  1. JBoss A-MQ
  2. ENTMQ-1484

Implementation of AMQ-6077 in Fuse 6.2.1 is incomplete

Details

    • Bug
    • Resolution: Done
    • Major
    • JBoss A-MQ 6.3
    • JBoss A-MQ 6.2
    • broker
    • None

    Description

      Some new features to control the deserialization of object messages were implemented in ActiveMQ 5.12 and 5.13 in the wake of CVE-2015-5254. These include methods (setTrustedPackages(), etc.) on the ActiveMQConnectionFactory and a JVM property SERIALIZABLE_PACKAGES, which set out to control which Java packages can be deserialized. These changes are logged in AMQ-6077: https://issues.apache.org/jira/browse/AMQ-6077

      We note that the use of the SERIALIZABLE_PACKAGES method has been implemented in Fuse 6.2.1, but that the methods setTrustedPackages(), etc., have not.
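
      The package allow-list idea behind setTrustedPackages() and SERIALIZABLE_PACKAGES, as an added stand-alone example (not code from ActiveMQ, Fuse or this issue): a hypothetical AllowListObjectInputStream checks each class's package in resolveClass() before the object is instantiated. The class names and the sample allow-list are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

// Added illustration, not ActiveMQ or Fuse code: all names here are hypothetical.
public class TrustedPackagesDemo {

    // Rejects any class whose package is not on the allow-list, before it is instantiated.
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final List<String> trusted;

        AllowListObjectInputStream(InputStream in, List<String> trusted) throws IOException {
            super(in);
            this.trusted = trusted;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("[")) {
                name = name.replaceFirst("^\\[+", "");
                if (name.length() == 1) return super.resolveClass(desc); // primitive array, e.g. "[B"
                name = name.substring(1, name.length() - 1); // "Ljava.io.File;" -> "java.io.File"
            }
            int dot = name.lastIndexOf('.');
            String pkg = dot < 0 ? "" : name.substring(0, dot);
            for (String t : trusted) {
                // Match the package itself or a sub-package, never a mere string prefix.
                if (pkg.equals(t) || pkg.startsWith(t + ".")) return super.resolveClass(desc);
            }
            throw new InvalidClassException(name, "package not trusted for deserialization");
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object read(byte[] data, List<String> trusted) throws Exception {
        try (ObjectInputStream in =
                 new AllowListObjectInputStream(new ByteArrayInputStream(data), trusted)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> trusted = Arrays.asList("java.lang", "java.util"); // constructed allow-list
        System.out.println(read(serialize(new Date(0)), trusted));       // java.util is trusted
        try {
            read(serialize(new File("/tmp/x")), trusted);                // java.io is not listed
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      The check runs on the receiving side during stream parsing, so a client library that lacks the configuration methods cannot narrow the list per connection and depends on whatever process-wide setting is in effect.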

            People

              gtully@redhat.com Gary Tully
              rhn-support-kboone Kevin Boone
              Michal Toth Michal Toth