We just published three bugfix releases of Hibernate Search: 5.6.4.Final, 5.7.3.Final and 5.8.2.Final.
Those releases include in particular an upgrade of the Lucene dependency to 5.5.5,
which fixes CVE-2017-12629.
This vulnerability should only affect you if you use org.apache.lucene.queryparser.xml.CoreParser
and feed it with input from untrusted sources: this class is not used by Hibernate Search itself.
However, the upgrade is recommended even if you don’t use this class.
What’s new?
Here are the most notable changes:
- HSEARCH-2927: the Lucene dependency was upgraded to 5.5.5, which fixes a remote code execution vulnerability: CVE-2017-12629.
- HSEARCH-2868: adding elements to a persistent collection representing the reverse side of an association will now correctly trigger the reindexing of the entity if there is a field on this collection.
- HSEARCH-2863: @CalendarBridge(encoding = EncodingType.STRING) will no longer fail at indexing time with a ClassCastException. Thanks to Tomáš Tomek for reporting this!
For a full list of changes, please refer to the release notes:
How to get these releases
All the necessary information is available (and updated regularly) on hibernate.org:
Feedback, issues, ideas?
To get in touch, use the following channels:
- hibernate-search tag on Stackoverflow (usage questions)
- User forum (usage questions, general feedback)
- Issue tracker (bug reports, feature requests)
- Mailing list (development-related discussions)