This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new 5026ca214 Publish Apache ActiveMQ 6.2.7 and 5.19.8 releases (#183)
5026ca214 is described below
commit 5026ca21471a3974619fd6d92aba3a179444c6d1
Author: JB Onofré <[email protected]>
AuthorDate: Mon Jun 29 20:22:06 2026 +0200
Publish Apache ActiveMQ 6.2.7 and 5.19.8 releases (#183)
* Publish Apache ActiveMQ 6.2.7 and 5.19.8 releases
* Add information about recent changes
---------
Co-authored-by: Christopher L. Shannon <[email protected]>
---
src/_classic_releases/classic-05-19-08.md | 38 ++++++++++++++++++++++
src/_classic_releases/classic-06-02-07.md | 37 +++++++++++++++++++++
.../documentation/connection-configuration-uri.md | 1 +
.../classic/documentation/objectmessage.md | 2 +-
.../documentation/per-destination-policies.md | 1 +
.../documentation/xbean-xml-reference-50.md | 6 ++++
src/components/classic/download/index.md | 8 ++---
7 files changed, 88 insertions(+), 5 deletions(-)
diff --git a/src/_classic_releases/classic-05-19-08.md
b/src/_classic_releases/classic-05-19-08.md
new file mode 100644
index 000000000..312b28100
--- /dev/null
+++ b/src/_classic_releases/classic-05-19-08.md
@@ -0,0 +1,38 @@
+---
+version: 5.19.8
+release_notes: https://github.com/apache/activemq/releases/tag/activemq-5.19.8
+release_date: 2026-06-29
+title: ActiveMQ 5.19.8 Release
+java_version: 11+
+shortDescription: Maintenance release on the 5.19.x series.
+redirect_from:
+- /../../../activemq-5019008-release
+---
+Apache Classic {{ page.version }} was released on {{ page.release_date |
date_to_string: "ordinal", "US" }}.
+
+This is a maintenance release on the 5.19.x series, including:
+- Update Stomp transports with improved validation
+- Send advisory messages using the broker connection context
+- Several security enforcement and validation fixes (https in BrokerView,
webconsole, ...)
+- Preserve ${...} placeholders when removing/modifying networkConnectors in
RuntimeConfigurationPlugin
+
+
+#### Notable updates regarding security and breaking changes:
+
+- This release introduces
[maxInflatedDataSize](../documentation/xbean-xml-reference-50) and
[maxInflatedDataSizeRatio](../documentation/connection-configuration-uri) as
possible breaking changes to be aware of.
+ maxInflatedDataSize is the maximum allowed size of an uncompressed message
body. The default on the broker is 100 MB which is in line with the default
maxFrameSize of defined in the XML config of 10 MB on a transport.
+ For the client, maxInflatedDataSize is computed as a ratio using
maxInflatedDataSizeRatio
+- By default,
[allowTempDestinationStealing](../documentation/per-destination-policies) has
now been disabled. In previous releases, connections could add consumers on any
temporary destination. Now only the connection that created the temporary
destination can consume. This may cause problems with failover or network
bridging if using temporary destinations in those scenarios. You can re-nable
the preivous behavior by setting `allowTempDestinationStealing` to true, but
this would only b [...]
+- The WebConsole is now restricted only to admin users by default. The
WebConsole uses admin credentials to perform some functions, including when
browsing destinations. Therefore, it is recommended to not grant access to
non-admin users as the WebConsole is specifically meant for admins.
+
+#### Other notable changes from the recent 5.19.7 and 5.19.8 release:
+
+- The WebConsole configuration has been hardened in including limiting allowed
hosts/ips by default. This can be changed in the jetty.xml file.
+- Jolokia has been restricted to administrators only.
+- The XBeanBrokerFactory is blocked by default when using the VM Transport. It
can be re-enabled with the
`org.apache.activemq.transport.VM_TRANSPORT_FACTORY_SCHEMES_ENABLED` system
property.
+- The `java.lang` package is no longer part of the default allowed
serializable packages list. This is configured using the
`org.apache.activemq.SERIALIZABLE_PACKAGES` system property. See
[ObjectMessage](../documentation/objectmessage) for more info.
+- The XBeanBrokerFactory is restricted to to local file system and classpath
protocols only. This can be changed using the
`org.apache.activemq.xbean.XBEAN_BROKER_FACTORY_PROTOCOLS` system property.
+
+
+You can find details on the [release notes]({{ page.release_notes }}).
