From: Claus Ibsen
Date: Wed, 16 Dec 2015 16:24:43 +0100
Subject: Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released
To: dev@activemq.apache.org

Thanks Dejan

I logged a ticket at Camel with your instructions
https://issues.apache.org/jira/browse/CAMEL-9429

On Mon, Dec 14, 2015 at 2:15 PM, Dejan Bosanac wrote:
> Hi Claus,
>
> I implemented a fix for this in
> https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
> and see if anything else is missing, it would be greatly appreciated.
>
> Here are the proposed changes to the Camel once we have 5.13.1 release
> https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
>
> BTW. We should change version of the current master to 5.14-SNAPSHOT now
> that 5.13.0 is out.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp wrote:
>
>>
>> > On Dec 7, 2015, at 8:16 AM, Claus Ibsen wrote:
>> >
>> > Also if the java class name is in a JMS header ( I think there is a
>> > standard for that, JMSType is it not?)
>> > maybe the client/server can use
>> > that out of the box to know at least packages from that class is okay
>> > to use.
>>
>>
>> Doesn’t that defeat the purpose though? I could craft a message that
>> contains “MyBadClass” and add that JMS header to say MyBadClass should be
>> allowed. MyBadClass is loaded and security problem. It really needs to be
>> something configured, not something part of the message.
>>
>> Dan
>>
>> >
>> > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen wrote:
>> >> Hi
>> >>
>> >> Thanks.
>> >>
>> >> Yeah this must be easier from client pov. Having to set a JVM system
>> >> property is sometimes hard for people, eg they deploy to an existing
>> >> running app server which they cannot restart.
>> >>
>> >> And then they need to add some code hack to set the system property
>> >> from their java app before AMQ bootstrap.
>> >>
>> >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
>> >> way for clients, and a speedy release so users can upgrade more
>> >> easily.
>> >>
>> >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac wrote:
>> >>> Hi Claus,
>> >>>
>> >>> here’s the test fix for the current implementation
>> >>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>> >>>
>> >>> The thing is that the same security issues can occur in the client
>> >>> applications, when folks call getObject() method, so I think it’s the right
>> >>> approach for people to white-list only the packages they trust.
>> >>>
>> >>> I agree that we can improve user experience by making it easier to
>> >>> configure all this in the client apps. I think it might be good to allow easy
>> >>> configuration on the connection factory and using connection urls. I’ll
>> >>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
>> >>> any more concerns and ideas on how to improve this, please let me know.
>> >>>
>> >>> I’ll go ahead next and create more docs around this.
>> >>>
>> >>> Regards
>> >>> --
>> >>> Dejan Bosanac
>> >>> about.me/dejanb
>> >>>
>> >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac wrote:
>> >>>
>> >>>> I’ll give it a try now. Thanks!
>> >>>>
>> >>>> Regards
>> >>>> --
>> >>>> Dejan Bosanac
>> >>>> about.me/dejanb
>> >>>>
>> >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen wrote:
>> >>>>
>> >>>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You
>> >>>>> can try yourself by changing the activemq-version in the
>> >>>>> parent/pom.xml.
>> >>>>>
>> >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac wrote:
>> >>>>>> Hi Claus,
>> >>>>>>
>> >>>>>> restrictions were necessary for the CVE that was reported. We’re about to
>> >>>>>> disclose it fully now after the release.
>> >>>>>>
>> >>>>>> AFAIK the change should not affect ObjectMessages in general, just the
>> >>>>>> cases where those objects are serialized/unserialized inside of the broker,
>> >>>>>> like web console or stomp transformations. I’ll create a proper docs for
>> >>>>>> the change now and the security aspect of it and we can see later what else
>> >>>>>> we can do to improve the user experience.
>> >>>>>>
>> >>>>>> Are there any Camel related tests that fail due to this change? I can take
>> >>>>>> a look at that as well.
>> >>>>>>
>> >>>>>> Regards
>> >>>>>> --
>> >>>>>> Dejan Bosanac
>> >>>>>> about.me/dejanb
>> >>>>>>
>> >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen wrote:
>> >>>>>>
>> >>>>>>> I really think you guys should add something about those object
>> >>>>>>> serialization restrictions. Any end users that uses java objects over
>> >>>>>>> JMS is affected. Nothing works anymore.
>> >>>>>>>
>> >>>>>>> It's because of
>> >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
>> >>>>>>>
>> >>>>>>> So there should be some text in the release notes, and ideally AMQ
>> >>>>>>> broker / client should have some kind of INFO logging that openwire
>> >>>>>>> with objects is restricted or not. Otherwise it's even harder for end
>> >>>>>>> users to spot what is going on.
>> >>>>>>>
>> >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish wrote:
>> >>>>>>>> It's probably a good idea to add a new page in the "New Features" section
>> >>>>>>>> on the site to cover the additions in 5.13.0. I know you added the 'auto'
>> >>>>>>>> transport along with some other work for some additional metrics etc, all
>> >>>>>>>> good things that would be nice to advertise a bit.
>> >>>>>>>>
>> >>>>>>>> See: http://activemq.apache.org/new-features.html
>> >>>>>>>>
>> >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
>> >>>>>>>>
>> >>>>>>>>> Hi everyone,
>> >>>>>>>>>
>> >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
>> >>>>>>>>>
>> >>>>>>>>> This release contains a number of resolved issues and new features since
>> >>>>>>>>> the 5.12.1 release.
>> >>>>>>>>>
>> >>>>>>>>> A list of issues resolved in this release is available here:
>> >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>> >>>>>>>>>
>> >>>>>>>>> The Wiki page for the release is here:
>> >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
>> >>>>>>>>>
>> >>>>>>>>> API documentation for 5.12.1 is located here:
>> >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>> --
>> >>>>>>>> Tim Bish
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> Claus Ibsen
>> >>>>>>> -----------------
>> >>>>>>> http://davsclaus.com @davsclaus
>> >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
>> >>>>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Claus Ibsen
>> >>>>> -----------------
>> >>>>> http://davsclaus.com @davsclaus
>> >>>>> Camel in Action 2: https://www.manning.com/ibsen2
>> >>>>>
>> >>
>> >> --
>> >> Claus Ibsen
>> >> -----------------
>> >> http://davsclaus.com @davsclaus
>> >> Camel in Action 2: https://www.manning.com/ibsen2
>> >
>> > --
>> > Claus Ibsen
>> > -----------------
>> > http://davsclaus.com @davsclaus
>> > Camel in Action 2: https://www.manning.com/ibsen2
>>
>> --
>> Daniel Kulp
>> dkulp@apache.org - http://dankulp.com/blog
>> Talend Community Coder - http://coders.talend.com
>>
>>

--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
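
The point made in the thread, that the set of acceptable classes has to come from the receiver's configuration and not from anything carried in the message, shown as an added example (not code from this thread or from ActiveMQ): a JDK-only `ObjectInputStream` subclass that checks each class descriptor against a configured package allow-list before resolving it. The class names, the package prefix-matching rule and the `com.example.orders` package are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;
public class TrustedPackagesDemo {
    /** Resolves only classes whose package is on a receiver-configured allow-list. */
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> trusted;
        AllowListObjectInputStream(InputStream in, Set<String> trusted) throws IOException {
            super(in);
            this.trusted = trusted;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("[")) { // array descriptor, e.g. "[Ljava.util.Date;" or "[I"
                name = name.replaceFirst("^\\[+", "");
                if (!name.startsWith("L")) return super.resolveClass(desc); // primitive array
                name = name.substring(1, name.length() - 1);
            }
            int dot = name.lastIndexOf('.');
            String pkg = dot < 0 ? "" : name.substring(0, dot);
            for (String p : trusted) {
                if (pkg.equals(p) || pkg.startsWith(p + ".")) return super.resolveClass(desc);
            }
            // Rejected here, before the class is loaded or any of its code can run.
            throw new InvalidClassException(name, "package not trusted by receiver configuration");
        }
    }

    static Object read(byte[] body, Set<String> trusted) throws Exception {
        try (ObjectInputStream in =
                new AllowListObjectInputStream(new ByteArrayInputStream(body), trusted)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a serialized java.util.Date standing in for a message body.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new Date(0L)); }
        byte[] body = buf.toByteArray();
        // The allow-list is local configuration; nothing in the message can extend it.
        System.out.println("accepted: " + read(body, Collections.singleton("java.util")));
        try {
            read(body, Collections.singleton("com.example.orders")); // hypothetical app package
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same payload is accepted or rejected purely by what the receiver configured, which is why a class name supplied in a message header cannot safely serve as the allow-list.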