Posted to dev@activemq.apache.org by Havret <ha...@apache.org> on 2023/02/26 11:09:15 UTC

[VOTE] Release activemq-nms-openwire 2.1.0-rc1

Hi all,

I have put together another release of activemq-nms-openwire. Please review
it and vote accordingly.

This release includes an important new feature that allows users to specify
an allow/deny list of types for binary serialization. This can help prevent
potential security vulnerabilities.

The feature is implemented in the same way as in qpid-jms, using a
deserialization policy that controls which types can be trusted for
deserialization from an incoming NMS IObjectMessage containing serialized
.NET Object content. By default, all types are trusted during
deserialization. However, the default Deserialization Policy object
provides URI options for specifying an allow list and a deny list of .NET
classes or namespaces.

The following options are available:

- nms.deserializationPolicy.allowList: A comma-separated list of
classes/namespaces that are allowed during deserialization, unless they are
overridden by the deny list. Names in this list are not pattern values; the
exact class or namespace name must be configured (e.g.
"System.Collections.Queue" or "System.Collections"). Namespace matches
include sub-namespaces. The default is to allow all.
- nms.deserializationPolicy.denyList: A comma-separated list of
classes/namespaces that are rejected during deserialization. Names in this
list are not pattern values; the exact class or namespace name must be
configured (e.g. "System.Collections.Queue" or "System.Collections").
Namespace matches include sub-namespaces. The default is to reject none.

This release contains the following change:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935

The files can be grabbed from:
https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/

Regards,
Chris

Here's my +1 (binding)
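
The matching rules in the announcement above (deny overrides allow, exact class or namespace names, sub-namespaces included, allow-all by default), modelled as an added example; this is not code from activemq-nms-openwire or from the original post. The broker host, the `MyApp.*` and `System.CollectionsExtra` names are constructed, and the strict `.` boundary is this example's reading of "not pattern values".

```python
from urllib.parse import urlsplit, parse_qs

ALLOW_KEY = "nms.deserializationPolicy.allowList"
DENY_KEY = "nms.deserializationPolicy.denyList"

# Constructed broker URIs; host, port and the MyApp.* names are made up.
DEFAULT_URI = "activemq:tcp://broker.example:61616"
RESTRICTED_URI = (
    DEFAULT_URI
    + "?" + ALLOW_KEY + "=MyApp.Messages,System.Collections"
    + "&" + DENY_KEY + "=System.Collections.Queue,MyApp.Messages.Internal"
)


def parse_policy(broker_uri):
    """Return (allow, deny) name lists taken from the URI options."""
    query = parse_qs(urlsplit(broker_uri).query)

    def names(key):
        raw = ",".join(query.get(key, []))
        return [n.strip() for n in raw.split(",") if n.strip()]

    return names(ALLOW_KEY), names(DENY_KEY)


def matches(type_name, entry):
    """Exact class name, or a namespace including its sub-namespaces."""
    # Requiring the '.' boundary keeps "System.Collections" from matching
    # "System.CollectionsExtra.Thing": entries are names, not patterns.
    return type_name == entry or type_name.startswith(entry + ".")


def is_trusted(type_name, allow, deny):
    if any(matches(type_name, d) for d in deny):
        return False  # the deny list overrides the allow list
    # An empty allow list is the default and trusts every type.
    return not allow or any(matches(type_name, a) for a in allow)


def evaluate(broker_uri, type_names):
    allow, deny = parse_policy(broker_uri)
    return {t: is_trusted(t, allow, deny) for t in type_names}


if __name__ == "__main__":
    sample = [
        "MyApp.Messages.V2.OrderShipped",
        "MyApp.Messages.Internal.Debug",
        "System.Collections.Queue",
        "System.CollectionsExtra.Thing",
        "System.Diagnostics.Process",
    ]
    for uri in (DEFAULT_URI, RESTRICTED_URI):
        print(uri, evaluate(uri, sample))
```

With `DEFAULT_URI` every sample type is trusted, which is the default the announcement describes; an application that consumes IObjectMessage narrows this by setting an allow list for its own message namespace.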

Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

Posted by W B D <wb...@users.sourceforge.net>.
+1 (non-binding)

Updated an existing application to use the release candidate and deployed
to a test environment. No regressions were noted. However, it does not use
IObjectMessage.

Also, built the project from the source archive on dist.apache.org.
However, I needed to add a reference to Apache.NMS.Test 1.8.0 to get the
test project to build. Also, I wasn't actually able to run most of the
tests, due to limitations of my environment (no local SQL Server).

The solution also contains a doc project, which was missing from the source
archive - perhaps this is intentional? I see it was the same for 2.0.1.

Regards,
Bruce Dodson


Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

Posted by jg...@apache.org.
Yeah it actually should be on both.  private@ is where the vote actually counts.  dev@ is for keeping it public.

Jeff

> On Feb 27, 2023, at 8:10 AM, Bruce Snyder <br...@gmail.com> wrote:
> 
> Whoops, now I see it's on both. My mistake.
> 
> Bruce
> 
> On Mon, Feb 27, 2023 at 8:09 AM Bruce Snyder <br...@gmail.com> wrote:
> 
>> This vote should be moved to the dev@ list.
>> 
>> Bruce
>> 


Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

Posted by Bruce Snyder <br...@gmail.com>.
Whoops, now I see it's on both. My mistake.

Bruce

On Mon, Feb 27, 2023 at 8:09 AM Bruce Snyder <br...@gmail.com> wrote:

> This vote should be moved to the dev@ list.
>
> Bruce
>


-- 
perl -e 'print
unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*" );'
http://bsnyder.org/ <http://bruceblog.org/>

Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

Posted by Bruce Snyder <br...@gmail.com>.
This vote should be moved to the dev@ list.

Bruce



-- 
perl -e 'print
unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*" );'
http://bsnyder.org/ <http://bruceblog.org/>

Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

Posted by Michael André Pearce <mi...@apache.org>.
Thanks Chris, much needed feature!

+1 (binding) 


Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

Posted by Havret <ha...@apache.org>.
Results of the activemq-nms-openwire 2.1.0-rc1 release vote.

The vote passes with 5 Binding Votes

Binding Votes:
Jeff Genender
Clebert Suconic
Chris Porebski
Arthur Naseef
Michael André Pearce

Non-Binding Votes:
Bruce Dodson

Thank you for all the contributions and everyone's time reviewing the
release candidate and voting.

I will proceed with publishing the release now.

Chris

On Tue, Mar 7, 2023 at 2:47 AM Clebert Suconic <cl...@gmail.com> wrote:

> Is this still open? +1
>
> On Mon, Mar 6, 2023 at 5:22 PM Arthur Naseef <ar...@amlinv.com> wrote:
>
> > +1
> >
> > I downloaded the sources and built on Windows 10.  Also reviewed the commit
> > that adds the deny and allow lists.
> >
> > Art
> >
> >
> > On Wed, Mar 1, 2023 at 8:12 AM <jg...@apache.org> wrote:
> >
> > > +1
> > >
> > > Jeff
> > >
> > >
> > > > On Mar 1, 2023, at 4:02 AM, Michael André Pearce <michaelpearce@apache.org> wrote:
> > > >
> > > > Thanks Chris, much needed feature!
> > > >
> > > > +1 (binding)
> > > >
> --
> Clebert Suconic
>