+
diff --git a/src/_classic_releases/classic-06-02-07.md
b/src/_classic_releases/classic-06-02-07.md
new file mode 100644
index 000000000..e2b1ccec4
--- /dev/null
+++ b/src/_classic_releases/classic-06-02-07.md
@@ -0,0 +1,37 @@
+---
+version: 6.2.7
+release_notes: https://github.com/apache/activemq/releases/tag/activemq-6.2.7
+release_date: 2026-06-29
+title: ActiveMQ 6.2.7 Release
+java_version: 17+
+shortDescription: ActiveMQ 6.2.7 is a new milestone for the project, starting
the 6.2.x series.
+redirect_from:
+- /../../../activemq-6000207-release
+---
+Apache ActiveMQ {{ page.version }} was released on {{ page.release_date |
date_to_string: "ordinal", "US" }}.
+
+This is an important maintenance release on the 6.2.x series.
+It especially includes:
+- Update Stomp transports with improved validation
+- Send advisory messages using the broker connection context
+- Several security enforcement and validation fixes (https in BrokerView,
webconsole, ...)
+- Preserve ${...} placeholders when removing/modifying networkConnectors in
RuntimeConfigurationPlugin
+
+#### Notable updates regarding security and breaking changes:
+
+- This release introduces
[maxInflatedDataSize](../documentation/xbean-xml-reference-50) and
[maxInflatedDataSizeRatio](../documentation/connection-configuration-uri) as
possible breaking changes to be aware of.
+maxInflatedDataSize is the maximum allowed size of an uncompressed message
body. The default on the broker is 100 MB which is in line with the default
maxFrameSize of defined in the XML config of 10 MB on a transport.
+For the client, maxInflatedDataSize is computed as a ratio using
maxInflatedDataSizeRatio
+- By default,
[allowTempDestinationStealing](../documentation/per-destination-policies) has
now been disabled. In previous releases, connections could add consumers on any
temporary destination. Now only the connection that created the temporary
destination can consume. This may cause problems with failover or network
bridging if using temporary destinations in those scenarios. You can re-nable
the preivous behavior by setting `allowTempDestinationStealing` to true, but
this would only b [...]
+- The WebConsole is now restricted only to admin users by default. The
WebConsole uses admin credentials to perform some functions, including when
browsing destinations. Therefore, it is recommended to not grant access to
non-admin users as the WebConsole is specifically meant for admins.
+
+#### Other notable changes from the recent 6.2.5 and 6.2.6 release:
+
+- The WebConsole configuration has been hardened in including limiting allowed
hosts/ips by default. This can be changed in the jetty.xml file.
+- Jolokia has been restricted to administrators only.
+- The XBeanBrokerFactory is blocked by default when using the VM Transport. It
can be re-enabled with the
`org.apache.activemq.transport.VM_TRANSPORT_FACTORY_SCHEMES_ENABLED` system
property.
+- The `java.lang` package is no longer part of the default allowed
serializable packages list. This is configured using the
`org.apache.activemq.SERIALIZABLE_PACKAGES` system property. See
[ObjectMessage](../documentation/objectmessage) for more info.
+- The XBeanBrokerFactory is restricted to to local file system and classpath
protocols only. This can be changed using the
`org.apache.activemq.xbean.XBEAN_BROKER_FACTORY_PROTOCOLS` system property.
+
+You can find details on the [release notes]({{ page.release_notes }}).
+
diff --git
a/src/components/classic/documentation/connection-configuration-uri.md
b/src/components/classic/documentation/connection-configuration-uri.md
index 9ce1785b2..c4360ee37 100644
--- a/src/components/classic/documentation/connection-configuration-uri.md
+++ b/src/components/classic/documentation/connection-configuration-uri.md
@@ -49,6 +49,7 @@ Option Name|Default Value|Description
`useRetroactiveConsumer`|`false`|Sets whether or not retroactive consumers are
enabled. Retroactive consumers allow non-durable topic subscribers to receive
old messages that were published before the non-durable subscriber started.
`warnAboutUnstartedConnectionTimeout`|`500`|The timeout, in milliseconds, from
the time of connection creation to when a warning is generated if the
connection is not properly started via
[Connection.start()](http://java.sun.com/j2ee/1.4/docs/api/javax/jms/Connection.html#start())
and a message is received by a consumer. It is a very common gotcha to forget
to [start the connection and then wonder why no messages are
delivered](i-am-not-receiving-any-messages-what-is-wrong) so this optio [...]
`nonBlockingRedelivery`|`false`|Whether or not message redelivery (and any
related delays) will block the delivery of other messages. Setting to `true`
will allow messages to be delivered out of order.
