activemq-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released
Date Mon, 07 Dec 2015 13:39:26 GMT

> On Dec 7, 2015, at 8:16 AM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
> 
> Also if the java class name is in a JMS header ( I think there is a
> standard for that, JMSType is it not?) maybe the client/server can use
> that out of the box to know at least packages from that class is okay
> to use.


Doesn’t that defeat the purpose though?  I could craft a message that contains “MyBadClass”
and add that JMS header to say MyBadClass should be allowed.  MyBadClass is loaded and security
problem.  It really needs to be something configured, not something part of the message. 


Dan


> 
> 
> On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <claus.ibsen@gmail.com> wrote:
>> Hi
>> 
>> Thanks.
>> 
>> Yeah this must be easier from client pov. Having to set a JVM system
>> property is sometimes hard for people, eg they deploy to an existing
>> running app server which they cannot restart.
>> 
>> And then they need to add some code hack to set the system property
>> from their java app before AMQ bootstrap.
>> 
>> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
>> way for clients, and a speedy release so users can upgrade more
>> easily.
>> 
>> 
>> 
>> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <dejan@nighttale.net> wrote:
>>> Hi Claus,
>>> 
>>> here’s the test fix for the current implementation
>>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>>> 
>>> The thing is that the same security issues can occur in the client
>>> applications, when folks call getObject() method, so I think it’s the right
>>> approach for people to white-list only the packages they trust.
>>> 
>>> I agree that we can improve user experience by making it easier to
>>> configure all this in the client apps. I think it might be good to allow easy
>>> configuration on the connection factory and using connection urls. I’ll
>>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
>>> any more concerns and ideas on how to improve this, please let me know.
>>> 
>>> I’ll go ahead next and create more docs around this.
>>> 
>>> 
>>> Regards
>>> --
>>> Dejan Bosanac
>>> about.me/dejanb
>>> 
>>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <dejan@nighttale.net> wrote:
>>> 
>>>> I’ll give it a try now. Thanks!
>>>> 
>>>> Regards
>>>> --
>>>> Dejan Bosanac
>>>> about.me/dejanb
>>>> 
>>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <claus.ibsen@gmail.com>
>>>> wrote:
>>>> 
>>>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You
>>>>> can try yourself by changing the activemq-version in the
>>>>> parent/pom.xml.
>>>>> 
>>>>> 
>>>>> 
>>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <dejan@nighttale.net>
>>>>> wrote:
>>>>>> Hi Claus,
>>>>>> 
>>>>>> restrictions were necessary for the CVE that was reported. We’re about to
>>>>>> disclose it fully now after the release.
>>>>>> 
>>>>>> AFAIK the change should not affect ObjectMessages in general, just the
>>>>>> cases where those objects are serialized/unserialized inside of the broker,
>>>>>> like web console or stomp transformations. I’ll create proper docs for
>>>>>> the change now and the security aspect of it and we can see later what else
>>>>>> we can do to improve the user experience.
>>>>>> 
>>>>>> Are there any Camel related tests that fail due to this change? I can take
>>>>>> a look at that as well.
>>>>>> 
>>>>>> 
>>>>>> Regards
>>>>>> --
>>>>>> Dejan Bosanac
>>>>>> about.me/dejanb
>>>>>> 
>>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <claus.ibsen@gmail.com>
>>>>> wrote:
>>>>>> 
>>>>>>> I really think you guys should add something about those object
>>>>>>> serialization restrictions. Any end users that use java objects over
>>>>>>> JMS are affected. Nothing works anymore.
>>>>>>> 
>>>>>>> It’s because of
>>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
>>>>>>> 
>>>>>>> So there should be some text in the release notes, and ideally AMQ
>>>>>>> broker / client should have some kind of INFO logging that openwire
>>>>>>> with objects is restricted or not. Otherwise it’s even harder for end
>>>>>>> users to spot what is going on.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <tabish121@gmail.com>
>>>>> wrote:
>>>>>>>> It's probably a good idea to add a new page in the "New Features" section
>>>>>>>> on the site to cover the additions in 5.13.0.  I know you added the
>>>>>>>> 'auto' transport along with some other work for some additional metrics
>>>>>>>> etc, all good things that would be nice to advertise a bit.
>>>>>>>> 
>>>>>>>> See: http://activemq.apache.org/new-features.html
>>>>>>>> 
>>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
>>>>>>>> christopher.l.shannon@gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> Hi everyone,
>>>>>>>>> 
>>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
>>>>>>>>> 
>>>>>>>>> This release contains a number of resolved issues and new features since
>>>>>>>>> the 5.12.1 release.
>>>>>>>>> 
>>>>>>>>> A list of issues resolved in this release is available here:
>>>>>>>>> 
>>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>>>>>>>> 
>>>>>>>>> The Wiki page for the release is here:
>>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
>>>>>>>>> 
>>>>>>>>> API documentation for 5.12.1 is located here:
>>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> --
>>>>>>>> Tim Bish
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> Claus Ibsen
>>>>>>> -----------------
>>>>>>> http://davsclaus.com @davsclaus
>>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Claus Ibsen
>>>>> -----------------
>>>>> http://davsclaus.com @davsclaus
>>>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>>> 
>>>> 
>>>> 
>> 
>> 
>> 
>> --
>> Claus Ibsen
>> -----------------
>> http://davsclaus.com @davsclaus
>> Camel in Action 2: https://www.manning.com/ibsen2
> 
> 
> 
> -- 
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
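The point Dan makes above, that the deserialization allow-list has to come from receiver-side configuration and not from anything carried in the message, in working code. This is an added example and not ActiveMQ's own implementation (the AMQ-6013 change differs in detail); it assumes the trusted package list is handed in from configuration (a system property, a connection factory setting or a broker config) and shows that a header naming a class, such as JMSType, has no influence on what the stream will resolve. The header map and the class name "java.math.BigInteger" in the demo are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/**
 * Added example, not ActiveMQ's code: an ObjectInputStream whose class
 * allow-list comes from receiver-side configuration only. A message header
 * naming a class or package is deliberately never consulted, so a sender
 * cannot widen the allow-list by crafting the message.
 */
public class TrustedPackageObjectInputStream extends ObjectInputStream {

    // Packages the receiver trusts. Assumed to be loaded from configuration
    // (system property, connection factory, broker config), never from the message.
    private final List<String> trustedPackages;

    public TrustedPackageObjectInputStream(InputStream in, List<String> trustedPackages)
            throws IOException {
        super(in);
        this.trustedPackages = Collections.unmodifiableList(new ArrayList<>(trustedPackages));
    }

    /** Check the class name before the JVM loads or instantiates the class. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!isTrusted(name)) {
            throw new InvalidClassException(name, "not in trusted packages " + trustedPackages);
        }
        return super.resolveClass(desc);
    }

    /** Strip array prefixes such as "[[Ljava.lang.String;", accept primitives, then match by package. */
    boolean isTrusted(String className) {
        String name = className;
        while (name.startsWith("[")) {
            name = name.substring(1);
        }
        if (name.length() == 1) {
            return true; // primitive array element code such as "I" or "B"
        }
        if (name.startsWith("L") && name.endsWith(";")) {
            name = name.substring(1, name.length() - 1);
        }
        for (String pkg : trustedPackages) {
            if (name.startsWith(pkg + ".")) {
                return true;
            }
        }
        return false;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    /**
     * Deserialize a message payload. 'headers' stands in for the JMS headers of the
     * message and is intentionally unused: the allow-list is 'configuredPackages' only.
     */
    static Object readPayload(byte[] payload, Map<String, String> headers,
                              List<String> configuredPackages)
            throws IOException, ClassNotFoundException {
        try (TrustedPackageObjectInputStream in = new TrustedPackageObjectInputStream(
                new ByteArrayInputStream(payload), configuredPackages)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> configured = Arrays.asList("java.lang", "java.util");

        // A payload made only of trusted types deserializes normally.
        byte[] ok = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("trusted payload -> " + readPayload(ok, Collections.emptyMap(), configured));

        // A payload of an untrusted type is rejected even though the (constructed)
        // header claims the class is fine: the header never reaches the check.
        byte[] blocked = serialize(BigInteger.TEN);
        Map<String, String> claim = Collections.singletonMap("JMSType", "java.math.BigInteger");
        try {
            readPayload(blocked, claim, configured);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check lives in resolveClass so an untrusted class is refused before any of its code runs; that is the same hook a JVM system property or a connection factory setting would feed in a real deployment, which is why the list has to be set by the operator and not be derivable from the wire.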

