I updated master to 5.14-SNAPSHOT when I prepared the last release. Besides backporting this to the 5.13.x branch we should probably backport AMQ-6077 to 5.12.x as well so it will be included in 5.12.2.
On Mon, Dec 14, 2015 at 8:15 AM, Dejan Bosanac <[email protected]> wrote:
> Hi Claus,
>
> I implemented a fix for this in
> https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
> and see if anything else is missing, it would be greatly appreciated.
>
> Here are the proposed changes to Camel once we have the 5.13.1 release
>
> https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
>
> BTW. We should change the version of the current master to 5.14-SNAPSHOT now
> that 5.13.0 is out.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <[email protected]> wrote:
>
> > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <[email protected]> wrote:
> >
> > > Also if the java class name is in a JMS header (I think there is a
> > > standard for that, JMSType is it not?) maybe the client/server can use
> > > that out of the box to know at least packages from that class are okay
> > > to use.
> >
> > Doesn’t that defeat the purpose though? I could craft a message that
> > contains “MyBadClass” and add that JMS header to say MyBadClass should be
> > allowed. MyBadClass is loaded and security problem. It really needs to be
> > something configured, not something part of the message.
> >
> > Dan
> >
> > > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <[email protected]> wrote:
> > >> Hi
> > >>
> > >> Thanks.
> > >>
> > >> Yeah this must be easier from the client pov. Having to set a JVM system
> > >> property is sometimes hard for people, eg they deploy to an existing
> > >> running app server which they cannot restart.
> > >>
> > >> And then they need to add some code hack to set the system property
> > >> from their java app before AMQ bootstrap.
> > >>
> > >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> > >> way for clients, and a speedy release so users can upgrade more
> > >> easily.
> > >>
> > >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <[email protected]> wrote:
> > >>> Hi Claus,
> > >>>
> > >>> here’s the test fix for the current implementation
> > >>>
> > >>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
> > >>>
> > >>> The thing is that the same security issues can occur in the client
> > >>> applications, when folks call the getObject() method, so I think it’s the right
> > >>> approach for people to white-list only the packages they trust.
> > >>>
> > >>> I agree that we can improve the user experience by making it easier to
> > >>> configure all this in the client apps. I think it might be good to allow easy
> > >>> configuration on the connection factory and using connection urls. I’ll
> > >>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
> > >>> any more concerns and ideas on how to improve this, please let me know.
> > >>>
> > >>> I’ll go ahead next and create more docs around this.
> > >>>
> > >>> Regards
> > >>> --
> > >>> Dejan Bosanac
> > >>> about.me/dejanb
> > >>>
> > >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <[email protected]> wrote:
> > >>>
> > >>>> I’ll give it a try now. Thanks!
> > >>>>
> > >>>> Regards
> > >>>> --
> > >>>> Dejan Bosanac
> > >>>> about.me/dejanb
> > >>>>
> > >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <[email protected]> wrote:
> > >>>>
> > >>>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You
> > >>>>> can try yourself by changing the activemq-version in the
> > >>>>> parent/pom.xml.
> > >>>>>
> > >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <[email protected]> wrote:
> > >>>>>> Hi Claus,
> > >>>>>>
> > >>>>>> restrictions were necessary for the CVE that was reported. We’re about
> > >>>>>> to disclose it fully now after the release.
> > >>>>>>
> > >>>>>> AFAIK the change should not affect ObjectMessages in general, just the
> > >>>>>> cases where those objects are serialized/unserialized inside of the broker,
> > >>>>>> like web console or stomp transformations. I’ll create proper docs for
> > >>>>>> the change now and the security aspect of it and we can see later what else
> > >>>>>> we can do to improve the user experience.
> > >>>>>>
> > >>>>>> Are there any Camel related tests that fail due to this change? I can take
> > >>>>>> a look at that as well.
> > >>>>>>
> > >>>>>> Regards
> > >>>>>> --
> > >>>>>> Dejan Bosanac
> > >>>>>> about.me/dejanb
> > >>>>>>
> > >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <[email protected]> wrote:
> > >>>>>>
> > >>>>>>> I really think you guys should add something about those object
> > >>>>>>> serialization restrictions. Any end user that uses java objects over
> > >>>>>>> JMS is affected. Nothing works anymore.
> > >>>>>>>
> > >>>>>>> It's because of
> > >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
> > >>>>>>>
> > >>>>>>> So there should be some text in the release notes, and ideally the AMQ
> > >>>>>>> broker / client should have some kind of INFO logging that openwire
> > >>>>>>> with objects is restricted or not. Otherwise it's even harder for end
> > >>>>>>> users to spot what is going on.
> > >>>>>>>
> > >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <[email protected]> wrote:
> > >>>>>>>> It's probably a good idea to add a new page in the "New Features" section
> > >>>>>>>> on the site to cover the additions in 5.13.0. I know you added the 'auto'
> > >>>>>>>> transport along with some other work for some additional metrics etc, all
> > >>>>>>>> good things that would be nice to advertise a bit.
> > >>>>>>>>
> > >>>>>>>> See: http://activemq.apache.org/new-features.html
> > >>>>>>>>
> > >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <[email protected]> wrote:
> > >>>>>>>>
> > >>>>>>>>> Hi everyone,
> > >>>>>>>>>
> > >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
> > >>>>>>>>>
> > >>>>>>>>> This release contains a number of resolved issues and new features since
> > >>>>>>>>> the 5.12.1 release.
> > >>>>>>>>>
> > >>>>>>>>> A list of issues resolved in this release is available here:
> > >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> > >>>>>>>>>
> > >>>>>>>>> The Wiki page for the release is here:
> > >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
> > >>>>>>>>>
> > >>>>>>>>> API documentation for 5.12.1 is located here:
> > >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> --
> > >>>>>>>> Tim Bish
> > >>>>>>>
> > >>>>>>> --
> > >>>>>>> Claus Ibsen
> > >>>>>>> -----------------
> > >>>>>>> http://davsclaus.com @davsclaus
> > >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
> > >>>>>
> > >>>>> --
> > >>>>> Claus Ibsen
> > >>>>> -----------------
> > >>>>> http://davsclaus.com @davsclaus
> > >>>>> Camel in Action 2: https://www.manning.com/ibsen2
> > >>
> > >> --
> > >> Claus Ibsen
> > >> -----------------
> > >> http://davsclaus.com @davsclaus
> > >> Camel in Action 2: https://www.manning.com/ibsen2
> > >
> > > --
> > > Claus Ibsen
> > > -----------------
> > > http://davsclaus.com @davsclaus
> > > Camel in Action 2: https://www.manning.com/ibsen2
> >
> > --
> > Daniel Kulp
> > [email protected] - http://dankulp.com/blog
> > Talend Community Coder - http://coders.talend.com

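The point Dan makes in the thread, that the set of deserializable packages has to come from configuration and can never be carried in the message itself, shown as an added example (not ActiveMQ's code and not written by anyone in the thread): an ObjectInputStream that refuses any class outside a configured package list before the class is loaded. The JVM property name and its default list are assumptions for this illustration, as are all class and method names.

```java
import java.io.*;
import java.util.Arrays;
import java.util.List;

public class TrustedPackagesDemo {
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;

        AllowListObjectInputStream(InputStream in, List<String> trusted) throws IOException { super(in); this.trustedPackages = trusted; }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Runs before the class is loaded, so an untrusted type is never instantiated.
            if (!isTrusted(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not in trusted packages " + trustedPackages);
            }
            return super.resolveClass(desc);
        }

        boolean isTrusted(String className) {
            String n = className;
            while (n.startsWith("[")) n = n.substring(1);                  // unwrap array descriptors
            if (className.startsWith("[") && n.length() == 1) return true;  // primitive array, e.g. "[I"
            if (n.startsWith("L") && n.endsWith(";")) n = n.substring(1, n.length() - 1);
            for (String pkg : trustedPackages) {
                if (n.startsWith(pkg.trim() + ".")) return true;           // package prefix match
            }
            return false;
        }
    }

    // Allow-list comes from a JVM property (name assumed here), never from a JMS header.
    static List<String> trustedPackagesFromConfig() {
        String prop = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "java.lang,java.util");
        return Arrays.asList(prop.split(","));
    }

    static Object readTrusted(byte[] payload, List<String> trusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(payload), trusted)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();            // constructed sample payload
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new java.util.ArrayList<>(Arrays.asList("a", "b")));
        }
        System.out.println("accepted: " + readTrusted(bos.toByteArray(), trustedPackagesFromConfig()));
        try {
            readTrusted(bos.toByteArray(), Arrays.asList("com.example.trusted"));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());              // java.util.ArrayList refused
        }
    }
}
```

The same payload is accepted when java.util is on the configured list and rejected when it is not; nothing in the serialized bytes can change that decision.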