com @davsclaus
> >> >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
> >> >>>>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> --
> >> >>>>> Claus Ibsen
> >> >>>>> -----------------
> >> >>>>> http://davsclaus.com @davsclaus
> >> >>>>> Camel in Action 2: https://www.manning.com/ibsen2
> >> >>>>>
> >> >>>>
> >> >>>>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Claus Ibsen
> >> >> -----------------
> >> >> http://davsclaus.com @davsclaus
> >> >> Camel in Action 2: https://www.manning.com/ibsen2
> >> >
> >> >
> >> >
> >> > --
> >> > Claus Ibsen
> >> > -----------------
> >> > http://davsclaus.com @davsclaus
> >> > Camel in Action 2: https://www.manning.com/ibsen2
> >>
> >> --
> >> Daniel Kulp
> >> dkulp@apache.org - http://dankulp.com/blog
> >> Talend Community Coder - http://coders.talend.com
> >>
> >>
>
>
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2
>
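
Added example, not part of the original thread and not ActiveMQ or Camel code: a plain-JDK sketch of the approach discussed above, where deserialization resolves only classes from packages trusted in local configuration and nothing carried in the message can widen that list. The names TrustedPackagesDemo, AllowlistObjectInputStream and Untrusted, and the sample package list, are hypothetical.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class TrustedPackagesDemo {
    // Hypothetical payload type that lives outside every trusted package.
    static class Untrusted implements Serializable {}

    /** Resolves only classes whose package is in a locally configured list. */
    static class AllowlistObjectInputStream extends ObjectInputStream {
        private final List<String> trusted;
        AllowlistObjectInputStream(InputStream in, List<String> trusted) throws IOException {
            super(in);
            this.trusted = trusted;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Reduce object-array descriptors such as "[Lcom.example.Foo;" to the element class name.
            String name = desc.getName().replaceFirst("^\\[+L", "").replace(";", "");
            // The decision uses only local configuration, never a header or field of the message.
            // Anything unmatched (including primitive arrays in this sketch) fails closed.
            boolean ok = trusted.stream().anyMatch(p -> name.startsWith(p + "."));
            if (!ok) {
                throw new InvalidClassException(name, "class is not in a trusted package");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object read(byte[] body, List<String> trusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(body), trusted)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> trusted = List.of("java.lang", "java.util"); // constructed sample configuration
        System.out.println(read(write(new ArrayList<>(List.of("order-1"))), trusted));
        try {
            read(write(new Untrusted()), trusted);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check runs in resolveClass, before the class is loaded or any of its deserialization code executes, which is why the list has to come from configuration rather than from the message being read.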
