<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for hibernate is now available for openEuler-20.03-LTS-SP1</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2021-1135</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2021-04-07</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2021-04-07</InitialReleaseDate>
<CurrentReleaseDate>2021-04-07</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2021-04-07</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">hibernate security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for hibernate is now available for openEuler-20.03-LTS-SP1.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Hibernate is a high-performance, feature-rich and widely used object-relational mapping (ORM) framework for Java. It lets applications define persistent objects in the ordinary Java object model and maps them onto the underlying database structure, which raises development efficiency and, to a degree, application performance and maintainability.

Provides: hibernate-core = 5.0.10-6.oe1
Provides: hibernate-c3p0 = 5.0.10-6.oe1
Provides: hibernate-ehcache = 5.0.10-6.oe1
Provides: hibernate-entitymanager = 5.0.10-6.oe1
Provides: hibernate-envers = 5.0.10-6.oe1
Provides: hibernate-hikaricp = 5.0.10-6.oe1
Provides: hibernate-infinispan = 5.0.10-6.oe1
Provides: hibernate-java8 = 5.0.10-6.oe1
Provides: hibernate-osgi = 5.0.10-6.oe1
Provides: hibernate-parent = 5.0.10-6.oe1
Provides: hibernate-proxool = 5.0.10-6.oe1
Provides: hibernate-spatial = 5.0.10-6.oe1
Provides: hibernate-testing = 5.0.10-6.oe1
Provides: hibernate-javadoc = 5.0.10-6.oe1
Obsoletes: hibernate-core < 5.0.10-6.oe1
Obsoletes: hibernate-c3p0 < 5.0.10-6.oe1
Obsoletes: hibernate-ehcache < 5.0.10-6.oe1
Obsoletes: hibernate-entitymanager < 5.0.10-6.oe1
Obsoletes: hibernate-envers < 5.0.10-6.oe1
Obsoletes: hibernate-hikaricp < 5.0.10-6.oe1
Obsoletes: hibernate-infinispan < 5.0.10-6.oe1
Obsoletes: hibernate-java8 < 5.0.10-6.oe1
Obsoletes: hibernate-osgi < 5.0.10-6.oe1
Obsoletes: hibernate-parent < 5.0.10-6.oe1
Obsoletes: hibernate-proxool < 5.0.10-6.oe1
Obsoletes: hibernate-spatial < 5.0.10-6.oe1
Obsoletes: hibernate-testing < 5.0.10-6.oe1
Obsoletes: hibernate-javadoc < 5.0.10-6.oe1

Security Fix(es):

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. (CVE-2019-14900)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for hibernate is now available for openEuler-20.03-LTS-SP1.

openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">hibernate</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1135</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-14900</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2019-14900</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="hibernate-5.0.10-8" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-5.0.10-8.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="hibernate-5.0.10-8" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-5.0.10-8.oe1.src.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.</Note>
</Notes>
<ReleaseDate>2021-04-07</ReleaseDate>
<CVE>CVE-2019-14900</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>6.5</BaseScore>
<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>hibernate security update</Description>
<DATE>2021-04-07</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1135</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
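The Vulnerability Description above says the JPA Criteria API renders unsanitized literals when they appear in SELECT or GROUP BY. The following is an added illustration of that pattern and of the parameter-bound alternative; it is not code from openEuler, from the advisory, or from the Hibernate project. The Account entity, its fields and the method names are assumptions made for the example; the javax.persistence API calls are the standard JPA 2.x ones that Hibernate 5 implements.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Tuple;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;

/**
 * Added example, not openEuler or Hibernate code. Contrasts the Criteria API
 * usage that CVE-2019-14900 makes exploitable (caller-controlled string passed
 * to CriteriaBuilder.literal() and placed in SELECT or GROUP BY) with the
 * parameter-bound form that stays safe on any Hibernate version.
 * The Account entity and the method names are assumptions.
 */
public class CriteriaLiteralExample {

    /** Assumed entity; only the mapped columns matter for the queries below. */
    @Entity
    public static class Account {
        @Id
        public Long id;
        public String owner;
        public long balance;
    }

    /**
     * VULNERABLE on affected Hibernate ORM versions (before 5.3.18 / 5.4.18).
     * A literal in the SELECT list is written inline into the generated SQL.
     * Affected versions do not sanitize the string, so a label containing a
     * single quote (e.g. O'Brien) already breaks the quoting, and an
     * attacker-chosen label can append SQL of their own to the statement.
     */
    public static List<Tuple> selectWithLiteral(EntityManager em, String label) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Tuple> q = cb.createTupleQuery();
        Root<Account> acc = q.from(Account.class);
        q.multiselect(acc.get("id"), cb.literal(label)); // literal in SELECT
        return em.createQuery(q).getResultList();
    }

    /** Same defect with the literal in GROUP BY. */
    public static List<Tuple> groupByLiteral(EntityManager em, String bucket) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Tuple> q = cb.createTupleQuery();
        Root<Account> acc = q.from(Account.class);
        q.multiselect(acc.get("owner"), cb.sum(acc.<Long>get("balance")))
         .groupBy(acc.get("owner"), cb.literal(bucket)); // literal in GROUP BY
        return em.createQuery(q).getResultList();
    }

    /**
     * SAFE on any version: the value travels as a bound JDBC parameter and is
     * never spliced into the SQL text. Some databases need the parameter's
     * type to be inferable in a SELECT list; a ParameterExpression<String>
     * gives Hibernate that information.
     */
    public static List<Tuple> selectWithParameter(EntityManager em, String label) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Tuple> q = cb.createTupleQuery();
        Root<Account> acc = q.from(Account.class);
        ParameterExpression<String> p = cb.parameter(String.class, "label");
        q.multiselect(acc.get("id"), p);
        TypedQuery<Tuple> tq = em.createQuery(q);
        tq.setParameter("label", label); // bound, not concatenated
        return tq.getResultList();
    }
}
```

Two practical notes. First, the application-side rule that makes this class of bug irrelevant is to never pass caller-controlled data to CriteriaBuilder.literal(); literal() is for constants known at development time, and anything that arrives from a request belongs in a parameter, as in selectWithParameter. Second, Hibernate releases from the 5.2 series onward accept the property hibernate.criteria.literal_handling_mode with the value BIND, which makes the Criteria API bind every literal as a parameter instead of inlining it; that setting is not available in the 5.0.10 line this advisory patches, so on openEuler-20.03-LTS-SP1 the fix is the updated hibernate-5.0.10-8.oe1 package together with the coding rule above.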