git.net


Re: [VOTE] Apache ActiveMQ Artemis 2.6.0


Hi All,

On upgrading to 2.5.0 we have found quite a blocking issue to 2.5.0 for anyone who secures durable queue creation so clients cannot create, but doesn’t secure non-durable.

https://issues.apache.org/jira/browse/ARTEMIS-1872

In summary, prior to 2.5.0 the security check incorrectly always checked for security rights for non-durable, even if the queue was durable. This security hole was fixed in 2.5.0, but a knock-on effect is that it has highlighted/exposed some logic issues in the CoreClient and also in the AMQP and OpenWire protocol managers, where in some cases a queue is not checked for being present before calling create queue, meaning that if a user is not allowed to create a queue, but is allowed to consume, and the queue exists, the client still cannot consume, as the code tries to create and throws an exception.

We have created a test case that re-creates the issues, and also a possible solution; it's in the PR here.

https://github.com/apache/activemq-artemis/pull/2093

Whilst it is not technically caused by any changes in the just-created RC for 2.6.0 since 2.5.0, I think the severity/impact of this may deem it worthy to fix, and re-spin.

Cheers
Mike

> On 17 May 2018, at 20:02, Christopher Shannon <christopher.l.shannon@xxxxxxxxx> wrote:
> 
> +1
> 
> On Thu, May 17, 2018 at 2:51 PM, Timothy Bish <tabish121@xxxxxxxxx> wrote:
> 
>> On 05/16/2018 10:49 PM, Clebert Suconic wrote:
>> 
>>> I would like to propose an Apache ActiveMQ Artemis 2.6.0 release.
>>> 
>>> The release notes can be found here:
>>> 
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12342903&&projectId=12315920
>>> 
>>> There is a new commits report I made that I'm introducing on this release:
>>> https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/2.6.0/artemis-2.6.0.html
>>> 
>>> Source and binary distributions can be found here:
>>> https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/2.6.0
>>> 
>>> The Maven repository is here:
>>> https://repository.apache.org/content/repositories/orgapacheactivemq-1157
>>> 
>>> In case you want to give it a try with the maven repo on examples:
>>> http://activemq.apache.org/artemis/docs/latest/hacking-guide/validating-releases.html
>>> 
>>> The source tag:
>>> https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;a=tag;h=refs/tags/2.6.0
>>> 
>>> I will update the website after the vote has passed.
>>> 
>>> 
>>> [ ] +1 approve the release as Apache Artemis 2.4.0
>>> [ ] +0 no opinion
>>> [ ] -1 disapprove (and reason why)
>>> 
>>> 
>>> Here's my +1
>>> .
>>> 
>>> 
>> +1
>> 
>> * Validate the signatures and checksums
>> * Review license and notice files in the archives
>> * Build from source and ran some of the tests
>> * Ran binary broker and ran some samples and performance tests against it
>> * Used mvn apache-rat:check to validate license headers in place
>> 
>> 
>> --
>> Tim Bish
>> twitter: @tabish121
>> blog: http://timbish.blogspot.com/
>> 
>> 
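
An added illustration, not part of the original message and not Artemis code: a simplified Python model of the behaviour summarised in the message above, showing the pre-2.5.0 permission check, the corrected check, and why a client that always calls create before consuming is denied on an existing queue while a client that checks for the queue first is not. The class and function names are hypothetical, the grants are constructed, and the permission names are assumed to correspond to the broker's role permission types.

```python
# Simplified model of the behaviour described in the message above.
# Constructed for illustration; this is not Artemis code.
class SecurityError(Exception):
    pass

class Broker:
    def __init__(self, grants, fixed_check):
        self.grants = grants            # user -> set of permission names
        self.fixed_check = fixed_check  # False models the pre-2.5.0 check
        self.queues = {}                # queue name -> durable flag

    def _require(self, user, perm):
        if perm not in self.grants.get(user, set()):
            raise SecurityError(f"{user} lacks {perm}")

    def queue_exists(self, name):
        return name in self.queues

    def create_queue(self, user, name, durable):
        # Pre-2.5.0 model: the durable flag is ignored, non-durable right is checked.
        durable_right = durable and self.fixed_check
        self._require(user, "createDurableQueue" if durable_right
                      else "createNonDurableQueue")
        self.queues.setdefault(name, durable)

    def consume(self, user, name):
        self._require(user, "consume")
        if name not in self.queues:
            raise LookupError(f"no such queue: {name}")
        return f"{user} consuming {name}"

def subscribe_create_first(broker, user, name):
    """Client logic that always calls create before consuming."""
    broker.create_queue(user, name, durable=True)
    return broker.consume(user, name)

def subscribe_check_first(broker, user, name):
    """Client logic that creates only when the queue is absent."""
    if not broker.queue_exists(name):
        broker.create_queue(user, name, durable=True)
    return broker.consume(user, name)

# Constructed grants: only "admin" may create durable queues.
GRANTS = {"admin": {"createDurableQueue", "consume"},
          "app": {"createNonDurableQueue", "consume"}}

def attempt(fn, broker, user, name):
    try:
        return fn(broker, user, name)
    except SecurityError as exc:
        return f"denied: {exc}"
```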



