Hi All, On upgrading to 2.5.0 we have found quite a blocking issue to 2.5.0 for anyone who secures durable queue creation so clients cannot create, but doesn’t secure non-durable.
https://issues.apache.org/jira/browse/ARTEMIS-1872 In summary prior to 2.5.0 the security check incorrectly always checked for security rights for non-durable, even if the queue was a durable, this was security hole was fixed in 2.5.0, but a knock on effect is it has highlighted/exposed some logic issues in the CoreClient and also in AMQP and OpenWire protocol managers, where in some cases a queue is not check for being present before calling create queue, meaning if user is not allowed to create a queue, but is allowed to consume, and the queue exists, the client still cannot consume, as the code tries to create and throws exception. We have created a test case that re-creates the issues, and also a possible solution its in PR here. https://github.com/apache/activemq-artemis/pull/2093 Whilst it is not technically caused by any changes in the just created RC for 2.6.0 since 2.5.0, i think the severity/impact of this may deem it worthy to fix, and re-spin. Cheers Mike > On 17 May 2018, at 20:02, Christopher Shannon > <christopher.l.shan...@gmail.com> wrote: > > +1 > > On Thu, May 17, 2018 at 2:51 PM, Timothy Bish <tabish...@gmail.com> wrote: > >> On 05/16/2018 10:49 PM, Clebert Suconic wrote: >> >>> I would like to propose an Apache ActiveMQ Artemis 2.6.0 release. >>> >>> The release notes can be found here: >>> >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?versi >>> on=12342903&&projectId=12315920 >>> >>> There is a new commits report I made that I'm introducing on this release: >>> https://dist.apache.org/repos/dist/dev/activemq/activemq-art >>> emis/2.6.0/artemis-2.6.0.html >>> >>> Source and binary distributions can be found here: >>> https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/2.6.0 >>> >>> The Maven repository is here: >>> https://repository.apache.org/content/repositories/orgapacheactivemq-1157 >>> >>> In case you want to give it a try with the maven repo on examples: >>> http://activemq.apache.org/artemis/docs/latest/hacking-guide >>> /validating-releases.html >>> >>> The source tag: >>> https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.g >>> it;a=tag;h=refs/tags/2.6.0 >>> >>> I will update the website after the vote has passed. >>> >>> >>> [ ] +1 approve the release as Apache Artemis 2.4.0 >>> [ ] +0 no opinion >>> [ ] -1 disapprove (and reason why) >>> >>> >>> Here's my +1 >>> . >>> >>> >> +1 >> >> * Validate the signatures and checksums >> * Review license and notice files in the archives >> * Build from source and ran some of the tests >> * Ran binary broker and ran some samples and performance tests against it >> * Used mvn apache-rat:check to validate license headers in place >> >> >> -- >> Tim Bish >> twitter: @tabish121 >> blog: http://timbish.blogspot.com/ >> >>
