Re: [VOTE] Apache ActiveMQ Artemis 2.6.0
On upgrading to 2.5.0 we have found quite a blocking issue to 2.5.0 for anyone who secures durable queue creation so clients cannot create, but doesn’t secure non-durable.
In summary prior to 2.5.0 the security check incorrectly always checked for security rights for non-durable, even if the queue was a durable, this was security hole was fixed in 2.5.0, but a knock on effect is it has highlighted/exposed some logic issues in the CoreClient and also in AMQP and OpenWire protocol managers, where in some cases a queue is not check for being present before calling create queue, meaning if user is not allowed to create a queue, but is allowed to consume, and the queue exists, the client still cannot consume, as the code tries to create and throws exception.
We have created a test case that re-creates the issues, and also a possible solution its in PR here.
Whilst it is not technically caused by any changes in the just created RC for 2.6.0 since 2.5.0, i think the severity/impact of this may deem it worthy to fix, and re-spin.
> On 17 May 2018, at 20:02, Christopher Shannon <christopher.l.shannon@xxxxxxxxx> wrote:
> On Thu, May 17, 2018 at 2:51 PM, Timothy Bish <tabish121@xxxxxxxxx> wrote:
>> On 05/16/2018 10:49 PM, Clebert Suconic wrote:
>>> I would like to propose an Apache ActiveMQ Artemis 2.6.0 release.
>>> The release notes can be found here:
>>> There is a new commits report I made that I'm introducing on this release:
>>> Source and binary distributions can be found here:
>>> The Maven repository is here:
>>> In case you want to give it a try with the maven repo on examples:
>>> The source tag:
>>> I will update the website after the vote has passed.
>>> [ ] +1 approve the release as Apache Artemis 2.4.0
>>> [ ] +0 no opinion
>>> [ ] -1 disapprove (and reason why)
>>> Here's my +1
>> * Validate the signatures and checksums
>> * Review license and notice files in the archives
>> * Build from source and ran some of the tests
>> * Ran binary broker and ran some samples and performance tests against it
>> * Used mvn apache-rat:check to validate license headers in place
>> Tim Bish
>> twitter: @tabish121
>> blog: http://timbish.blogspot.com/