Posted to dev@activemq.apache.org by Christopher Shannon <ch...@gmail.com> on 2015/12/03 21:51:27 UTC

[ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Hi everyone,

Apache ActiveMQ 5.13.0 has now been released.

This release contains a number of resolved issues and new features since
the 5.12.1 release.

A list of issues resolved in this release is available here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848

The Wiki page for the release is here:
http://activemq.apache.org/activemq-5130-release.html

API documentation for 5.12.1 is located here:
http://activemq.apache.org/maven/5.13.0/apidocs/index.html

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Dejan Bosanac <de...@nighttale.net>.
Sorry Christopher, my mistake. My local branches were messed up. It’s all
good.

Regards
--
Dejan Bosanac
about.me/dejanb

On Mon, Dec 14, 2015 at 2:24 PM, Christopher Shannon <
christopher.l.shannon@gmail.com> wrote:

> I updated master to 5.14-SNAPSHOT when I prepared the last release.
>
> Besides backporting this to the 5.13.x branch we should probably backport
> AMQ-6077 to 5.12.x as well so it will be included in 5.12.2.
>
> On Mon, Dec 14, 2015 at 8:15 AM, Dejan Bosanac <de...@nighttale.net>
> wrote:
>
> > Hi Claus,
> >
> > I implemented a fix for this in
> > https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
> > and see if anything else is missing, it would be greatly appreciated.
> >
> > Here are the proposed changes to the Camel once we have 5.13.1 release
> >
> > https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
> >
> > BTW. We should change version of the current master to 5.14-SNAPSHOT now
> > that 5.13.0 is out.
> >
> > Regards
> > --
> > Dejan Bosanac
> > about.me/dejanb
> >
> > On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <dk...@apache.org> wrote:
> >
> > >
> > > > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <cl...@gmail.com> wrote:
> > > >
> > > > Also if the java class name is in a JMS header ( I think there is a
> > > > standard for that, JMSType is it not?) maybe the client/server can use
> > > > that out of the box to know at least packages from that class is okay
> > > > to use.
> > >
> > >
> > > Doesn’t that defeat the purpose though?  I could craft a message that
> > > contains “MyBadClass” and add that JMS header to say MyBadClass should be
> > > allowed.  MyBadClass is loaded and security problem.  It really needs to be
> > > something configured, not something part of the message.
> > >
> > > Dan
> > >
> > >
> > > >
> > > >
> > > > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <cl...@gmail.com> wrote:
> > > >> Hi
> > > >>
> > > >> Thanks.
> > > >>
> > > >> Yeah this must be easier from client pov. Having to set a JVM system
> > > >> property is sometimes hard for people, eg they deploy to an existing
> > > >> running app server which they cannot restart.
> > > >>
> > > >> And then they need to add some code hack to set the system property
> > > >> from their java app before AMQ bootstrap.
> > > >>
> > > >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> > > >> way for clients, and a speedy release so users can upgrade more
> > > >> easily.
> > > >>
> > > >>
> > > >>
> > > >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <de...@nighttale.net> wrote:
> > > >>> Hi Claus,
> > > >>>
> > > >>> here’s the test fix for the current implementation
> > > >>>
> > > >>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
> > > >>>
> > > >>> The thing is that the same security issues can occur in the client
> > > >>> applications, when folks call getObject() method, so I think it’s the right
> > > >>> approach for people to white-list only the packages they trust.
> > > >>>
> > > >>> I agree that we can improve user experience by making it easier to
> > > >>> configure all this in the client apps. I think it might be good to allow easy
> > > >>> configuration on the connection factory and using connection urls. I’ll
> > > >>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
> > > >>> any more concerns and ideas on how to improve this, please let me know.
> > > >>>
> > > >>> I’ll go ahead next and create more docs around this.
> > > >>>
> > > >>>
> > > >>> Regards
> > > >>> --
> > > >>> Dejan Bosanac
> > > >>> about.me/dejanb
> > > >>>
> > > >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <dejan@nighttale.net> wrote:
> > > >>>
> > > >>>> I’ll give it a try now. Thanks!
> > > >>>>
> > > >>>> Regards
> > > >>>> --
> > > >>>> Dejan Bosanac
> > > >>>> about.me/dejanb
> > > >>>>
> > > >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <claus.ibsen@gmail.com>
> > > >>>> wrote:
> > > >>>>
> > > >>>>> Yes a number of test fails in camel-jms, if you test with 5.13.0. You
> > > >>>>> can try yourself by changing the activemq-version in the
> > > >>>>> parent/pom.xml.
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <dejan@nighttale.net>
> > > >>>>> wrote:
> > > >>>>>> Hi Claus,
> > > >>>>>>
> > > >>>>>> restrictions were necessary for the CVE that was reported. We’re about to
> > > >>>>>> disclose it fully now after the release.
> > > >>>>>>
> > > >>>>>> AFAIK the change should not affect ObjectMessages in general, just the
> > > >>>>>> cases where those objects are serialized/unserialized inside of the broker,
> > > >>>>>> like web console or stomp transformations. I’ll create a proper docs for
> > > >>>>>> the change now and the security aspect of it and we can see later what else
> > > >>>>>> we can do to improve the user experience.
> > > >>>>>>
> > > >>>>>> Are there any Camel related tests that fails due to this change? I can take
> > > >>>>>> a look at that as well.
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> Regards
> > > >>>>>> --
> > > >>>>>> Dejan Bosanac
> > > >>>>>> about.me/dejanb
> > > >>>>>>
> > > >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <claus.ibsen@gmail.com>
> > > >>>>>> wrote:
> > > >>>>>>
> > > >>>>>>> I really think you guys should add something about those object
> > > >>>>>>> serialization restrictions. Any end users that uses java objects over
> > > >>>>>>> JMS is affected. Nothing works anymore.
> > > >>>>>>>
> > > >>>>>>> It's because of
> > > >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
> > > >>>>>>>
> > > >>>>>>> So there should be some text in the release notes, and ideally AMQ
> > > >>>>>>> broker / client should have some kind of INFO logging that openwire
> > > >>>>>>> with objects is restricted or not. Otherwise it's even harder for end
> > > >>>>>>> users to spot what is going on.
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <tabish121@gmail.com>
> > > >>>>>>> wrote:
> > > >>>>>>>> It's probably a good idea to add a new page in the "New Features" section
> > > >>>>>>>> on the site to cover the additions in 5.13.0.  I know you added the 'auto'
> > > >>>>>>>> transport along with some other work for some additional metrics etc, all
> > > >>>>>>>> good things that would be nice to advertise a bit.
> > > >>>>>>>>
> > > >>>>>>>> See: http://activemq.apache.org/new-features.html
> > > >>>>>>>>
> > > >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
> > > >>>>>>>> christopher.l.shannon@gmail.com> wrote:
> > > >>>>>>>>
> > > >>>>>>>>> Hi everyone,
> > > >>>>>>>>>
> > > >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
> > > >>>>>>>>>
> > > >>>>>>>>> This release contains a number of resolved issues and new features since
> > > >>>>>>>>> the 5.12.1 release.
> > > >>>>>>>>>
> > > >>>>>>>>> A list of issues resolved in this release is available here:
> > > >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> > > >>>>>>>>>
> > > >>>>>>>>> The Wiki page for the release is here:
> > > >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
> > > >>>>>>>>>
> > > >>>>>>>>> API documentation for 5.12.1 is located here:
> > > >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> > > >>>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> --
> > > >>>>>>>> --
> > > >>>>>>>> Tim Bish
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> --
> > > >>>>>>> Claus Ibsen
> > > >>>>>>> -----------------
> > > >>>>>>> http://davsclaus.com @davsclaus
> > > >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
> > > >>>>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> --
> > > >>>>> Claus Ibsen
> > > >>>>> -----------------
> > > >>>>> http://davsclaus.com @davsclaus
> > > >>>>> Camel in Action 2: https://www.manning.com/ibsen2
> > > >>>>>
> > > >>>>
> > > >>>>
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Claus Ibsen
> > > >> -----------------
> > > >> http://davsclaus.com @davsclaus
> > > >> Camel in Action 2: https://www.manning.com/ibsen2
> > > >
> > > >
> > > >
> > > > --
> > > > Claus Ibsen
> > > > -----------------
> > > > http://davsclaus.com @davsclaus
> > > > Camel in Action 2: https://www.manning.com/ibsen2
> > >
> > > --
> > > Daniel Kulp
> > > dkulp@apache.org - http://dankulp.com/blog
> > > Talend Community Coder - http://coders.talend.com
> > >
> > >
> >
>
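
The point argued in the thread above, that the list of trusted packages has to come from the receiver's configuration and not from anything carried in the message, shown as an added example (not ActiveMQ or Camel code, and not from any poster). It uses only the JDK; the class and method names are hypothetical, the payloads are constructed, and java.math.BigDecimal is a harmless stand-in for a class the receiver never agreed to load.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public class TrustedPackagesDemo {

    /** Resolves only classes whose package is on the receiver's own list. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;

        AllowListObjectInputStream(InputStream in, List<String> trustedPackages) throws IOException {
            super(in);
            this.trustedPackages = trustedPackages;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called once per class descriptor in the stream, before any instance is built.
            String name = elementType(desc.getName());
            if (name != null && !isTrusted(name)) {
                throw new InvalidClassException(name, "not in a trusted package");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            // Dynamic proxies bypass resolveClass, so this example refuses them outright.
            throw new InvalidClassException("dynamic proxy classes are not accepted");
        }

        /** "[[Lcom.acme.Order;" -> "com.acme.Order"; primitive arrays -> null (always allowed). */
        private static String elementType(String name) {
            if (!name.startsWith("[")) return name;
            String stripped = name.substring(name.lastIndexOf('[') + 1);
            return stripped.startsWith("L") ? stripped.substring(1, stripped.length() - 1) : null;
        }

        /** Policy of this example: a listed package also covers its subpackages. */
        private boolean isTrusted(String className) {
            for (String pkg : trustedPackages) {
                if (className.startsWith(pkg + ".")) return true;
            }
            return false;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    /** Receiver-side policy: only the locally configured list decides. */
    static Object readConfigured(byte[] body, List<String> configured)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                 new AllowListObjectInputStream(new ByteArrayInputStream(body), configured)) {
            return in.readObject();
        }
    }

    /** The idea rejected in the thread: widen the list with a type name the message carries. */
    static Object readTrustingHeader(byte[] body, String typeHeader, List<String> configured)
            throws IOException, ClassNotFoundException {
        List<String> widened = new ArrayList<>(configured);
        int dot = typeHeader.lastIndexOf('.');
        if (dot > 0) widened.add(typeHeader.substring(0, dot)); // sender-controlled input
        return readConfigured(body, widened);
    }

    public static void main(String[] args) throws Exception {
        List<String> configured = List.of("java.lang", "java.util"); // constructed receiver config
        byte[] expected = serialize(new Date(0));                    // constructed payload
        byte[] unexpected = serialize(new BigDecimal("1.5"));        // constructed payload

        System.out.println("configured list, Date: " + readConfigured(expected, configured));
        try {
            readConfigured(unexpected, configured);
        } catch (InvalidClassException e) {
            System.out.println("configured list, BigDecimal: rejected (" + e.getMessage() + ")");
        }
        // The sender names its own class in the header, so the check admits whatever was sent.
        System.out.println("header-trusting, BigDecimal: "
                + readTrustingHeader(unexpected, "java.math.BigDecimal", configured));
    }
}
```

The rejection happens in resolveClass, before any object of the unlisted class is instantiated, which is why the list has to be fixed on the receiving side before the body is read.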

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Christopher Shannon <ch...@gmail.com>.
I updated master to 5.14-SNAPSHOT when I prepared the last release.

Besides backporting this to the 5.13.x branch we should probably backport
AMQ-6077 to 5.12.x as well so it will be included in 5.12.2.

On Mon, Dec 14, 2015 at 8:15 AM, Dejan Bosanac <de...@nighttale.net> wrote:

> Hi Claus,
>
> I implemented a fix for this in
> https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
> and see if anything else is missing, it would be greatly appreciated.
>
> Here are the proposed changes to the Camel once we have 5.13.1 release
>
> https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
>
> BTW. We should change version of the current master to 5.14-SNAPSHOT now
> that 5.13.0 is out.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Dejan Bosanac <de...@nighttale.net>.
Thanks Claus, here’s some more docs for it
http://activemq.apache.org/objectmessage.html#ObjectMessage-Clients

I’ll create a proper PR once we have 5.13.1

Regards
--
Dejan Bosanac
about.me/dejanb

On Wed, Dec 16, 2015 at 4:24 PM, Claus Ibsen <cl...@gmail.com> wrote:

> Thanks Dejan
>
> I logged a ticket at Camel with your instructions
> https://issues.apache.org/jira/browse/CAMEL-9429
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2
>

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Claus Ibsen <cl...@gmail.com>.
Thanks Dejan

I logged a ticket at Camel with your instructions
https://issues.apache.org/jira/browse/CAMEL-9429

On Mon, Dec 14, 2015 at 2:15 PM, Dejan Bosanac <de...@nighttale.net> wrote:
> Hi Claus,
>
> I implemented a fix for this in
> https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
> and see if anything else is missing, it would be greatly appreciated.
>
> Here are the proposed changes to the Camel once we have 5.13.1 release
> https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
>
> BTW. We should change version of the current master to 5.14-SNAPSHOT now
> that 5.13.0 is out.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
>> > Camel in Action 2: https://www.manning.com/ibsen2
>>
>> --
>> Daniel Kulp
>> dkulp@apache.org - http://dankulp.com/blog
>> Talend Community Coder - http://coders.talend.com
>>
>>



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Claus,

I implemented a fix for this in
https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look
and see if anything else is missing, it would be greatly appreciated.

Here are the proposed changes to Camel once we have the 5.13.1 release
https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4

BTW. We should change version of the current master to 5.14-SNAPSHOT now
that 5.13.0 is out.

Regards
--
Dejan Bosanac
about.me/dejanb

On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <dk...@apache.org> wrote:

>
> > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <cl...@gmail.com> wrote:
> >
> > Also if the java class name is in a JMS header ( I think there is a
> > standard for that, JMSType is it not?) maybe the client/server can use
> > that out of the box to know at least packages from that class is okay
> > to use.
>
>
> Doesn’t that defeat the purpose though?  I could craft a message that
> contains “MyBadClass” and add that JMS header to say MyBadClass should be
> allowed.  MyBadClass is loaded and security problem.  It really needs to be
> something configured, not something part of the message.
>
> Dan
>
>
> >
> >
> > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <cl...@gmail.com>
> wrote:
> >> Hi
> >>
> >> Thanks.
> >>
> >> Yeah this must be easier from client pov. Having to set a JVM system
> >> property is sometimes hard for people, eg they deploy to an existing
> >> running app server which they cannot restart.
> >>
> >> And then they need to add some code hack to set the system property
> >> from their java app before AMQ bootstrap.
> >>
> >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> >> way for clients, and a speedy release so users can upgrade more
> >> easily.
> >>
> >>
> >>
> >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <de...@nighttale.net>
> wrote:
> >>> Hi Claus,
> >>>
> >>> here’s the test fix for the current implementation
> >>>
> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
> >>>
> >>> The thing is that the same security issues can occur in the client
> >>> applications, when folks call getObject() method, so I think it’s the
> right
> >>> approach for people to white-list only the packages they trust.
> >>>
> >>> I agree that we can improve user experience by making it easier to
> >>> configure all this in the client apps. I think it might be good allow
> easy
> >>> configuration on the connection factory and using connection urls. I’ll
> >>> raise a new Jira for that and we can deliver this in 5.13.1. If you
> have
> >>> any more concerns and ideas on how to improve this, please let me know.
> >>>
> >>> I’ll go ahead next and create more docs around this.
> >>>
> >>>
> >>> Regards
> >>> --
> >>> Dejan Bosanac
> >>> about.me/dejanb
> >>>
> >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <de...@nighttale.net>
> wrote:
> >>>
> >>>> I’ll give it a try now. Thanks!
> >>>>
> >>>> Regards
> >>>> --
> >>>> Dejan Bosanac
> >>>> about.me/dejanb
> >>>>
> >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <cl...@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Yes a number of test fails in camel-jms, if you test with 5.13.0. You
> >>>>> can try yourself by changing the activemq-version in the
> >>>>> parent/pom.xml.
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <de...@nighttale.net>
> >>>>> wrote:
> >>>>>> Hi Claus,
> >>>>>>
> >>>>>> restrictions were necessary for the CVE that was reported. We’re
> about
> >>>>> to
> >>>>>> disclose it fully now after the release.
> >>>>>>
> >>>>>> AFAIK the change should not affect ObjectMessages in general, just
> the
> >>>>>> cases where those objects are serialized/unserialized inside of the
> >>>>> broker,
> >>>>>> like web console or stomp transformations. I’ll create a proper
> docs for
> >>>>>> the change now and the security aspect of it and we can see later
> what
> >>>>> else
> >>>>>> we can do to improve the user experience.
> >>>>>>
> >>>>>> Are there any Camel related tests that fails due to this change? I
> can
> >>>>> take
> >>>>>> a look at that as well.
> >>>>>>
> >>>>>>
> >>>>>> Regards
> >>>>>> --
> >>>>>> Dejan Bosanac
> >>>>>> about.me/dejanb
> >>>>>>
> >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <claus.ibsen@gmail.com
> >
> >>>>> wrote:
> >>>>>>
> >>>>>>> I really think you guys should add something about those object
> >>>>>>> serialization restrictions. Any end users that uses java objects
> over
> >>>>>>> JMS is affected. Nothing works anymore.
> >>>>>>>
> >>>>>>> Its because of
> >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
> >>>>>>>
> >>>>>>> So there should be some text in the release notes, and ideally AMQ
> >>>>>>> broker / client should have some kind of INFO logging that openwire
> >>>>>>> with objects is restricted or not. Otherwise its even harder for
> end
> >>>>>>> users to spot what is going on.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com>
> >>>>> wrote:
> >>>>>>>> It's probably a good idea to add a new page in the "New Features"
> >>>>> section
> >>>>>>>> on the site to cover the additions in 5.13.0.  I know you added
> the
> >>>>>>> 'auto'
> >>>>>>>> transport along with some other work for some additional metrics
> >>>>> etc, all
> >>>>>>>> good things that would be nice to advertise a bit.
> >>>>>>>>
> >>>>>>>> See: http://activemq.apache.org/new-features.html
> >>>>>>>>
> >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
> >>>>>>>> christopher.l.shannon@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi everyone,
> >>>>>>>>>
> >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
> >>>>>>>>>
> >>>>>>>>> This release contains a number of resolved issues and new
> features
> >>>>> since
> >>>>>>>>> the 5.12.1 release.
> >>>>>>>>>
> >>>>>>>>> A list of issues resolved in this release is available here:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> >>>>>>>>>
> >>>>>>>>> The Wiki page for the release is here:
> >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
> >>>>>>>>>
> >>>>>>>>> API documentation for 5.12.1 is located here:
> >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> --
> >>>>>>>> Tim Bish
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Claus Ibsen
> >>>>>>> -----------------
> >>>>>>> http://davsclaus.com @davsclaus
> >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
> >>>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Claus Ibsen
> >>>>> -----------------
> >>>>> http://davsclaus.com @davsclaus
> >>>>> Camel in Action 2: https://www.manning.com/ibsen2
> >>>>>
> >>>>
> >>>>
> >>
> >>
> >>
> >> --
> >> Claus Ibsen
> >> -----------------
> >> http://davsclaus.com @davsclaus
> >> Camel in Action 2: https://www.manning.com/ibsen2
> >
> >
> >
> > --
> > Claus Ibsen
> > -----------------
> > http://davsclaus.com @davsclaus
> > Camel in Action 2: https://www.manning.com/ibsen2
>
> --
> Daniel Kulp
> dkulp@apache.org - http://dankulp.com/blog
> Talend Community Coder - http://coders.talend.com
>
>

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Daniel Kulp <dk...@apache.org>.
> On Dec 7, 2015, at 8:16 AM, Claus Ibsen <cl...@gmail.com> wrote:
> 
> Also if the java class name is in a JMS header ( I think there is a
> standard for that, JMSType is it not?) maybe the client/server can use
> that out of the box to know at least packages from that class is okay
> to use.


Doesn’t that defeat the purpose though?  I could craft a message that contains “MyBadClass” and add that JMS header to say MyBadClass should be allowed.  MyBadClass is loaded and security problem.  It really needs to be something configured, not something part of the message.  

Dan


> 
> 
> On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <cl...@gmail.com> wrote:
>> Hi
>> 
>> Thanks.
>> 
>> Yeah this must be easier from client pov. Having to set a JVM system
>> property is sometimes hard for people, eg they deploy to an existing
>> running app server which they cannot restart.
>> 
>> And then they need to add some code hack to set the system property
>> from their java app before AMQ bootstrap.
>> 
>> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
>> way for clients, and a speedy release so users can upgrade more
>> easily.
>> 
>> 
>> 
>> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <de...@nighttale.net> wrote:
>>> Hi Claus,
>>> 
>>> here’s the test fix for the current implementation
>>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>>> 
>>> The thing is that the same security issues can occur in the client
>>> applications, when folks call getObject() method, so I think it’s the right
>>> approach for people to white-list only the packages they trust.
>>> 
>>> I agree that we can improve user experience by making it easier to
>>> configure all this in the client apps. I think it might be good allow easy
>>> configuration on the connection factory and using connection urls. I’ll
>>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
>>> any more concerns and ideas on how to improve this, please let me know.
>>> 
>>> I’ll go ahead next and create more docs around this.
>>> 
>>> 
>>> Regards
>>> --
>>> Dejan Bosanac
>>> about.me/dejanb
>>> 
>>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <de...@nighttale.net> wrote:
>>> 
>>>> I’ll give it a try now. Thanks!
>>>> 
>>>> Regards
>>>> --
>>>> Dejan Bosanac
>>>> about.me/dejanb
>>>> 
>>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <cl...@gmail.com>
>>>> wrote:
>>>> 
>>>>> Yes a number of test fails in camel-jms, if you test with 5.13.0. You
>>>>> can try yourself by changing the activemq-version in the
>>>>> parent/pom.xml.
>>>>> 
>>>>> 
>>>>> 
>>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <de...@nighttale.net>
>>>>> wrote:
>>>>>> Hi Claus,
>>>>>> 
>>>>>> restrictions were necessary for the CVE that was reported. We’re about
>>>>> to
>>>>>> disclose it fully now after the release.
>>>>>> 
>>>>>> AFAIK the change should not affect ObjectMessages in general, just the
>>>>>> cases where those objects are serialized/unserialized inside of the
>>>>> broker,
>>>>>> like web console or stomp transformations. I’ll create a proper docs for
>>>>>> the change now and the security aspect of it and we can see later what
>>>>> else
>>>>>> we can do to improve the user experience.
>>>>>> 
>>>>>> Are there any Camel related tests that fails due to this change? I can
>>>>> take
>>>>>> a look at that as well.
>>>>>> 
>>>>>> 
>>>>>> Regards
>>>>>> --
>>>>>> Dejan Bosanac
>>>>>> about.me/dejanb
>>>>>> 
>>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <cl...@gmail.com>
>>>>> wrote:
>>>>>> 
>>>>>>> I really think you guys should add something about those object
>>>>>>> serialization restrictions. Any end users that uses java objects over
>>>>>>> JMS is affected. Nothing works anymore.
>>>>>>> 
>>>>>>> Its because of
>>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
>>>>>>> 
>>>>>>> So there should be some text in the release notes, and ideally AMQ
>>>>>>> broker / client should have some kind of INFO logging that openwire
>>>>>>> with objects is restricted or not. Otherwise its even harder for end
>>>>>>> users to spot what is going on.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com>
>>>>> wrote:
>>>>>>>> It's probably a good idea to add a new page in the "New Features"
>>>>> section
>>>>>>>> on the site to cover the additions in 5.13.0.  I know you added the
>>>>>>> 'auto'
>>>>>>>> transport along with some other work for some additional metrics
>>>>> etc, all
>>>>>>>> good things that would be nice to advertise a bit.
>>>>>>>> 
>>>>>>>> See: http://activemq.apache.org/new-features.html
>>>>>>>> 
>>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
>>>>>>>> christopher.l.shannon@gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> Hi everyone,
>>>>>>>>> 
>>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
>>>>>>>>> 
>>>>>>>>> This release contains a number of resolved issues and new features
>>>>> since
>>>>>>>>> the 5.12.1 release.
>>>>>>>>> 
>>>>>>>>> A list of issues resolved in this release is available here:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>> 
>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>>>>>>>> 
>>>>>>>>> The Wiki page for the release is here:
>>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
>>>>>>>>> 
>>>>>>>>> API documentation for 5.12.1 is located here:
>>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> --
>>>>>>>> Tim Bish
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> Claus Ibsen
>>>>>>> -----------------
>>>>>>> http://davsclaus.com @davsclaus
>>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Claus Ibsen
>>>>> -----------------
>>>>> http://davsclaus.com @davsclaus
>>>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>>> 
>>>> 
>>>> 
>> 
>> 
>> 
>> --
>> Claus Ibsen
>> -----------------
>> http://davsclaus.com @davsclaus
>> Camel in Action 2: https://www.manning.com/ibsen2
> 
> 
> 
> -- 
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
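
The point made in the reply above, as an added example that is not part of the thread and is not ActiveMQ's code: a plain-Java `ObjectInputStream` that resolves classes only from a package list supplied by the receiver, beside a variant that widens that list from the sender's JMSType header. The class names, the `Message` holder, the exact-match package rule and the sample payloads are all constructed for illustration.

```java
import java.io.*;
import java.util.*;

public class TrustedPackagesDemo {

    /** Constructed stand-in for a class the receiver never chose to trust. */
    static class UnlistedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "constructed sample";
    }

    /** Constructed stand-in for a received message: headers and body both come from the sender. */
    static class Message {
        final Map<String, String> headers = new HashMap<>();
        final byte[] body;

        Message(Object payload, String declaredType) throws IOException {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
                out.writeObject(payload);
            }
            body = buf.toByteArray();
            headers.put("JMSType", declaredType);
        }
    }

    /** Resolves a class only if its package is on the list handed in by the receiver. */
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Collection<String> trustedPackages;

        AllowListObjectInputStream(InputStream in, Collection<String> trustedPackages) throws IOException {
            super(in);
            this.trustedPackages = trustedPackages;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Arrays arrive as "[Ljava.lang.String;" or "[I": check the element type instead.
            while (name.startsWith("[")) name = name.substring(1);
            if (name.endsWith(";")) {
                name = name.substring(1, name.length() - 1);   // strip the "L" and ";"
            } else if (!name.equals(desc.getName())) {
                return super.resolveClass(desc);               // array of primitives
            }
            // Assumption of this example: exact package match, sub-packages are not implied.
            if (!trustedPackages.contains(packageOf(name))) {
                throw new InvalidClassException(name, "package is not on the configured allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static String packageOf(String className) {
        int dot = className.lastIndexOf('.');
        return dot < 0 ? "" : className.substring(0, dot);  // "" is the default package
    }

    /** Hardened: the allow-list comes only from the receiver's own configuration. */
    static Object readWithConfiguredList(Message m, Set<String> configured) throws Exception {
        try (ObjectInputStream in =
                 new AllowListObjectInputStream(new ByteArrayInputStream(m.body), configured)) {
            return in.readObject();
        }
    }

    /** Flawed: the sender's header widens the allow-list, so the sender approves its own class. */
    static Object readTrustingHeader(Message m, Set<String> configured) throws Exception {
        Set<String> widened = new HashSet<>(configured);
        widened.add(packageOf(m.headers.get("JMSType")));
        return readWithConfiguredList(m, widened);
    }

    public static void main(String[] args) throws Exception {
        Set<String> configured = new HashSet<>(Arrays.asList("java.lang", "java.util"));

        Message listed = new Message(new ArrayList<String>(Arrays.asList("a", "b")), "java.util.ArrayList");
        // The demo classes live in the default package, so the header names a class outside the list.
        Message unlisted = new Message(new UnlistedPayload(), UnlistedPayload.class.getName());

        System.out.println("configured list, ArrayList body: " + readWithConfiguredList(listed, configured));
        try {
            readWithConfiguredList(unlisted, configured);
            System.out.println("configured list, unlisted body: accepted");
        } catch (InvalidClassException e) {
            System.out.println("configured list, unlisted body: rejected (" + e.getMessage() + ")");
        }
        Object o = readTrustingHeader(unlisted, configured);
        System.out.println("header-derived list, unlisted body: accepted " + o.getClass().getName());
    }
}
```

With the configured list the unlisted class is refused before it is loaded; once the header feeds the list, the same body passes the check unchanged.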


Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Claus Ibsen <cl...@gmail.com>.
Also if the java class name is in a JMS header (I think there is a
standard for that, JMSType is it not?) maybe the client/server can use
that out of the box to know at least packages from that class are okay
to use.


On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <cl...@gmail.com> wrote:
> Hi
>
> Thanks.
>
> Yeah this must be easier from client pov. Having to set a JVM system
> property is sometimes hard for people, eg they deploy to an existing
> running app server which they cannot restart.
>
> And then they need to add some code hack to set the system property
> from their java app before AMQ bootstrap.
>
> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> way for clients, and a speedy release so users can upgrade more
> easily.
>
>
>
> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <de...@nighttale.net> wrote:
>> Hi Claus,
>>
>> here’s the test fix for the current implementation
>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>>
>> The thing is that the same security issues can occur in the client
>> applications, when folks call getObject() method, so I think it’s the right
>> approach for people to white-list only the packages they trust.
>>
>> I agree that we can improve user experience by making it easier to
>> configure all this in the client apps. I think it might be good allow easy
>> configuration on the connection factory and using connection urls. I’ll
>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
>> any more concerns and ideas on how to improve this, please let me know.
>>
>> I’ll go ahead next and create more docs around this.
>>
>>
>> Regards
>> --
>> Dejan Bosanac
>> about.me/dejanb
>>
>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <de...@nighttale.net> wrote:
>>
>>> I’ll give it a try now. Thanks!
>>>
>>> Regards
>>> --
>>> Dejan Bosanac
>>> about.me/dejanb
>>>
>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <cl...@gmail.com>
>>> wrote:
>>>
>>>> Yes a number of test fails in camel-jms, if you test with 5.13.0. You
>>>> can try yourself by changing the activemq-version in the
>>>> parent/pom.xml.
>>>>
>>>>
>>>>
>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <de...@nighttale.net>
>>>> wrote:
>>>> > Hi Claus,
>>>> >
>>>> > restrictions were necessary for the CVE that was reported. We’re about
>>>> to
>>>> > disclose it fully now after the release.
>>>> >
>>>> > AFAIK the change should not affect ObjectMessages in general, just the
>>>> > cases where those objects are serialized/unserialized inside of the
>>>> broker,
>>>> > like web console or stomp transformations. I’ll create a proper docs for
>>>> > the change now and the security aspect of it and we can see later what
>>>> else
>>>> > we can do to improve the user experience.
>>>> >
>>>> > Are there any Camel related tests that fails due to this change? I can
>>>> take
>>>> > a look at that as well.
>>>> >
>>>> >
>>>> > Regards
>>>> > --
>>>> > Dejan Bosanac
>>>> > about.me/dejanb
>>>> >
>>>> > On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <cl...@gmail.com>
>>>> wrote:
>>>> >
>>>> >> I really think you guys should add something about those object
>>>> >> serialization restrictions. Any end users that uses java objects over
>>>> >> JMS is affected. Nothing works anymore.
>>>> >>
>>>> >> Its because of
>>>> >> https://issues.apache.org/jira/browse/AMQ-6013
>>>> >>
>>>> >> So there should be some text in the release notes, and ideally AMQ
>>>> >> broker / client should have some kind of INFO logging that openwire
>>>> >> with objects is restricted or not. Otherwise its even harder for end
>>>> >> users to spot what is going on.
>>>> >>
>>>> >>
>>>> >>
>>>> >> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com>
>>>> wrote:
>>>> >> > It's probably a good idea to add a new page in the "New Features"
>>>> section
>>>> >> > on the site to cover the additions in 5.13.0.  I know you added the
>>>> >> 'auto'
>>>> >> > transport along with some other work for some additional metrics
>>>> etc, all
>>>> >> > good things that would be nice to advertise a bit.
>>>> >> >
>>>> >> > See: http://activemq.apache.org/new-features.html
>>>> >> >
>>>> >> > On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
>>>> >> > christopher.l.shannon@gmail.com> wrote:
>>>> >> >
>>>> >> >> Hi everyone,
>>>> >> >>
>>>> >> >> Apache ActiveMQ 5.13.0 has now been released.
>>>> >> >>
>>>> >> >> This release contains a number of resolved issues and new features
>>>> since
>>>> >> >> the 5.12.1 release.
>>>> >> >>
>>>> >> >> A list of issues resolved in this release is available here:
>>>> >> >>
>>>> >> >>
>>>> >>
>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>>> >> >>
>>>> >> >> The Wiki page for the release is here:
>>>> >> >> http://activemq.apache.org/activemq-5130-release.html
>>>> >> >>
>>>> >> >> API documentation for 5.12.1 is located here:
>>>> >> >> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>>> >> >>
>>>> >> >
>>>> >> >
>>>> >> >
>>>> >> > --
>>>> >> > --
>>>> >> > Tim Bish
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Claus Ibsen
>>>> >> -----------------
>>>> >> http://davsclaus.com @davsclaus
>>>> >> Camel in Action 2: https://www.manning.com/ibsen2
>>>> >>
>>>>
>>>>
>>>>
>>>> --
>>>> Claus Ibsen
>>>> -----------------
>>>> http://davsclaus.com @davsclaus
>>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>>
>>>
>>>
>
>
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

Thanks.

Yeah this must be easier from client pov. Having to set a JVM system
property is sometimes hard for people, eg they deploy to an existing
running app server which they cannot restart.

And then they need to add some code hack to set the system property
from their java app before AMQ bootstrap.

Looking forward to a 5.13.1 release. Hopefully with a nice and easy
way for clients, and a speedy release so users can upgrade more
easily.



On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <de...@nighttale.net> wrote:
> Hi Claus,
>
> here’s the test fix for the current implementation
> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>
> The thing is that the same security issues can occur in the client
> applications, when folks call getObject() method, so I think it’s the right
> approach for people to white-list only the packages they trust.
>
> I agree that we can improve user experience by making it easier to
> configure all this in the client apps. I think it might be good allow easy
> configuration on the connection factory and using connection urls. I’ll
> raise a new Jira for that and we can deliver this in 5.13.1. If you have
> any more concerns and ideas on how to improve this, please let me know.
>
> I’ll go ahead next and create more docs around this.
>
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <de...@nighttale.net> wrote:
>
>> I’ll give it a try now. Thanks!
>>
>> Regards
>> --
>> Dejan Bosanac
>> about.me/dejanb
>>
>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <cl...@gmail.com>
>> wrote:
>>
>>> Yes a number of test fails in camel-jms, if you test with 5.13.0. You
>>> can try yourself by changing the activemq-version in the
>>> parent/pom.xml.
>>>
>>>
>>>
>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <de...@nighttale.net>
>>> wrote:
>>> > Hi Claus,
>>> >
>>> > restrictions were necessary for the CVE that was reported. We’re about
>>> to
>>> > disclose it fully now after the release.
>>> >
>>> > AFAIK the change should not affect ObjectMessages in general, just the
>>> > cases where those objects are serialized/unserialized inside of the
>>> broker,
>>> > like web console or stomp transformations. I’ll create a proper docs for
>>> > the change now and the security aspect of it and we can see later what
>>> else
>>> > we can do to improve the user experience.
>>> >
>>> > Are there any Camel related tests that fails due to this change? I can
>>> take
>>> > a look at that as well.
>>> >
>>> >
>>> > Regards
>>> > --
>>> > Dejan Bosanac
>>> > about.me/dejanb
>>> >
>>> > On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <cl...@gmail.com>
>>> wrote:
>>> >
>>> >> I really think you guys should add something about those object
>>> >> serialization restrictions. Any end users that uses java objects over
>>> >> JMS is affected. Nothing works anymore.
>>> >>
>>> >> Its because of
>>> >> https://issues.apache.org/jira/browse/AMQ-6013
>>> >>
>>> >> So there should be some text in the release notes, and ideally AMQ
>>> >> broker / client should have some kind of INFO logging that openwire
>>> >> with objects is restricted or not. Otherwise its even harder for end
>>> >> users to spot what is going on.
>>> >>
>>> >>
>>> >>
>>> >> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com>
>>> wrote:
>>> >> > It's probably a good idea to add a new page in the "New Features"
>>> section
>>> >> > on the site to cover the additions in 5.13.0.  I know you added the
>>> >> 'auto'
>>> >> > transport along with some other work for some additional metrics
>>> etc, all
>>> >> > good things that would be nice to advertise a bit.
>>> >> >
>>> >> > See: http://activemq.apache.org/new-features.html
>>> >> >
>>> >> > On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
>>> >> > christopher.l.shannon@gmail.com> wrote:
>>> >> >
>>> >> >> Hi everyone,
>>> >> >>
>>> >> >> Apache ActiveMQ 5.13.0 has now been released.
>>> >> >>
>>> >> >> This release contains a number of resolved issues and new features
>>> since
>>> >> >> the 5.12.1 release.
>>> >> >>
>>> >> >> A list of issues resolved in this release is available here:
>>> >> >>
>>> >> >>
>>> >>
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>> >> >>
>>> >> >> The Wiki page for the release is here:
>>> >> >> http://activemq.apache.org/activemq-5130-release.html
>>> >> >>
>>> >> >> API documentation for 5.12.1 is located here:
>>> >> >> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>> >> >>
>>> >> >
>>> >> >
>>> >> >
>>> >> > --
>>> >> > --
>>> >> > Tim Bish
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Claus Ibsen
>>> >> -----------------
>>> >> http://davsclaus.com @davsclaus
>>> >> Camel in Action 2: https://www.manning.com/ibsen2
>>> >>
>>>
>>>
>>>
>>> --
>>> Claus Ibsen
>>> -----------------
>>> http://davsclaus.com @davsclaus
>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>
>>
>>



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Claus,

here’s the test fix for the current implementation
https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc

The thing is that the same security issues can occur in the client
applications, when folks call the getObject() method, so I think it’s the right
approach for people to white-list only the packages they trust.

I agree that we can improve user experience by making it easier to
configure all this in the client apps. I think it might be good to allow easy
configuration on the connection factory and using connection urls. I’ll
raise a new Jira for that and we can deliver this in 5.13.1. If you have
any more concerns and ideas on how to improve this, please let me know.

I’ll go ahead next and create more docs around this.


Regards
--
Dejan Bosanac
about.me/dejanb

On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <de...@nighttale.net> wrote:

> I’ll give it a try now. Thanks!
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <cl...@gmail.com>
> wrote:
>
>> Yes a number of test fails in camel-jms, if you test with 5.13.0. You
>> can try yourself by changing the activemq-version in the
>> parent/pom.xml.
>>
>>
>>
>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <de...@nighttale.net>
>> wrote:
>> > Hi Claus,
>> >
>> > restrictions were necessary for the CVE that was reported. We’re about
>> to
>> > disclose it fully now after the release.
>> >
>> > AFAIK the change should not affect ObjectMessages in general, just the
>> > cases where those objects are serialized/unserialized inside of the
>> broker,
>> > like web console or stomp transformations. I’ll create a proper docs for
>> > the change now and the security aspect of it and we can see later what
>> else
>> > we can do to improve the user experience.
>> >
>> > Are there any Camel related tests that fails due to this change? I can
>> take
>> > a look at that as well.
>> >
>> >
>> > Regards
>> > --
>> > Dejan Bosanac
>> > about.me/dejanb
>> >
>> > On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <cl...@gmail.com>
>> wrote:
>> >
>> >> I really think you guys should add something about those object
>> >> serialization restrictions. Any end users that uses java objects over
>> >> JMS is affected. Nothing works anymore.
>> >>
>> >> Its because of
>> >> https://issues.apache.org/jira/browse/AMQ-6013
>> >>
>> >> So there should be some text in the release notes, and ideally AMQ
>> >> broker / client should have some kind of INFO logging that openwire
>> >> with objects is restricted or not. Otherwise its even harder for end
>> >> users to spot what is going on.
>> >>
>> >>
>> >>
>> >> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com>
>> wrote:
>> >> > It's probably a good idea to add a new page in the "New Features"
>> section
>> >> > on the site to cover the additions in 5.13.0.  I know you added the
>> >> 'auto'
>> >> > transport along with some other work for some additional metrics
>> etc, all
>> >> > good things that would be nice to advertise a bit.
>> >> >
>> >> > See: http://activemq.apache.org/new-features.html
>> >> >
>> >> > On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
>> >> > christopher.l.shannon@gmail.com> wrote:
>> >> >
>> >> >> Hi everyone,
>> >> >>
>> >> >> Apache ActiveMQ 5.13.0 has now been released.
>> >> >>
>> >> >> This release contains a number of resolved issues and new features
>> since
>> >> >> the 5.12.1 release.
>> >> >>
>> >> >> A list of issues resolved in this release is available here:
>> >> >>
>> >> >>
>> >>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>> >> >>
>> >> >> The Wiki page for the release is here:
>> >> >> http://activemq.apache.org/activemq-5130-release.html
>> >> >>
>> >> >> API documentation for 5.12.1 is located here:
>> >> >> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > --
>> >> > Tim Bish
>> >>
>> >>
>> >>
>> >> --
>> >> Claus Ibsen
>> >> -----------------
>> >> http://davsclaus.com @davsclaus
>> >> Camel in Action 2: https://www.manning.com/ibsen2
>> >>
>>
>>
>>
>> --
>> Claus Ibsen
>> -----------------
>> http://davsclaus.com @davsclaus
>> Camel in Action 2: https://www.manning.com/ibsen2
>>
>
>

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Dejan Bosanac <de...@nighttale.net>.
I’ll give it a try now. Thanks!

Regards
--
Dejan Bosanac
about.me/dejanb

On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <cl...@gmail.com> wrote:

> Yes a number of test fails in camel-jms, if you test with 5.13.0. You
> can try yourself by changing the activemq-version in the
> parent/pom.xml.
>
>
>
> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <de...@nighttale.net>
> wrote:
> > Hi Claus,
> >
> > restrictions were necessary for the CVE that was reported. We’re about to
> > disclose it fully now after the release.
> >
> > AFAIK the change should not affect ObjectMessages in general, just the
> > cases where those objects are serialized/unserialized inside of the
> broker,
> > like web console or stomp transformations. I’ll create proper docs for
> > the change now and the security aspect of it and we can see later what
> else
> > we can do to improve the user experience.
> >
> > Are there any Camel-related tests that fail due to this change? I can
> take
> > a look at that as well.
> >
> >
> > Regards
> > --
> > Dejan Bosanac
> > about.me/dejanb
> >
> > On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <cl...@gmail.com>
> wrote:
> >
> >> I really think you guys should add something about those object
> >> serialization restrictions. Any end users that use Java objects over
> >> JMS are affected. Nothing works anymore.
> >>
> >> It's because of
> >> https://issues.apache.org/jira/browse/AMQ-6013
> >>
> >> So there should be some text in the release notes, and ideally AMQ
> >> broker / client should have some kind of INFO logging that openwire
> >> with objects is restricted or not. Otherwise it's even harder for end
> >> users to spot what is going on.
> >>
> >>
> >>
> >> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com>
> wrote:
> >> > It's probably a good idea to add a new page in the "New Features"
> section
> >> > on the site to cover the additions in 5.13.0.  I know you added the
> >> 'auto'
> >> > transport along with some other work for some additional metrics etc,
> all
> >> > good things that would be nice to advertise a bit.
> >> >
> >> > See: http://activemq.apache.org/new-features.html
> >> >
> >> > On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
> >> > christopher.l.shannon@gmail.com> wrote:
> >> >
> >> >> Hi everyone,
> >> >>
> >> >> Apache ActiveMQ 5.13.0 has now been released.
> >> >>
> >> >> This release contains a number of resolved issues and new features
> since
> >> >> the 5.12.1 release.
> >> >>
> >> >> A list of issues resolved in this release is available here:
> >> >>
> >> >>
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> >> >>
> >> >> The Wiki page for the release is here:
> >> >> http://activemq.apache.org/activemq-5130-release.html
> >> >>
> >> >> API documentation for 5.12.1 is located here:
> >> >> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > --
> >> > Tim Bish
> >>
> >>
> >>
> >> --
> >> Claus Ibsen
> >> -----------------
> >> http://davsclaus.com @davsclaus
> >> Camel in Action 2: https://www.manning.com/ibsen2
> >>
>
>
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2
>

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Claus Ibsen <cl...@gmail.com>.
Yes, a number of tests fail in camel-jms if you test with 5.13.0. You
can try yourself by changing the activemq-version in the
parent/pom.xml.



On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <de...@nighttale.net> wrote:
> Hi Claus,
>
> restrictions were necessary for the CVE that was reported. We’re about to
> disclose it fully now after the release.
>
> AFAIK the change should not affect ObjectMessages in general, just the
> cases where those objects are serialized/unserialized inside of the broker,
> like web console or stomp transformations. I’ll create proper docs for
> the change now and the security aspect of it and we can see later what else
> we can do to improve the user experience.
>
> Are there any Camel-related tests that fail due to this change? I can take
> a look at that as well.
>
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <cl...@gmail.com> wrote:
>
>> I really think you guys should add something about those object
>> serialization restrictions. Any end users that use Java objects over
>> JMS are affected. Nothing works anymore.
>>
>> It's because of
>> https://issues.apache.org/jira/browse/AMQ-6013
>>
>> So there should be some text in the release notes, and ideally AMQ
>> broker / client should have some kind of INFO logging that openwire
>> with objects is restricted or not. Otherwise it's even harder for end
>> users to spot what is going on.
>>
>>
>>
>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com> wrote:
>> > It's probably a good idea to add a new page in the "New Features" section
>> > on the site to cover the additions in 5.13.0.  I know you added the
>> 'auto'
>> > transport along with some other work for some additional metrics etc, all
>> > good things that would be nice to advertise a bit.
>> >
>> > See: http://activemq.apache.org/new-features.html
>> >
>> > On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
>> > christopher.l.shannon@gmail.com> wrote:
>> >
>> >> Hi everyone,
>> >>
>> >> Apache ActiveMQ 5.13.0 has now been released.
>> >>
>> >> This release contains a number of resolved issues and new features since
>> >> the 5.12.1 release.
>> >>
>> >> A list of issues resolved in this release is available here:
>> >>
>> >>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>> >>
>> >> The Wiki page for the release is here:
>> >> http://activemq.apache.org/activemq-5130-release.html
>> >>
>> >> API documentation for 5.12.1 is located here:
>> >> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>> >>
>> >
>> >
>> >
>> > --
>> > --
>> > Tim Bish
>>
>>
>>
>> --
>> Claus Ibsen
>> -----------------
>> http://davsclaus.com @davsclaus
>> Camel in Action 2: https://www.manning.com/ibsen2
>>



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Claus,

restrictions were necessary for the CVE that was reported. We’re about to
disclose it fully now after the release.

AFAIK the change should not affect ObjectMessages in general, just the
cases where those objects are serialized/unserialized inside of the broker,
like web console or stomp transformations. I’ll create proper docs for
the change now and the security aspect of it and we can see later what else
we can do to improve the user experience.

Are there any Camel-related tests that fail due to this change? I can take
a look at that as well.


Regards
--
Dejan Bosanac
about.me/dejanb

On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <cl...@gmail.com> wrote:

> I really think you guys should add something about those object
> serialization restrictions. Any end users that use Java objects over
> JMS are affected. Nothing works anymore.
>
> It's because of
> https://issues.apache.org/jira/browse/AMQ-6013
>
> So there should be some text in the release notes, and ideally AMQ
> broker / client should have some kind of INFO logging that openwire
> with objects is restricted or not. Otherwise it's even harder for end
> users to spot what is going on.
>
>
>
> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com> wrote:
> > It's probably a good idea to add a new page in the "New Features" section
> > on the site to cover the additions in 5.13.0.  I know you added the
> 'auto'
> > transport along with some other work for some additional metrics etc, all
> > good things that would be nice to advertise a bit.
> >
> > See: http://activemq.apache.org/new-features.html
> >
> > On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
> > christopher.l.shannon@gmail.com> wrote:
> >
> >> Hi everyone,
> >>
> >> Apache ActiveMQ 5.13.0 has now been released.
> >>
> >> This release contains a number of resolved issues and new features since
> >> the 5.12.1 release.
> >>
> >> A list of issues resolved in this release is available here:
> >>
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> >>
> >> The Wiki page for the release is here:
> >> http://activemq.apache.org/activemq-5130-release.html
> >>
> >> API documentation for 5.12.1 is located here:
> >> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> >>
> >
> >
> >
> > --
> > --
> > Tim Bish
>
>
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2
>

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Claus Ibsen <cl...@gmail.com>.
I really think you guys should add something about those object
serialization restrictions. Any end users that use Java objects over
JMS are affected. Nothing works anymore.

It's because of
https://issues.apache.org/jira/browse/AMQ-6013

So there should be some text in the release notes, and ideally AMQ
broker / client should have some kind of INFO logging that openwire
with objects is restricted or not. Otherwise it's even harder for end
users to spot what is going on.



On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <ta...@gmail.com> wrote:
> It's probably a good idea to add a new page in the "New Features" section
> on the site to cover the additions in 5.13.0.  I know you added the 'auto'
> transport along with some other work for some additional metrics etc, all
> good things that would be nice to advertise a bit.
>
> See: http://activemq.apache.org/new-features.html
>
> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
> christopher.l.shannon@gmail.com> wrote:
>
>> Hi everyone,
>>
>> Apache ActiveMQ 5.13.0 has now been released.
>>
>> This release contains a number of resolved issues and new features since
>> the 5.12.1 release.
>>
>> A list of issues resolved in this release is available here:
>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>
>> The Wiki page for the release is here:
>> http://activemq.apache.org/activemq-5130-release.html
>>
>> API documentation for 5.12.1 is located here:
>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>
>
>
>
> --
> --
> Tim Bish



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Christopher Shannon <ch...@gmail.com>.
Good catch, I will update that today.

On Fri, Dec 4, 2015 at 9:57 AM, Timothy Bish <ta...@gmail.com> wrote:

> It's probably a good idea to add a new page in the "New Features" section
> on the site to cover the additions in 5.13.0.  I know you added the 'auto'
> transport along with some other work for some additional metrics etc, all
> good things that would be nice to advertise a bit.
>
> See: http://activemq.apache.org/new-features.html
>
> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
> christopher.l.shannon@gmail.com> wrote:
>
> > Hi everyone,
> >
> > Apache ActiveMQ 5.13.0 has now been released.
> >
> > This release contains a number of resolved issues and new features since
> > the 5.12.1 release.
> >
> > A list of issues resolved in this release is available here:
> >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> >
> > The Wiki page for the release is here:
> > http://activemq.apache.org/activemq-5130-release.html
> >
> > API documentation for 5.12.1 is located here:
> > http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> >
>
>
>
> --
> --
> Tim Bish
>

Re: [ANNOUNCE] Apache ActiveMQ 5.13.0 Released

Posted by Timothy Bish <ta...@gmail.com>.
It's probably a good idea to add a new page in the "New Features" section
on the site to cover the additions in 5.13.0.  I know you added the 'auto'
transport along with some other work for some additional metrics etc, all
good things that would be nice to advertise a bit.

See: http://activemq.apache.org/new-features.html

On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <
christopher.l.shannon@gmail.com> wrote:

> Hi everyone,
>
> Apache ActiveMQ 5.13.0 has now been released.
>
> This release contains a number of resolved issues and new features since
> the 5.12.1 release.
>
> A list of issues resolved in this release is available here:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>
> The Wiki page for the release is here:
> http://activemq.apache.org/activemq-5130-release.html
>
> API documentation for 5.12.1 is located here:
> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>



-- 
--
Tim Bish