Also, if the Java class name is in a JMS header (I think there is a standard for that, JMSType is it not?), maybe the client/server can use that out of the box to know at least that packages from that class are okay to use.
On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <[email protected]> wrote:
> Hi
>
> Thanks.
>
> Yeah this must be easier from client pov. Having to set a JVM system property is sometimes hard for people, eg they deploy to an existing running app server which they cannot restart.
>
> And then they need to add some code hack to set the system property from their java app before AMQ bootstrap.
>
> Looking forward to a 5.13.1 release. Hopefully with a nice and easy way for clients, and a speedy release so users can upgrade more easily.
>
> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <[email protected]> wrote:
>> Hi Claus,
>>
>> here's the test fix for the current implementation
>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>>
>> The thing is that the same security issues can occur in the client applications, when folks call the getObject() method, so I think it's the right approach for people to whitelist only the packages they trust.
>>
>> I agree that we can improve user experience by making it easier to configure all this in the client apps. I think it might be good to allow easy configuration on the connection factory and using connection urls. I'll raise a new Jira for that and we can deliver this in 5.13.1. If you have any more concerns and ideas on how to improve this, please let me know.
>>
>> I'll go ahead next and create more docs around this.
>>
>> Regards
>> --
>> Dejan Bosanac
>> about.me/dejanb
>>
>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <[email protected]> wrote:
>>> I'll give it a try now. Thanks!
>>>
>>> Regards
>>> --
>>> Dejan Bosanac
>>> about.me/dejanb
>>>
>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <[email protected]> wrote:
>>>> Yes, a number of tests fail in camel-jms if you test with 5.13.0. You can try yourself by changing the activemq-version in the parent/pom.xml.
>>>>
>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <[email protected]> wrote:
>>>>> Hi Claus,
>>>>>
>>>>> restrictions were necessary for the CVE that was reported. We're about to disclose it fully now after the release.
>>>>>
>>>>> AFAIK the change should not affect ObjectMessages in general, just the cases where those objects are serialized/unserialized inside of the broker, like web console or stomp transformations. I'll create proper docs for the change now and the security aspect of it, and we can see later what else we can do to improve the user experience.
>>>>>
>>>>> Are there any Camel related tests that fail due to this change? I can take a look at that as well.
>>>>>
>>>>> Regards
>>>>> --
>>>>> Dejan Bosanac
>>>>> about.me/dejanb
>>>>>
>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <[email protected]> wrote:
>>>>>> I really think you guys should add something about those object serialization restrictions. Any end users that use java objects over JMS are affected. Nothing works anymore.
>>>>>>
>>>>>> It's because of
>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
>>>>>>
>>>>>> So there should be some text in the release notes, and ideally AMQ broker / client should have some kind of INFO logging that openwire with objects is restricted or not. Otherwise it's even harder for end users to spot what is going on.
>>>>>>
>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <[email protected]> wrote:
>>>>>>> It's probably a good idea to add a new page in the "New Features" section on the site to cover the additions in 5.13.0. I know you added the 'auto' transport along with some other work for some additional metrics etc, all good things that would be nice to advertise a bit.
>>>>>>>
>>>>>>> See: http://activemq.apache.org/new-features.html
>>>>>>>
>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <[email protected]> wrote:
>>>>>>>> Hi everyone,
>>>>>>>>
>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
>>>>>>>>
>>>>>>>> This release contains a number of resolved issues and new features since the 5.12.1 release.
>>>>>>>>
>>>>>>>> A list of issues resolved in this release is available here:
>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>>>>>>>
>>>>>>>> The Wiki page for the release is here:
>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
>>>>>>>>
>>>>>>>> API documentation for 5.12.1 is located here:
>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>>>>>>
>>>>>>> --
>>>>>>> Tim Bish
>>>>>>
>>>>>> --
>>>>>> Claus Ibsen
>>>>>> -----------------
>>>>>> http://davsclaus.com @davsclaus
>>>>>> Camel in Action 2: https://www.manning.com/ibsen2

--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
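Added example, not code from ActiveMQ or from anyone in this thread, showing the client-side mitigation Dejan describes above: an ObjectInputStream that resolves classes only from an explicit list of trusted packages, so an ObjectMessage payload whose class is outside that list is rejected before any of its object graph is instantiated. The `TRUSTED` list, the `TrustedObjectInputStream` name and the nested `Payload` class are constructed for illustration.

```java
import java.io.*;
import java.util.*;

public class TrustedPackagesDemo {
    // Constructed allow-list; a real deployment lists only the packages its payloads actually use.
    static final List<String> TRUSTED = Arrays.asList("java.lang", "java.util");
    /** ObjectInputStream that refuses to resolve any class outside the allow-list. */
    static final class TrustedObjectInputStream extends ObjectInputStream {
        private final List<String> trusted;
        TrustedObjectInputStream(InputStream in, List<String> trusted) throws IOException {
            super(in);
            this.trusted = trusted;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Array descriptors look like "[Ljava.lang.String;" or "[I": check the element type.
            while (name.startsWith("[")) name = name.substring(1);
            if (name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
            if (name.length() == 1) return super.resolveClass(desc); // primitive array element
            for (String pkg : trusted) {
                if (name.startsWith(pkg + ".")) return super.resolveClass(desc);
            }
            // Throwing here means the untrusted object graph is never instantiated.
            throw new InvalidClassException(name, "not in trusted packages " + trusted);
        }
    }
    // Constructed sample payload; its class (TrustedPackagesDemo$Payload) is outside the allow-list.
    static final class Payload implements Serializable { String note = "sample"; }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new TrustedObjectInputStream(new ByteArrayInputStream(bytes), TRUSTED)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // java.util.ArrayList holding java.lang.String values: every descriptor in the stream is trusted
        System.out.println(deserialize(serialize(new ArrayList<>(Arrays.asList("a", "b")))));
        try {
            deserialize(serialize(new Payload())); // class is not on the list, so resolveClass throws
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same check belongs wherever a consumer calls getObject() on an ObjectMessage, which is why the thread treats the broker-side restriction and the client-side whitelist as two halves of one fix.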