+`maxInflatedDataSizeRatio`| `10.0` |Used to compute maxInflatedDataSize
if [maxFrameSize](configuring-wire-formats) is configured on the wireformat.
This ratio is used to determine the maximum allowed size of an uncompressed
message body. maxInflatedDataSize is defined as `maxFrameSize *
maxInflatedDataSizeRatio`. For example, if maxFrameSize is 10MB then by
default maxInflatedDataSize would be 100MB. (since v5.19.8 and v6.2.7)
### Nested Options
diff --git a/src/components/classic/documentation/objectmessage.md
b/src/components/classic/documentation/objectmessage.md
index 28c941a7c..d3b0980fc 100644
--- a/src/components/classic/documentation/objectmessage.md
+++ b/src/components/classic/documentation/objectmessage.md
@@ -19,7 +19,7 @@ If you need to exchange object messages, you need to add
packages your applicati
For example:
```
--Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.mycompany.myapp
+-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.mycompany.myapp
```
will add `com.mycompany.myapp` package to the list of trusted packages. Note
that other packages listed here are enabled by default as they are necessary
for the regular broker work. In case you want to shortcut this mechanism, you
can allow all packages to be trusted by using `*` wildcard, like
```
diff --git a/src/components/classic/documentation/per-destination-policies.md
b/src/components/classic/documentation/per-destination-policies.md
index d5e36df57..e8559a5b5 100644
--- a/src/components/classic/documentation/per-destination-policies.md
+++ b/src/components/classic/documentation/per-destination-policies.md
@@ -18,6 +18,7 @@ Common Property|Default|Description
`advisoryForFastProducers`|`false`|Send an advisory message if a producer is
deemed fast.
`advisoryForSlowConsumers`|`false`|Send an advisory message if a consumer is
deemed slow.
`advisoryWhenFull`|`false`|Send an advisory message when a limit (memory,
store, temp disk) is full.
+`allowTempDestinationStealing`|`false`|Allow other connections besides the
connection that created the temporary destination to create consumers on that
temporary destination. This is recommended to be `false` and should only be
enabled when it's not a concern if other connections can consume from any
temporary destination. This may need to be enabled to make certain failover
scenaiors or networking bridging use cases work that involve temporary
destinations. (Since v6.2.7 and v5.19.8)
`enableAudit`|`true`|When `true` the broker will track duplicate messages.
Duplicates can happen for non-persistent messages during failover.
`gcInactiveDestinations`|`false`|Garbage collect inactive destinations.
`inactiveTimoutBeforeGC`|`5000`|The timeout (in ms) after which a destination
is considered inactive.
diff --git a/src/components/classic/documentation/xbean-xml-reference-50.md
b/src/components/classic/documentation/xbean-xml-reference-50.md
index 3a03cb8f7..d2e3d5daa 100644
--- a/src/components/classic/documentation/xbean-xml-reference-50.md
+++ b/src/components/classic/documentation/xbean-xml-reference-50.md
@@ -1207,6 +1207,12 @@ vmConnectorURI
_java.net.URI_
+maxInflatedDataSize
+
+_integer_
+
+The maximum allowed size of an uncompressed message body. The default is 100
MB.
+
### The _\<bytesJDBCAdapter>_ Element
This JDBCAdapter inserts and extracts BLOB data using the
setBytes()/getBytes() operations. The databases/JDBC drivers that use this
adapter are:
diff --git a/src/components/classic/download/index.md
b/src/components/classic/download/index.md
index bab94e03b..7f03a4f3f 100644
--- a/src/components/classic/download/index.md
+++ b/src/components/classic/download/index.md
@@ -25,8 +25,8 @@ It is important to [verify the
integrity](#verify-the-integrity-of-downloads) of
<tr style="background-color: #dff0d8;">
<td>6.2.x</td>
<td><strong>Stable - Supported</strong></td>
- <td>6.2.6</td>
- <td>May 31st, 2026</td>
+ <td>6.2.7</td>
+ <td>June 29th, 2026</td>
</tr>
<tr style="background-color: #f0f0f0;">
<td>6.1.x</td>
@@ -43,8 +43,8 @@ It is important to [verify the
integrity](#verify-the-integrity-of-downloads) of
<tr style="background-color: #dff0d8;">
<td>5.19.x</td>
<td><strong>Stable - Supported</strong></td>
- <td>5.19.7</td>
- <td>May 31st, 2026</td>
+ <td>5.19.8</td>
+ <td>June 29th, 2026</td>
</tr>
<tr style="background-color: #f0f0f0;">
<td>5.18.x</td>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact