Yeah it actually should be on both. private@ is where the vote actually counts. dev@ is for keeping it public.
Jeff > On Feb 27, 2023, at 8:10 AM, Bruce Snyder <bruce.sny...@gmail.com> wrote: > > Whoops, now I see it's on both. My mistake. > > Bruce > > On Mon, Feb 27, 2023 at 8:09 AM Bruce Snyder <bruce.sny...@gmail.com> wrote: > >> This vote should be moved to the dev@ list. >> >> Bruce >> >> On Sun, Feb 26, 2023 at 4:09 AM Havret <hav...@apache.org> wrote: >> >>> Hi all, >>> >>> I have put together another release of activemq-nms-openwire. Please >>> review >>> it and vote accordingly. >>> >>> This release includes an important new feature that allows users to >>> specify >>> an allow/deny list of types for binary serialization. This can help >>> prevent >>> potential security vulnerabilities. >>> >>> The feature is implemented in the same way as in qpid-jms, using a >>> deserialization policy that controls which types can be trusted for >>> deserialization from an incoming NMS IObjectMessage containing serialized >>> .NET Object content. By default, all types are trusted during >>> deserialization. However, the default Deserialization Policy object >>> provides URI options for specifying an allow list and a deny list of .NET >>> classes or namespaces. >>> >>> The following options are available: >>> >>> - nms.deserializationPolicy.allowList: A comma-separated list of >>> classes/namespaces that are allowed during deserialization, unless they >>> are >>> overridden by the deny list. Names in this list are not pattern values; >>> the >>> exact class or namespace name must be configured (e.g. >>> "System.Collections.Queue" or "System.Collections"). Namespace matches >>> include sub-namespaces. The default is to allow all. >>> - nms.deserializationPolicy.denyList: A comma-separated list of >>> classes/namespaces that are rejected during deserialization. Names in this >>> list are not pattern values; the exact class or namespace name must be >>> configured (e.g. "System.Collections.Queue" or "System.Collections"). >>> Namespace matches include sub-namespaces. The default is to reject none. >>> >>> This release contains the following change: >>> * >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935 >>> < >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935 >>>> * >>> >>> The files can be grabbed from: >>> >>> https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/ >>> >>> Regards, >>> Chris >>> >>> Here's mine +1 (binding) >>> >> >> >> -- >> perl -e 'print >> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*" );' >> http://bsnyder.org/ <http://bruceblog.org/> >> > > > -- > perl -e 'print > unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*" );' > http://bsnyder.org/ <http://bruceblog.org/>
