Today, we published a new maintenance release of Hibernate ORM 5.3: 5.3.20.Final.
This release introduces a security fix relating to https://access.redhat.com/security/cve/CVE-2020-25638 .
The flaw has been present in Hibernate ORM since many years, so many older versions are affected.
An upgrade is recommended, but if you are using a very old version which makes it difficult to upgrade to the latest supported versions (series 5.4 and 5.3 at time of writing this), you can disable SQL comments by setting:
This also is the default, so if you did not set the use_sql_comments at all you are not affected.
In addition to the security fix the release introduces :
A fix for the NPE thrown when an Entity
Ahas a map collection having an Embeddable with an association to
Aas index (HHH-14257)
An improvement that permits to use a query hint to specify the table names to which a native query refers. During the auto flush, Hibernate will check whether there are pending operation affected by those tables, and if so automatically flush those changes. When the native query performs an update or delete operation, the table names are also used to determine if any second level cache region is affected and then need to be invalidated (HHH-14325)
All details are available and up to date on the dedicated page on hibernate.org.