An update for hibernate is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1135 Final 1.0 1.0 2021-04-07 Initial 2021-04-07 2021-04-07 openEuler SA Tool V1.0 2021-04-07 hibernate security update An update for hibernate is now available for openEuler-20.03-LTS-SP1. Hibernate is a powerful, high-performance, feature-rich and very popular ORM solution for Java. Hibernate facilitates development of persistent objects based on the common Java object model to mirror the underlying database structure. This approach progresses the business performance to some extent, advances development efficiency exceedingly and obtains preferable economical efficiency and practicability. Provides: hibernate-core = 5.0.10-6.oe1 Provides: hibernate-c3p0 = 5.0.10-6.oe1 Provides: hibernate-ehcache = 5.0.10-6.oe1 Provides: hibernate-entitymanager = 5.0.10-6.oe1 Provides: hibernate-envers = 5.0.10-6.oe1 Provides: hibernate-hikaricp = 5.0.10-6.oe1 Provides: hibernate-infinispan = 5.0.10-6.oe1 Provides: hibernate-java8 = 5.0.10-6.oe1 Provides: hibernate-osgi = 5.0.10-6.oe1 Provides: hibernate-parent = 5.0.10-6.oe1 Provides: hibernate-proxool = 5.0.10-6.oe1 Provides: hibernate-spatial = 5.0.10-6.oe1 Provides: hibernate-testing = 5.0.10-6.oe1 Provides: hibernate-javadoc = 5.0.10-6.oe1 Obsoletes: hibernate-core < 5.0.10-6.oe1 Obsoletes: hibernate-c3p0 < 5.0.10-6.oe1 Obsoletes: hibernate-ehcache < 5.0.10-6.oe1 Obsoletes: hibernate-entitymanager < 5.0.10-6.oe1 Obsoletes: hibernate-envers < 5.0.10-6.oe1 Obsoletes: hibernate-hikaricp < 5.0.10-6.oe1 Obsoletes: hibernate-infinispan < 5.0.10-6.oe1 Obsoletes: hibernate-java8 < 5.0.10-6.oe1 Obsoletes: hibernate-osgi < 5.0.10-6.oe1 Obsoletes: hibernate-parent < 5.0.10-6.oe1 Obsoletes: hibernate-proxool < 5.0.10-6.oe1 Obsoletes: hibernate-spatial < 5.0.10-6.oe1 Obsoletes: hibernate-testing < 5.0.10-6.oe1 Obsoletes: hibernate-javadoc < 5.0.10-6.oe1 Security Fix(es): A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.(CVE-2019-14900) An update for hibernate is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium hibernate https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1135 https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-14900 https://nvd.nist.gov/vuln/detail/CVE-2019-14900 openEuler-20.03-LTS-SP1 hibernate-5.0.10-8.oe1.noarch.rpm hibernate-5.0.10-8.oe1.src.rpm A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. 2021-04-07 CVE-2019-14900 openEuler-20.03-LTS-SP1 Medium 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N hibernate security update 2021-04-07 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1135