Sorry Christopher, my mistake. My local branches were messed up. It’s all good.
Regards
--
Dejan Bosanac
about.me/dejanb

On Mon, Dec 14, 2015 at 2:24 PM, Christopher Shannon <[email protected]> wrote:

> I updated master to 5.14-SNAPSHOT when I prepared the last release.
>
> Besides backporting this to the 5.13.x branch we should probably backport
> AMQ-6077 to 5.12.x as well so it will be included in 5.12.2.
>
> On Mon, Dec 14, 2015 at 8:15 AM, Dejan Bosanac <[email protected]> wrote:
>
> > Hi Claus,
> >
> > I implemented a fix for this in
> > https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
> > and see if anything else is missing, it would be greatly appreciated.
> >
> > Here are the proposed changes to the Camel once we have 5.13.1 release
> >
> > https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
> >
> > BTW. We should change version of the current master to 5.14-SNAPSHOT now
> > that 5.13.0 is out.
> >
> > Regards
> > --
> > Dejan Bosanac
> > about.me/dejanb
> >
> > On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <[email protected]> wrote:
> >
> > > > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <[email protected]> wrote:
> > > >
> > > > Also if the java class name is in a JMS header ( I think there is a
> > > > standard for that, JMSType is it not?) maybe the client/server can use
> > > > that out of the box to know at least packages from that class is okay
> > > > to use.
> > >
> > > Doesn’t that defeat the purpose though? I could craft a message that
> > > contains “MyBadClass” and add that JMS header to say MyBadClass should be
> > > allowed. MyBadClass is loaded and security problem. It really needs to be
> > > something configured, not something part of the message.
> > >
> > > Dan
> > >
> > > > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <[email protected]> wrote:
> > > >> Hi
> > > >>
> > > >> Thanks.
> > > >>
> > > >> Yeah this must be easier from client pov. Having to set a JVM system
> > > >> property is sometimes hard for people, eg they deploy to an existing
> > > >> running app server which they cannot restart.
> > > >>
> > > >> And then they need to add some code hack to set the system property
> > > >> from their java app before AMQ bootstrap.
> > > >>
> > > >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> > > >> way for clients, and a speedy release so users can upgrade more
> > > >> easily.
> > > >>
> > > >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <[email protected]> wrote:
> > > >>> Hi Claus,
> > > >>>
> > > >>> here’s the test fix for the current implementation
> > > >>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
> > > >>>
> > > >>> The thing is that the same security issues can occur in the client
> > > >>> applications, when folks call getObject() method, so I think it’s the right
> > > >>> approach for people to white-list only the packages they trust.
> > > >>>
> > > >>> I agree that we can improve user experience by making it easier to
> > > >>> configure all this in the client apps. I think it might be good to allow easy
> > > >>> configuration on the connection factory and using connection urls. I’ll
> > > >>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
> > > >>> any more concerns and ideas on how to improve this, please let me know.
> > > >>>
> > > >>> I’ll go ahead next and create more docs around this.
> > > >>>
> > > >>> Regards
> > > >>> --
> > > >>> Dejan Bosanac
> > > >>> about.me/dejanb
> > > >>>
> > > >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <[email protected]> wrote:
> > > >>>
> > > >>>> I’ll give it a try now. Thanks!
> > > >>>>
> > > >>>> Regards
> > > >>>> --
> > > >>>> Dejan Bosanac
> > > >>>> about.me/dejanb
> > > >>>>
> > > >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <[email protected]> wrote:
> > > >>>>
> > > >>>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You
> > > >>>>> can try yourself by changing the activemq-version in the
> > > >>>>> parent/pom.xml.
> > > >>>>>
> > > >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <[email protected]> wrote:
> > > >>>>>> Hi Claus,
> > > >>>>>>
> > > >>>>>> restrictions were necessary for the CVE that was reported. We’re about to
> > > >>>>>> disclose it fully now after the release.
> > > >>>>>>
> > > >>>>>> AFAIK the change should not affect ObjectMessages in general, just the
> > > >>>>>> cases where those objects are serialized/unserialized inside of the broker,
> > > >>>>>> like web console or stomp transformations. I’ll create proper docs for
> > > >>>>>> the change now and the security aspect of it and we can see later what else
> > > >>>>>> we can do to improve the user experience.
> > > >>>>>>
> > > >>>>>> Are there any Camel related tests that fail due to this change? I can take
> > > >>>>>> a look at that as well.
> > > >>>>>>
> > > >>>>>> Regards
> > > >>>>>> --
> > > >>>>>> Dejan Bosanac
> > > >>>>>> about.me/dejanb
> > > >>>>>>
> > > >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <[email protected]> wrote:
> > > >>>>>>
> > > >>>>>>> I really think you guys should add something about those object
> > > >>>>>>> serialization restrictions. Any end users that use java objects over
> > > >>>>>>> JMS is affected. Nothing works anymore.
> > > >>>>>>>
> > > >>>>>>> It's because of
> > > >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
> > > >>>>>>>
> > > >>>>>>> So there should be some text in the release notes, and ideally AMQ
> > > >>>>>>> broker / client should have some kind of INFO logging that openwire
> > > >>>>>>> with objects is restricted or not. Otherwise it's even harder for end
> > > >>>>>>> users to spot what is going on.
> > > >>>>>>>
> > > >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <[email protected]> wrote:
> > > >>>>>>>> It's probably a good idea to add a new page in the "New Features" section
> > > >>>>>>>> on the site to cover the additions in 5.13.0. I know you added the 'auto'
> > > >>>>>>>> transport along with some other work for some additional metrics etc, all
> > > >>>>>>>> good things that would be nice to advertise a bit.
> > > >>>>>>>>
> > > >>>>>>>> See: http://activemq.apache.org/new-features.html
> > > >>>>>>>>
> > > >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <[email protected]> wrote:
> > > >>>>>>>>
> > > >>>>>>>>> Hi everyone,
> > > >>>>>>>>>
> > > >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
> > > >>>>>>>>>
> > > >>>>>>>>> This release contains a number of resolved issues and new features since
> > > >>>>>>>>> the 5.12.1 release.
> > > >>>>>>>>>
> > > >>>>>>>>> A list of issues resolved in this release is available here:
> > > >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> > > >>>>>>>>>
> > > >>>>>>>>> The Wiki page for the release is here:
> > > >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
> > > >>>>>>>>>
> > > >>>>>>>>> API documentation for 5.12.1 is located here:
> > > >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> > > >>>>>>>>
> > > >>>>>>>> --
> > > >>>>>>>> Tim Bish
> > > >>>>>>>
> > > >>>>>>> --
> > > >>>>>>> Claus Ibsen
> > > >>>>>>> -----------------
> > > >>>>>>> http://davsclaus.com @davsclaus
> > > >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
> > > >>>>>
> > > >>>>> --
> > > >>>>> Claus Ibsen
> > > >>>>> -----------------
> > > >>>>> http://davsclaus.com @davsclaus
> > > >>>>> Camel in Action 2: https://www.manning.com/ibsen2
> > > >>
> > > >> --
> > > >> Claus Ibsen
> > > >> -----------------
> > > >> http://davsclaus.com @davsclaus
> > > >> Camel in Action 2: https://www.manning.com/ibsen2
> > > >
> > > > --
> > > > Claus Ibsen
> > > > -----------------
> > > > http://davsclaus.com @davsclaus
> > > > Camel in Action 2: https://www.manning.com/ibsen2
> > >
> > > --
> > > Daniel Kulp
> > > [email protected] - http://dankulp.com/blog
> > > Talend Community Coder - http://coders.talend.com
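
The point made in the thread, that the list of trusted packages has to come from configuration and not from anything carried in the message, shown as an added example that is not code from ActiveMQ, Camel or any participant in this thread: a plain-JDK `ObjectInputStream` that checks every class descriptor against a configured package list in `resolveClass`, before the class is loaded. The class name `TrustedPackagesDemo`, the package `com.example.orders` and the two sample objects are constructed for illustration.

```java
import java.io.*;
import java.util.*;

// Added illustration, not ActiveMQ code; names and sample inputs are constructed.
public class TrustedPackagesDemo {
    // The allow list comes from deployment configuration, never from the message.
    static final List<String> TRUSTED = Arrays.asList("java.lang", "java.util", "com.example.orders");

    static class TrustedObjectInputStream extends ObjectInputStream {
        TrustedObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called before the class is loaded, so a rejected type never runs readObject().
            String name = desc.getName();
            if (name.startsWith("[")) {
                String elem = name.replaceFirst("^\\[+", "");
                if (elem.length() == 1) return super.resolveClass(desc); // primitive array, e.g. "[I"
                name = elem.substring(1, elem.length() - 1);             // "Lpkg.Type;" -> "pkg.Type"
            }
            int dot = name.lastIndexOf('.');
            String pkg = dot < 0 ? "" : name.substring(0, dot);
            for (String p : TRUSTED) {
                // Match the package or a sub-package, not a bare string prefix.
                if (pkg.equals(p) || pkg.startsWith(p + ".")) return super.resolveClass(desc);
            }
            throw new InvalidClassException(desc.getName(), "package not in trusted list");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readTrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new TrustedObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // java.util.ArrayList is in a trusted package and deserializes normally.
        System.out.println(readTrusted(serialize(new ArrayList<>(Arrays.asList("a", "b")))));
        try {
            // java.io.File is Serializable but java.io is not on the list, so it is refused.
            readTrusted(serialize(new File("constructed-sample")));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```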
