A new version of Hibernate ORM is available today: 5.4.24.Final, we recommend upgrading your applications.

Security Update

This release introduces a security fix relating to CVE-2020-25638.

The flaw has been present in Hibernate ORM since many years, so many older versions are affected.

An upgrade is recommended, but if you are using a very old version which makes it difficult to upgrade to the latest supported versions (series 5.4 and 5.3 at time of writing this), you can disable SQL comments by setting:

hibernate.use_sql_comments=false

This property also happens to be disabled by default, so unless you had it enabled explicitly you are not affected.

If you’re running Hibernate ORM from series 5.3.x, you might prefer to use version 5.3.20.Final instead, which also includes the fix for this CVE.

Other Bugfixes and Improvements

In addition to the security fix the release introduces :

  • A fix for the NPE thrown when an Entity A has a map collection having an Embeddable with an association to A as index (HHH-14257).

  • An improvement that permits to use a query hint to specify the table names to which a native query refers. During the auto flush, Hibernate will check whether there are pending operation affected by those tables, and if so automatically flush those changes. When the native query performs an update or delete operation, the table names are also used to determine if any second level cache region is affected and then need to be invalidated (HHH-14325).

  • Bytecode enhanced entities wouldn’t always detect dirty state correctly for mutable embeddable types (HHH-14329).

  • Pessimistic locking modes could trigger an invalid FOR UPDATE clause on outer joins statements (HHH-14333).

  • Padded batch style entity loaders were not compatible with entity graph load influencers (HHH-14312).

  • Easier to define affected Query Spaces for native queries (HHH-14325).

You can find the full list of changes in this version here (or, for people without a Hibernate Jira account, here).

Getting 5.4.24.Final

All details are available and up to date on the dedicated page on hibernate.org.

Feedback, issues, ideas?

To get in touch, use the usual channels:


Back to top