activemq-dev mailing list archives

From Dejan Bosanac <de...@nighttale.net>
Subject Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released
Date Mon, 14 Dec 2015 13:15:59 GMT
Hi Claus,

I implemented a fix for this in
https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
and see if anything else is missing, it would be greatly appreciated.

Here are the proposed changes to Camel once we have the 5.13.1 release:
https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4

BTW. We should change version of the current master to 5.14-SNAPSHOT now
that 5.13.0 is out.

Regards
--
Dejan Bosanac
about.me/dejanb

On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <dkulp@apache.org> wrote:

>
> > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
> >
> > Also if the Java class name is in a JMS header (I think there is a
> > standard for that, JMSType is it not?) maybe the client/server can use
> > that out of the box to know at least that packages from that class are
> > okay to use.
>
>
> Doesn’t that defeat the purpose though?  I could craft a message that
> contains “MyBadClass” and add that JMS header to say MyBadClass should be
> allowed.  MyBadClass is loaded, and that is a security problem.  It really
> needs to be something configured, not something part of the message.
>
> Dan
>
>
> >
> >
> > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <claus.ibsen@gmail.com>
> wrote:
> >> Hi
> >>
> >> Thanks.
> >>
> >> Yeah this must be easier from the client's POV. Having to set a JVM system
> >> property is sometimes hard for people, e.g. they deploy to an existing
> >> running app server which they cannot restart.
> >>
> >> And then they need to add some code hack to set the system property
> >> from their Java app before AMQ bootstrap.
> >>
> >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> >> way for clients, and a speedy release so users can upgrade more
> >> easily.
> >>
> >>
> >>
> >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <dejan@nighttale.net>
> wrote:
> >>> Hi Claus,
> >>>
> >>> here’s the test fix for the current implementation
> >>>
> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
> >>>
> >>> The thing is that the same security issues can occur in the client
> >>> applications, when folks call the getObject() method, so I think it’s the
> >>> right approach for people to white-list only the packages they trust.
> >>>
> >>> I agree that we can improve user experience by making it easier to
> >>> configure all this in the client apps. I think it might be good to allow
> >>> easy configuration on the connection factory and using connection URLs.
> >>> I’ll raise a new Jira for that and we can deliver this in 5.13.1. If you
> >>> have any more concerns and ideas on how to improve this, please let me know.
> >>>
> >>> I’ll go ahead next and create more docs around this.
> >>>
> >>>
> >>> Regards
> >>> --
> >>> Dejan Bosanac
> >>> about.me/dejanb
> >>>
> >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <dejan@nighttale.net>
> wrote:
> >>>
> >>>> I’ll give it a try now. Thanks!
> >>>>
> >>>> Regards
> >>>> --
> >>>> Dejan Bosanac
> >>>> about.me/dejanb
> >>>>
> >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <claus.ibsen@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You
> >>>>> can try yourself by changing the activemq-version in the
> >>>>> parent/pom.xml.
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <dejan@nighttale.net>
> >>>>> wrote:
> >>>>>> Hi Claus,
> >>>>>>
> >>>>>> restrictions were necessary for the CVE that was reported. We’re about
> >>>>>> to disclose it fully now after the release.
> >>>>>>
> >>>>>> AFAIK the change should not affect ObjectMessages in general, just the
> >>>>>> cases where those objects are serialized/unserialized inside of the
> >>>>>> broker, like web console or STOMP transformations. I’ll create proper
> >>>>>> docs for the change now and the security aspect of it and we can see
> >>>>>> later what else we can do to improve the user experience.
> >>>>>>
> >>>>>> Are there any Camel related tests that fail due to this change? I can
> >>>>>> take a look at that as well.
> >>>>>>
> >>>>>>
> >>>>>> Regards
> >>>>>> --
> >>>>>> Dejan Bosanac
> >>>>>> about.me/dejanb
> >>>>>>
> >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <claus.ibsen@gmail.com>
> >>>>> wrote:
> >>>>>>
> >>>>>>> I really think you guys should add something about those object
> >>>>>>> serialization restrictions. Any end user that uses Java objects over
> >>>>>>> JMS is affected. Nothing works anymore.
> >>>>>>>
> >>>>>>> It's because of
> >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
> >>>>>>>
> >>>>>>> So there should be some text in the release notes, and ideally AMQ
> >>>>>>> broker / client should have some kind of INFO logging that OpenWire
> >>>>>>> with objects is restricted or not. Otherwise it's even harder for end
> >>>>>>> users to spot what is going on.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <tabish121@gmail.com>
> >>>>> wrote:
> >>>>>>>> It's probably a good idea to add a new page in the "New Features"
> >>>>>>>> section on the site to cover the additions in 5.13.0.  I know you
> >>>>>>>> added the 'auto' transport along with some other work for some
> >>>>>>>> additional metrics etc, all good things that would be nice to
> >>>>>>>> advertise a bit.
> >>>>>>>>
> >>>>>>>> See: http://activemq.apache.org/new-features.html
> >>>>>>>>
> >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
> >>>>>>>> christopher.l.shannon@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi everyone,
> >>>>>>>>>
> >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
> >>>>>>>>>
> >>>>>>>>> This release contains a number of resolved issues and new features
> >>>>>>>>> since the 5.12.1 release.
> >>>>>>>>>
> >>>>>>>>> A list of issues resolved in this release is available here:
> >>>>>>>>>
> >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> >>>>>>>>>
> >>>>>>>>> The Wiki page for the release is here:
> >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
> >>>>>>>>>
> >>>>>>>>> API documentation for 5.12.1 is located here:
> >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> --
> >>>>>>>> Tim Bish
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Claus Ibsen
> >>>>>>> -----------------
> >>>>>>> http://davsclaus.com @davsclaus
> >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
> >>>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Claus Ibsen
> >>>>> -----------------
> >>>>> http://davsclaus.com @davsclaus
> >>>>> Camel in Action 2: https://www.manning.com/ibsen2
> >>>>>
> >>>>
> >>>>
> >>
> >>
> >>
> >> --
> >> Claus Ibsen
> >> -----------------
> >> http://davsclaus.com @davsclaus
> >> Camel in Action 2: https://www.manning.com/ibsen2
> >
> >
> >
> > --
> > Claus Ibsen
> > -----------------
> > http://davsclaus.com @davsclaus
> > Camel in Action 2: https://www.manning.com/ibsen2
>
> --
> Daniel Kulp
> dkulp@apache.org - http://dankulp.com/blog
> Talend Community Coder - http://coders.talend.com
>
>
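The restriction this thread is about (AMQ-6013) gates which classes an ObjectMessage payload may be deserialized into: the stream resolves a class only if its package is on a configured trusted list, and the fix discussed under AMQ-6077 is about where a client configures that list. What follows is an added example, not ActiveMQ's or Camel's code, of that check done where it has to be done, in ObjectInputStream.resolveClass(), before any class is loaded and before any readObject() can run. The names TrustedPackagesDemo, TrustedPackagesObjectInputStream and readTrusted, and the choice of java.lang as the trusted package, are illustrative. It also makes Dan's point concrete: the list is fixed by configuration, and nothing carried in the message can widen it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not ActiveMQ's or Camel's code): an ObjectInputStream that
// refuses to resolve any class outside a configured list of trusted packages.
// Class and method names are illustrative.
public class TrustedPackagesDemo {

    static final class TrustedPackagesObjectInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;

        TrustedPackagesObjectInputStream(byte[] data, List<String> trustedPackages)
                throws IOException {
            super(new ByteArrayInputStream(data));
            this.trustedPackages = trustedPackages;
        }

        // Called for every class descriptor in the stream, before the class is
        // loaded and before its readObject()/readResolve() can run. Rejecting
        // here means an untrusted gadget class never gets a chance to execute.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("[")) {
                // Array descriptor: "[I" (primitive) or "[Lcom.example.Foo;" (reference).
                name = name.replaceFirst("^\\[+", "");
                if (name.length() == 1) {
                    return super.resolveClass(desc); // primitive element, no class to load
                }
                name = name.substring(1, name.length() - 1); // strip "L" and ";"
            }
            if (!isTrusted(name)) {
                throw new InvalidClassException(desc.getName(),
                        "class is not in the trusted packages " + trustedPackages);
            }
            return super.resolveClass(desc);
        }

        // A package is trusted if it is listed or is a sub-package of a listed one.
        private boolean isTrusted(String className) {
            int dot = className.lastIndexOf('.');
            String pkg = dot < 0 ? "" : className.substring(0, dot);
            for (String trusted : trustedPackages) {
                if (pkg.equals(trusted) || pkg.startsWith(trusted + ".")) {
                    return true;
                }
            }
            return false;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes under the given allow-list; returns null when the list rejects the payload.
    static Object readTrusted(byte[] data, List<String> trustedPackages)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new TrustedPackagesObjectInputStream(data, trustedPackages)) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // The allow-list comes from configuration; nothing in the payload can widen it.
        List<String> trusted = Arrays.asList("java.lang");

        // Constructed payloads standing in for two ObjectMessage bodies.
        byte[] integerPayload = serialize(Integer.valueOf(42));                   // java.lang.Integer
        byte[] listPayload = serialize(new ArrayList<>(Arrays.asList("x", "y"))); // java.util.ArrayList

        System.out.println("Integer   -> " + readTrusted(integerPayload, trusted));
        System.out.println("ArrayList -> " + readTrusted(listPayload, trusted));

        // An application that genuinely exchanges java.util types opts in explicitly.
        List<String> widened = Arrays.asList("java.lang", "java.util");
        System.out.println("ArrayList (java.util trusted) -> " + readTrusted(listPayload, widened));
    }
}
```

With only java.lang trusted, the Integer deserializes and the ArrayList is refused with an InvalidClassException naming the offending class, which is the behaviour Claus reports as "nothing works anymore" for applications that never declared what they expect to receive; the third call shows the intended remedy, an explicit opt-in for the packages the application actually exchanges. In the ActiveMQ client this list is what the org.apache.activemq.SERIALIZABLE_PACKAGES system property sets, and the AMQ-6077 change referenced above exposes the same setting on ActiveMQConnectionFactory (setTrustedPackages(List<String>), with setTrustAllPackages(boolean) as the explicit escape hatch) so a client that cannot set JVM properties can still configure it; check the API of the release you run.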
