Thanks Dejan, I logged a ticket at Camel with your instructions: https://issues.apache.org/jira/browse/CAMEL-9429

On Mon, Dec 14, 2015 at 2:15 PM, Dejan Bosanac <[email protected]> wrote:
> Hi Claus,
>
> I implemented a fix for this in https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look and see if anything else is missing, it would be greatly appreciated.
>
> Here are the proposed changes to Camel once we have the 5.13.1 release: https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
>
> BTW, we should change the version of the current master to 5.14-SNAPSHOT now that 5.13.0 is out.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <[email protected]> wrote:
>>
>> > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <[email protected]> wrote:
>> >
>> > Also, if the Java class name is in a JMS header (I think there is a standard for that, JMSType is it not?), maybe the client/server can use that out of the box to know that at least packages from that class are okay to use.
>>
>> Doesn't that defeat the purpose though? I could craft a message that contains "MyBadClass" and add that JMS header to say MyBadClass should be allowed. MyBadClass is loaded, and that is a security problem. It really needs to be something configured, not something that is part of the message.
>>
>> Dan
>>
>> > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <[email protected]> wrote:
>> >> Hi
>> >>
>> >> Thanks.
>> >>
>> >> Yeah, this must be easier from the client POV. Having to set a JVM system property is sometimes hard for people, e.g. they deploy to an existing running app server which they cannot restart.
>> >>
>> >> And then they need to add some code hack to set the system property from their Java app before AMQ bootstrap.
>> >>
>> >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy way for clients, and a speedy release so users can upgrade more easily.
>> >>
>> >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <[email protected]> wrote:
>> >>> Hi Claus,
>> >>>
>> >>> here's the test fix for the current implementation: https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>> >>>
>> >>> The thing is that the same security issues can occur in the client applications, when folks call the getObject() method, so I think it's the right approach for people to white-list only the packages they trust.
>> >>>
>> >>> I agree that we can improve the user experience by making it easier to configure all this in the client apps. I think it might be good to allow easy configuration on the connection factory and using connection URLs. I'll raise a new Jira for that and we can deliver this in 5.13.1. If you have any more concerns and ideas on how to improve this, please let me know.
>> >>>
>> >>> I'll go ahead next and create more docs around this.
>> >>>
>> >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <[email protected]> wrote:
>> >>>> I'll give it a try now. Thanks!
>> >>>>
>> >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <[email protected]> wrote:
>> >>>>> Yes, a number of tests fail in camel-jms if you test with 5.13.0. You can try yourself by changing the activemq-version in the parent/pom.xml.
>> >>>>>
>> >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <[email protected]> wrote:
>> >>>>>> Hi Claus,
>> >>>>>>
>> >>>>>> restrictions were necessary for the CVE that was reported. We're about to disclose it fully now after the release.
>> >>>>>>
>> >>>>>> AFAIK the change should not affect ObjectMessages in general, just the cases where those objects are serialized/unserialized inside of the broker, like web console or STOMP transformations. I'll create proper docs for the change now and the security aspect of it, and we can see later what else we can do to improve the user experience.
>> >>>>>>
>> >>>>>> Are there any Camel related tests that fail due to this change? I can take a look at that as well.
>> >>>>>>
>> >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <[email protected]> wrote:
>> >>>>>>> I really think you guys should add something about those object serialization restrictions. Any end user that uses Java objects over JMS is affected. Nothing works anymore.
>> >>>>>>>
>> >>>>>>> It's because of https://issues.apache.org/jira/browse/AMQ-6013
>> >>>>>>>
>> >>>>>>> So there should be some text in the release notes, and ideally the AMQ broker / client should have some kind of INFO logging that OpenWire with objects is restricted or not. Otherwise it's even harder for end users to spot what is going on.
>> >>>>>>>
>> >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <[email protected]> wrote:
>> >>>>>>>> It's probably a good idea to add a new page in the "New Features" section on the site to cover the additions in 5.13.0. I know you added the 'auto' transport along with some other work for some additional metrics etc., all good things that would be nice to advertise a bit.
>> >>>>>>>>
>> >>>>>>>> See: http://activemq.apache.org/new-features.html
>> >>>>>>>>
>> >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <[email protected]> wrote:
>> >>>>>>>>> Hi everyone,
>> >>>>>>>>>
>> >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
>> >>>>>>>>>
>> >>>>>>>>> This release contains a number of resolved issues and new features since the 5.12.1 release.
>> >>>>>>>>>
>> >>>>>>>>> A list of issues resolved in this release is available here:
>> >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>> >>>>>>>>>
>> >>>>>>>>> The Wiki page for the release is here:
>> >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
>> >>>>>>>>>
>> >>>>>>>>> API documentation for 5.12.1 is located here:
>> >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>> >>>>>>>>
>> >>>>>>>> --
>> >>>>>>>> Tim Bish
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> Claus Ibsen
>> >>>>>>> -----------------
>> >>>>>>> http://davsclaus.com @davsclaus
>> >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
>>
>> --
>> Daniel Kulp
>> [email protected] - http://dankulp.com/blog
>> Talend Community Coder - http://coders.talend.com

--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
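The allowlist approach the thread settles on (Dan: configured, not part of the message; Dejan: white-list only the packages you trust), shown as an added example that is not ActiveMQ's or Camel's own code. The stream subclass, its method names and the sample HashMap payload are constructed for this demo.

```java
import java.io.*;
import java.util.*;

// Added example, not ActiveMQ's or Camel's own code: an ObjectInputStream that resolves only
// classes whose package is on a list supplied by configuration; nothing carried in the message
// itself (such as a header naming a class) is consulted.
public class TrustedPackagesDemo {

    static final class TrustedObjectInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;
        TrustedObjectInputStream(InputStream in, List<String> pkgs) throws IOException { super(in); this.trustedPackages = pkgs; }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Refuse before the class is loaded, so neither a static initializer nor readObject can run
            if (!isTrusted(name, trustedPackages))
                throw new InvalidClassException(name, "package is not on the configured trusted list");
            return super.resolveClass(desc);
        }
    }

    // Package check on a binary class name; array descriptors are unwrapped to their element type.
    static boolean isTrusted(String className, List<String> trustedPackages) {
        String name = className;
        boolean array = false;
        while (name.startsWith("[")) { name = name.substring(1); array = true; }
        if (array) {
            if (!(name.startsWith("L") && name.endsWith(";"))) return true; // primitive array such as [B
            name = name.substring(1, name.length() - 1);
        }
        int dot = name.lastIndexOf('.');
        if (dot < 0) return false;                                          // default package: never trusted
        String pkg = name.substring(0, dot);
        for (String trusted : trustedPackages) {
            if (trusted.equals("*") || pkg.equals(trusted) || pkg.startsWith(trusted + ".")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();   // constructed sample payload: a HashMap
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(new HashMap<>(Collections.singletonMap("k", "v"))); }
        for (List<String> trusted : Arrays.asList(Arrays.asList("java.lang", "java.util"), Collections.singletonList("com.example.trusted"))) {
            try (ObjectInputStream in = new TrustedObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()), trusted)) {
                System.out.println(trusted + " -> read " + in.readObject());
            } catch (InvalidClassException e) {
                System.out.println(trusted + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The same payload is accepted with java.util on the list and rejected with only com.example.trusted, so the decision rests entirely on what the receiving application configured.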
