+1 (non-binding)

Updated an existing application to use the release candidate and deployed
to a test environment. No regressions were noted. However, it does not use
IObjectMessage.

Also, built the project from the source archive on dist.apache.org.
However, I needed to add a reference to Apache.NMS.Test 1.8.0 to get the
test project to build. Also, I wasn't actually able to run most of the
tests, due to limitations of my environment (no local SQL Server).

The solution also contains a doc project, which was missing from the source
archive - perhaps this is intentional? I see it was the same for 2.0.1.

Regards,
Bruce Dodson

On Sun, Feb 26, 2023 at 3:09 AM Havret <hav...@apache.org> wrote:

> Hi all,
>
> I have put together another release of activemq-nms-openwire. Please review
> it and vote accordingly.
>
> This release includes an important new feature that allows users to specify
> an allow/deny list of types for binary serialization. This can help prevent
> potential security vulnerabilities.
>
> The feature is implemented in the same way as in qpid-jms, using a
> deserialization policy that controls which types can be trusted for
> deserialization from an incoming NMS IObjectMessage containing serialized
> .NET Object content. By default, all types are trusted during
> deserialization. However, the default Deserialization Policy object
> provides URI options for specifying an allow list and a deny list of .NET
> classes or namespaces.
>
> The following options are available:
>
> - nms.deserializationPolicy.allowList: A comma-separated list of
> classes/namespaces that are allowed during deserialization, unless they are
> overridden by the deny list. Names in this list are not pattern values; the
> exact class or namespace name must be configured (e.g.
> "System.Collections.Queue" or "System.Collections"). Namespace matches
> include sub-namespaces. The default is to allow all.
> - nms.deserializationPolicy.denyList: A comma-separated list of
> classes/namespaces that are rejected during deserialization. Names in this
> list are not pattern values; the exact class or namespace name must be
> configured (e.g. "System.Collections.Queue" or "System.Collections").
> Namespace matches include sub-namespaces. The default is to reject none.
>
> This release contains the following change:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
>
> The files can be grabbed from:
>
> https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/
>
> Regards,
> Chris
>
> Here's my +1 (binding)
>
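
Added example, not part of the original thread and not the Apache.NMS.ActiveMQ implementation: a small C# model of the allow/deny evaluation the announcement describes (exact class or namespace names, sub-namespaces included, deny list overriding allow list, empty allow list meaning "allow all"). The class name `TypeListPolicy`, the '.' boundary check, and the sample type names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model of the semantics described in the announcement.
public sealed class TypeListPolicy
{
    private readonly List<string> allow;
    private readonly List<string> deny;

    public TypeListPolicy(string allowList, string denyList)
    {
        allow = Parse(allowList);
        deny = Parse(denyList);
    }

    // Comma-separated list; entries are literal names, not patterns.
    private static List<string> Parse(string csv) =>
        (csv ?? "").Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToList();

    // Exact name, or a namespace prefix that ends on a '.' boundary (assumption),
    // so "System.Collections" does not match "System.CollectionsExtra.Widget".
    private static bool Matches(string typeName, string entry) =>
        typeName == entry ||
        (typeName.Length > entry.Length &&
         typeName.StartsWith(entry, StringComparison.Ordinal) &&
         typeName[entry.Length] == '.');

    public bool IsTrusted(string typeName)
    {
        if (deny.Any(e => Matches(typeName, e))) return false; // deny overrides allow
        if (allow.Count == 0) return true;                      // default: allow all
        return allow.Any(e => Matches(typeName, e));
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new TypeListPolicy(
            "System.Collections, MyApp.Messages", "System.Collections.Hashtable");
        // Constructed sample type names.
        foreach (var t in new[] { "System.Collections.Queue", "System.Collections.Generic.List",
            "System.Collections.Hashtable", "System.CollectionsExtra.Widget",
            "MyApp.Messages.OrderPlaced", "System.Diagnostics.Process" })
            Console.WriteLine($"{t,-34} {(policy.IsTrusted(t) ? "trusted" : "rejected")}");
    }
}
```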
