
fix(deps): update dependency org.hibernate:hibernate-core to v5 [security] #325

Open. Wants to merge 1 commit into master from renovate/maven-org.hibernate-hibernate-core-vulnerability.

Conversation

@renovate renovate bot commented Dec 24, 2022

This PR contains the following updates:

Package: org.hibernate:hibernate-core (source)
Change: 3.6.10.Final -> 5.3.20.Final
Age / Adoption / Passing / Confidence: badge images (values not captured in this text rendering)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2020-25638

A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

CVE-2019-14900

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.


Release Notes

hibernate/hibernate-orm (org.hibernate:hibernate-core)

Releases with no notes attached (the GitHub page offers only a "Compare Source" link for each):

v5.3.20.Final, v5.3.19.Final, v5.3.18.Final, v5.3.17.Final, v5.3.16.Final, v5.3.15.Final, v5.3.14.Final, v5.3.13.Final, v5.3.12.Final, v5.3.11.Final, v5.3.10.Final, v5.3.9.Final, v5.3.8.Final, v5.3.7.Final, v5.3.6.Final, v5.3.5.Final, v5.3.4.Final, v5.3.3.Final, v5.3.2.Final, v5.3.1.Final, v5.3.0.Final
v5.2.18.Final, v5.2.17.Final, v5.2.16.Final, v5.2.15.Final, v5.2.14.Final, v5.2.13.Final, v5.2.12.Final, v5.2.11.Final, v5.2.10.Final, v5.2.9.Final, v5.2.8.Final, v5.2.7.Final, v5.2.6.Final, v5.2.5.Final, v5.2.4.Final, v5.2.3.Final, v5.2.2.Final, v5.2.1.Final, v5.2.0.Final
v5.1.17.Final, v5.1.16.Final, v5.1.15.Final, v5.1.14.Final, v5.1.13.Final, v5.1.12.Final, v5.1.11.Final, v5.1.10.Final, v5.1.9.Final, v5.1.8.Final, v5.1.7.Final, v5.1.6.Final, v5.1.5.Final, v5.1.4.Final, v5.1.3.Final, v5.1.2.Final, v5.1.1.Final, v5.1.0.Final
v5.0.12.Final, v5.0.11.Final, v5.0.10.Final, v5.0.9.Final, v5.0.8.Final, v5.0.7.Final, v5.0.6.Final, v5.0.5.Final, v5.0.4.Final, v5.0.3.Final

v5.0.2.Final: Second bug-fix release for 5.0

The complete list of changes can be found here.

For information on consuming the release into your build via your favorite dependency-management-capable build tool, see http://hibernate.org/orm/downloads/.

For those of you allergic to dependency-management-capable build tools, the release bundles can be obtained from SourceForge or BinTray.

v5.0.1.Final: First bug-fix release for 5.0

The complete list of changes can be found here.

For information on consuming the release into your build via your favorite dependency-management-capable build tool, see http://hibernate.org/orm/downloads/.

For those of you allergic to dependency-management-capable build tools, the release bundles can be obtained from SourceForge or BinTray.

v5.0.0.Final: 5.0.0 has gone Final!

Today I have released Hibernate ORM 5.0 (5.0.0.Final). This has been a long time coming and is the result
of the efforts of many folks. Thanks to everyone who helped us get here with fixes, bug reports, suggestions,
input and encouragement!

A lot of development has gone into 5.0. Here are the big points:

New bootstrap API

The venerable way to bootstrap Hibernate (build a SessionFactory) has been to use its Configuration class.
Configuration, historically, allowed users to iteratively add settings and mappings in any order and to query the
state of settings and mapping information in the middle of that process, which meant that building the mapping
information could not effectively rely on any settings being available. This led to many limitations and problems.

5.0 introduces a new bootstrapping API aimed at alleviating those limitations and problems, while allowing
better determinism and better integration. See the Bootstrap chapter in the User Guide for details on using
the new API.

Configuration is still available for use, although in a limited sense. Some of its methods have been removed. Under
the covers Configuration makes use of the new bootstrap API.

Spatial/GIS support

Hibernate Spatial is a project that has been around for a number of years. Karel Maesen has done an amazing job
with it.

Starting in 5.0 Hibernate Spatial is now part of the Hibernate project proper to allow it to better keep up with
upstream development. It is available as org.hibernate:hibernate-spatial. If your application has need for
GIS data, we highly recommend giving hibernate-spatial a try.

Java 8 support

Well, ok.. not all of Java 8. Specifically we have added support for Java 8 Date and Time API in regards to easily mapping
attributes in your domain model using the Java 8 Date and Time API types to the database. This support is available
under the dedicated hibernate-java8 artifact (to isolate Java 8 dependencies). For additional information, see
the Basic Types chapter in the Domain Model Mapping Guide.

Expanded AUTO id generation support

JPA defines support for GenerationType#AUTO limited to just Number types. Starting in 5.0 Hibernate offers expandable support for a broader
set of types, including built-in support for both Number types (Integer, Long, etc) and UUID. Users are also free to plug
in custom strategies for interpreting GenerationType#AUTO via the new org.hibernate.boot.model.IdGeneratorStrategyInterpreter extension.

Naming strategy split

NamingStrategy has been removed in favor of a better designed API. 2 distinct ones actually:

  • org.hibernate.boot.model.naming.ImplicitNamingStrategy - used whenever a table or column is not explicitly named to determine the name to use
  • org.hibernate.boot.model.naming.PhysicalNamingStrategy - used to convert a "logical name" (either implicit or explicit) name of a table or column
    into a physical name (e.g. following corporate naming guidelines)

Attribute Converter support

5.0 offers significantly improved support for JPA 2.1 AttributeConverters:

  • fully supported for non-@Enumerated enum values
  • applicable in conjunction with @Nationalized support
  • now called to handle null values
  • settable in hbm.xml by using type="converter:fully.qualified.AttributeConverterName"
  • integrated with hibernate-envers
  • collection values, map keys
  • support for conversion of parameterized types

Better "bulk id table" support

Support for "bulk id tables" has been completely redesigned to better fit what different databases support.

Transaction management

The transaction SPI underwent a major redesign as part of 5.0 as well. From a user perspective this generally
only comes into view in terms of configuration. Previously applications would work with the different backend
transaction strategies directly via the org.hibernate.Transaction API. In 5.0 a level of indirection has been
added here. The API implementation of org.hibernate.Transaction is always the same now. On the backend, the
org.hibernate.Transaction impl talks to an org.hibernate.resource.transaction.TransactionCoordinator which represents
the "transactional context" for a given Session according to the backend transaction strategy. Users generally do not
need to care about the distinction.

The change is noted here because it might affect your bootstrap configuration. Whereas previously applications would
specify hibernate.transaction.factory_class and refer to a org.hibernate.engine.transaction.spi.TransactionFactory FQN,
with 5.0 the new contract is org.hibernate.resource.transaction.TransactionCoordinatorBuilder and is specified using the
hibernate.transaction.coordinator_class setting. See org.hibernate.cfg.AvailableSettings.TRANSACTION_COORDINATOR_STRATEGY
JavaDocs for additional details.

The following short-names are recognized:

  • jdbc (the default): use JDBC-based transactions (org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorImpl)
  • jta: use JTA-based transactions (org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl)

See the User Guide for additional details.

Schema Tooling

5.0 offers much improvement in the area of schema tooling (export, validation and migration).

Typed Session API

Hibernate's native APIs (Session, etc) have been updated to be typed. No more casting!

Improved OSGi support

Really this started with a frustration over the fragility of hibernate-osgi tests. The first piece was a better testing setup using
Pax Exam and Karaf. This led to us generating (and now publishing!) a Hibernate Karaf features file.

OSGi support has undergone some general improvement as well thanks to feedback from some Karaf and Pax developers and users.

See the Getting Started Guide for additional details on using the new Karaf features file.

Improved bytecode enhancement capabilities

  • dirty tracking
  • bidirectional association management
  • lazy loading

Work on documentation

A lot of work has gone into the documentation for 5.0. It's still not complete (is documentation ever "complete"?), but it is much improved.

See the revamped documentation page at http://hibernate.org/orm/documentation/5.0 for details.

BinTray

For now the plan is to publish the release bundles (zip and tgz) to BinTray. We will continue to publish to SourceForge as well. For the time being
we will publish the bundles to both.

Ultimately we will start to publish the "maven" artifacts there as well.

This is all a work in progress.

How to get it

See http://hibernate.atlassian.net/projects/HHH/versions/20851 for the complete list of changes.

See http://hibernate.org/orm/downloads/ for information on obtaining the releases.

Releases with no notes attached (the GitHub page offers only a "Compare Source" link for each):

v4.3.11.Final, v4.3.10.Final, v4.3.9.Final, v4.3.8.Final, v4.3.7.Final, v4.3.6.Final, v4.3.5.Final, v4.3.4.Final, v4.3.3.Final, v4.3.2.Final

v4.3.1.Final: Release

See the details at http://in.relation.to/Bloggers/HibernateORM431FinalRelease. See http://hibernate.org/orm/downloads/ for information on getting the artifacts.

Releases with no notes attached (the GitHub page offers only a "Compare Source" link for each):

v4.3.0.Final
v4.2.21.Final, v4.2.20.Final, v4.2.19.Final, v4.2.18.Final, v4.2.17.Final, v4.2.16.Final, v4.2.15.Final, v4.2.14.Final, v4.2.13.Final, v4.2.12.Final, v4.2.11.Final, v4.2.10.Final, v4.2.9.Final, v4.2.8.Final, v4.2.7.SP1, v4.2.7.Final, v4.2.6.Final, v4.2.5.Final

v4.2.4.Final: Hibernate ORM 4.2.4.Final

Hibernate ORM 4.2.4.Final was just released, containing multiple bug fixes. Please see the full changelog for more information: https://hibernate.atlassian.net/secure/ReleaseNote.jspa?projectId=10031&version=13750

JBoss Nexus: https://repository.jboss.org/nexus/content/groups/public/org/hibernate
Maven Central: http://repo1.maven.org/maven2/org/hibernate/hibernate-core (should update in a couple of days)
SourceForge: https://sourceforge.net/projects/hibernate/files/hibernate4
Downloads: binaries attached

v4.2.3.Final: Hibernate ORM 4.2.3.Final

Hibernate ORM 4.2.3.Final was just released. The full changelog can be viewed here

HHH-8112 fully documented the OSGi capabilities and included multiple quickstart projects. Please see the Dev Guide and Quickstart.

This release also completed the umbrella OSGi task: HHH-7527! Finally -- whew!

Multiple minor bug fixes were included -- please see the changelog for more info.

JBoss Nexus: https://repository.jboss.org/nexus/content/groups/public/org/hibernate
Maven Central: http://repo1.maven.org/maven2/org/hibernate/hibernate-core
SourceForge: https://sourceforge.net/projects/hibernate/files/hibernate4
Downloads: (binaries attached)

Releases with no notes attached (the GitHub page offers only a "Compare Source" link for each):

v4.2.2.Final, v4.2.1.Final, v4.2.0.SP1, v4.2.0.Final
v4.1.12.Final, v4.1.11.Final, v4.1.10.Final, v4.1.9.Final, v4.1.8.Final, v4.1.7.Final, v4.1.6.Final, v4.1.5.SP1, v4.1.5.Final, v4.1.4.Final, v4.1.3.Final, v4.1.2.Final, v4.1.1.Final, v4.1.0.Final
v4.0.1.Final, v4.0.0.Final


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
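The two advisories quoted in the PR description (CVE-2019-14900 and CVE-2020-25638) both concern the same Criteria API shape: a value that the ORM renders as a literal inside the SELECT or GROUP BY clause (or, in the later CVE, inside a SQL comment) instead of binding it as a parameter. The following is an added example, not code from this PR, from the Renovate bot, or from the Hibernate project. It shows that shape beside a form that keeps untrusted data out of the rendered SQL altogether. The Account entity, its fields, the LabelledId result type and the "region"/"label" inputs are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.ParameterExpression;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;

/**
 * Added example (not part of the Renovate PR or of Hibernate's own code base).
 * Contrasts the Criteria API pattern described by CVE-2019-14900 / CVE-2020-25638
 * (an untrusted value rendered as a literal in the SELECT clause) with a form that
 * never lets request-controlled data reach the SELECT or GROUP BY clause.
 */
public final class CriteriaLiteralReview {

    /** Constructed entity for the example; a real project maps this in its persistence unit. */
    @Entity
    public static class Account {
        @Id
        private Long id;
        private String region;

        protected Account() { }                 // JPA requires a no-arg constructor

        public Long getId() { return id; }
        public String getRegion() { return region; }
    }

    /** Constructed result type: an id plus a caller-supplied display label. */
    public static final class LabelledId {
        public final Long id;
        public final String label;
        LabelledId(Long id, String label) { this.id = id; this.label = label; }
    }

    /**
     * Pattern to flag in code review on the affected hibernate-core versions: a
     * request-controlled string is placed in the SELECT list via cb.literal(). The ORM,
     * not the JDBC driver, renders that literal into the SQL text, and the cited CVEs
     * describe that rendering being unsanitized. Kept here only so the shape is
     * recognisable when reviewing code; it is the "before" form.
     */
    static List<Object[]> labelledIdsViaLiteral(EntityManager em, String region, String untrustedLabel) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Object[]> q = cb.createQuery(Object[].class);
        Root<Account> acct = q.from(Account.class);
        q.multiselect(acct.get("id"), cb.literal(untrustedLabel))   // literal in SELECT
         .where(cb.equal(acct.get("region"), region));
        return em.createQuery(q).getResultList();
    }

    /**
     * Hardened form: the database sees only bound parameters (the region filter), and
     * the caller-supplied label is attached in Java after the rows come back. Nothing
     * request-controlled reaches the SELECT or GROUP BY clause, so the literal-rendering
     * code path the advisories describe is never exercised, on any hibernate-core version.
     */
    static List<LabelledId> labelledIdsViaParameter(EntityManager em, String region, String untrustedLabel) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Long> q = cb.createQuery(Long.class);
        Root<Account> acct = q.from(Account.class);
        ParameterExpression<String> regionParam = cb.parameter(String.class, "region");
        q.select(acct.<Long>get("id"))
         .where(cb.equal(acct.get("region"), regionParam));       // bound, never inlined

        TypedQuery<Long> typed = em.createQuery(q);
        typed.setParameter(regionParam, region);

        List<LabelledId> out = new ArrayList<>();
        for (Long id : typed.getResultList()) {
            out.add(new LabelledId(id, untrustedLabel));           // decoration in Java, not in SQL
        }
        return out;
    }
}
```

Upgrading to 5.3.20.Final, which is what this PR does, fixes the rendering inside the ORM; moving untrusted values out of SELECT and GROUP BY and binding everything else as parameters is the defence-in-depth that also survives the next ORM bug. To my knowledge Hibernate 5.2.12 and later additionally expose a hibernate.criteria.literal_handling_mode setting (AUTO, BIND, INLINE) that controls whether Criteria literals are bound or inlined; that setting is not mentioned on this page, so confirm it against AvailableSettings for the version you run before relying on it.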

@renovate renovate bot force-pushed the renovate/maven-org.hibernate-hibernate-core-vulnerability branch 3 times, most recently from d2e1230 to d9616fa on January 19, 2023 20:20
@renovate renovate bot changed the title from "fix(deps): update dependency org.hibernate:hibernate-core to v5 [security]" to "fix(deps): update dependency org.hibernate:hibernate-core to v5 [security] - autoclosed" on Mar 11, 2023
@renovate renovate bot closed this Mar 11, 2023
@renovate renovate bot deleted the renovate/maven-org.hibernate-hibernate-core-vulnerability branch March 11, 2023 07:10
@renovate renovate bot changed the title from "fix(deps): update dependency org.hibernate:hibernate-core to v5 [security] - autoclosed" to "fix(deps): update dependency org.hibernate:hibernate-core to v5 [security]" on Mar 11, 2023
@renovate renovate bot reopened this Mar 11, 2023
@renovate renovate bot force-pushed the renovate/maven-org.hibernate-hibernate-core-vulnerability branch 5 times, most recently from 006313b to 12cbcba on March 22, 2023 16:11
@renovate renovate bot force-pushed the renovate/maven-org.hibernate-hibernate-core-vulnerability branch from 12cbcba to abaeb31 on October 22, 2024 21:52