Hi all, I have put together another release of activemq-nms-openwire. Please review it and vote accordingly.
This release includes an important new feature that allows users to specify an allow/deny list of types for binary serialization. This can help prevent potential security vulnerabilities.

The feature is implemented in the same way as in qpid-jms, using a deserialization policy that controls which types can be trusted for deserialization from an incoming NMS IObjectMessage containing serialized .NET Object content. By default, all types are trusted during deserialization. However, the default Deserialization Policy object provides URI options for specifying an allow list and a deny list of .NET classes or namespaces.

The following options are available:

- nms.deserializationPolicy.allowList: A comma-separated list of classes/namespaces that are allowed during deserialization, unless they are overridden by the deny list. Names in this list are not pattern values; the exact class or namespace name must be configured (e.g. "System.Collections.Queue" or "System.Collections"). Namespace matches include sub-namespaces. The default is to allow all.
- nms.deserializationPolicy.denyList: A comma-separated list of classes/namespaces that are rejected during deserialization. Names in this list are not pattern values; the exact class or namespace name must be configured (e.g. "System.Collections.Queue" or "System.Collections"). Namespace matches include sub-namespaces. The default is to reject none.

This release contains the following change:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935

The files can be grabbed from:
https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/

Regards,
Chris

Here's mine +1 (binding)
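The allow/deny semantics described in the message above, modelled as an added example (not code from the release or from the NMS project). The class name ListPolicyModel, the sample type names and the dot-boundary rule for namespace matching are assumptions made for illustration.

```csharp
using System;
using System.Linq;

// Added illustration of the allow/deny rules; not the NMS implementation.
// Assumption: a namespace entry matches only at a '.' boundary.
public sealed class ListPolicyModel
{
    private readonly string[] allow, deny;

    public ListPolicyModel(string allowList, string denyList)
    {
        allow = Split(allowList);
        deny = Split(denyList);
    }

    private static string[] Split(string csv) =>
        (csv ?? "").Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();

    // Exact class name, or a namespace including its sub-namespaces. No wildcards:
    // "System.Collections" covers "System.Collections.Specialized.X" but not "System.CollectionsX.Y".
    private static bool Matches(string entry, string typeName) =>
        typeName == entry || typeName.StartsWith(entry + ".", StringComparison.Ordinal);

    public bool IsTrusted(string typeFullName)
    {
        if (deny.Any(e => Matches(e, typeFullName))) return false;             // deny overrides allow
        return allow.Length == 0 || allow.Any(e => Matches(e, typeFullName));  // empty allow list = allow all
    }
}

public static class Demo
{
    public static void Main()
    {
        // Equivalent URI options (constructed values):
        // ?nms.deserializationPolicy.allowList=System.Collections,MyApp.Messages
        //  &nms.deserializationPolicy.denyList=System.Collections.Hashtable
        var restricted = new ListPolicyModel("System.Collections,MyApp.Messages", "System.Collections.Hashtable");
        var defaults = new ListPolicyModel(null, null); // the defaults: allow all, reject none
        string[] samples = {                            // constructed sample type names
            "System.Collections.Queue",
            "System.Collections.Specialized.StringCollection",
            "System.Collections.Hashtable",
            "System.CollectionsX.Widget",
            "MyApp.Messages.OrderCreated",
            "System.Diagnostics.Process",
        };
        foreach (var t in samples)
            Console.WriteLine($"{t,-50} default={defaults.IsTrusted(t),-5} restricted={restricted.IsTrusted(t)}");
    }
}
```

With no options set, every sample type is trusted, so narrowing the allow list to the payload types an application actually exchanges is what reduces the deserialization surface.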