Hi

Thanks.

Yeah this must be easier from client pov. Having to set a JVM system
property is sometimes hard for people, e.g. they deploy to an existing
running app server which they cannot restart.

And then they need to add some code hack to set the system property
from their java app before AMQ bootstrap.

Looking forward to a 5.13.1 release. Hopefully with a nice and easy
way for clients, and a speedy release so users can upgrade more
easily.



On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <[email protected]> wrote:
> Hi Claus,
>
> here’s the test fix for the current implementation
> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>
> The thing is that the same security issues can occur in the client
> applications, when folks call getObject() method, so I think it’s the right
> approach for people to white-list only the packages they trust.
>
> I agree that we can improve user experience by making it easier to
> configure all this in the client apps. I think it might be good to allow easy
> configuration on the connection factory and using connection urls. I’ll
> raise a new Jira for that and we can deliver this in 5.13.1. If you have
> any more concerns and ideas on how to improve this, please let me know.
>
> I’ll go ahead next and create more docs around this.
>
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <[email protected]> wrote:
>
>> I’ll give it a try now. Thanks!
>>
>> Regards
>> --
>> Dejan Bosanac
>> about.me/dejanb
>>
>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <[email protected]>
>> wrote:
>>
>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You
>>> can try yourself by changing the activemq-version in the
>>> parent/pom.xml.
>>>
>>>
>>>
>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <[email protected]>
>>> wrote:
>>> > Hi Claus,
>>> >
>>> > restrictions were necessary for the CVE that was reported. We’re about to
>>> > disclose it fully now after the release.
>>> >
>>> > AFAIK the change should not affect ObjectMessages in general, just the
>>> > cases where those objects are serialized/unserialized inside of the broker,
>>> > like web console or stomp transformations. I’ll create proper docs for
>>> > the change now and the security aspect of it and we can see later what else
>>> > we can do to improve the user experience.
>>> >
>>> > Are there any Camel related tests that fail due to this change? I can take
>>> > a look at that as well.
>>> >
>>> >
>>> > Regards
>>> > --
>>> > Dejan Bosanac
>>> > about.me/dejanb
>>> >
>>> > On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <[email protected]>
>>> wrote:
>>> >
>>> >> I really think you guys should add something about those object
>>> >> serialization restrictions. Any end users that use java objects over
>>> >> JMS are affected. Nothing works anymore.
>>> >>
>>> >> It's because of
>>> >> https://issues.apache.org/jira/browse/AMQ-6013
>>> >>
>>> >> So there should be some text in the release notes, and ideally AMQ
>>> >> broker / client should have some kind of INFO logging that openwire
>>> >> with objects is restricted or not. Otherwise it's even harder for end
>>> >> users to spot what is going on.
>>> >>
>>> >>
>>> >>
>>> >> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <[email protected]>
>>> wrote:
>>> >> > It's probably a good idea to add a new page in the "New Features" section
>>> >> > on the site to cover the additions in 5.13.0.  I know you added the 'auto'
>>> >> > transport along with some other work for some additional metrics etc, all
>>> >> > good things that would be nice to advertise a bit.
>>> >> >
>>> >> > See: http://activemq.apache.org/new-features.html
>>> >> >
>>> >> > On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
>>> >> > [email protected]> wrote:
>>> >> >
>>> >> >> Hi everyone,
>>> >> >>
>>> >> >> Apache ActiveMQ 5.13.0 has now been released.
>>> >> >>
>>> >> >> This release contains a number of resolved issues and new features since
>>> >> >> the 5.12.1 release.
>>> >> >>
>>> >> >> A list of issues resolved in this release is available here:
>>> >> >>
>>> >> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>> >> >>
>>> >> >> The Wiki page for the release is here:
>>> >> >> http://activemq.apache.org/activemq-5130-release.html
>>> >> >>
>>> >> >> API documentation for 5.12.1 is located here:
>>> >> >> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>> >> >>
>>> >> >
>>> >> >
>>> >> >
>>> >> > --
>>> >> > --
>>> >> > Tim Bish
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Claus Ibsen
>>> >> -----------------
>>> >> http://davsclaus.com @davsclaus
>>> >> Camel in Action 2: https://www.manning.com/ibsen2
>>> >>
>>>
>>>
>>>
>>> --
>>> Claus Ibsen
>>> -----------------
>>> http://davsclaus.com @davsclaus
>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>
>>
>>



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
