Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump hibernate-validator from 4.0.0.GA to 5.0.0.Final #32

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot-preview[bot]
Copy link
Contributor

Bumps hibernate-validator from 4.0.0.GA to 5.0.0.Final. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Privilege Escalation in Hibernate Validator In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

Affected versions: < 4.3.4

Changelog

Sourced from hibernate-validator's changelog.

5.0.0.Final (11.04.2013)

** Bug * [HV-787] - javax.enterprise.inject.spi.Bean implementations should also implement PassivationCapable * [HV-788] - Upgrade BV API and TCK to final versions

** Improvement * [HV-752] - Check transitive dependencies from CDI API * [HV-785] - Improve structure of JavaDoc

** Task * [HV-781] - Align with latest Weld release

5.0.0.CR5 (02.04.2013)

** Bug * [HV-778] - Provide a way to deactivate cdi extension * [HV-782] - Multiple constraint-mappings files for one constraint to not work

** Improvement * [HV-648] - Script documentation and distribution upload * [HV-724] - Remove JavaDoc warnings * [HV-783] - Extract hierarchy related functionality from ReflectionHelper * [HV-786] - Update dependencies to Weld and BV TCK

5.0.0.CR4 (20.03.2013)

** Bug * [HV-678] - Constraint is validated several times if part of several groups * [HV-766] - Method return values are allowed to be marked with @​Valid in parallel methods * [HV-767] - Group conversions not correctly applied for inherited group * [HV-771] - @​ValidateOnExecution not retrieved from overridden methods for sub-classes * [HV-772] - @​ValidateOnExecution not always retrieved from highest method in inheritance hierarchy * [HV-773] - @​ValidateOnExecution(type=IMPLICIT) on type-level causes getters to be validated * [HV-774] - Consider return type when detecting getter methods * [HV-775] - Node#as() doesn't throw ClassCastException if wrong type is passed * [HV-776] - ValidationExtension should throw an exception in case of invalid @​ValidateOnExecution configuration

** Improvement * [HV-672] - Throw meaningful exception in case object and method passed to validateParameters() don't match * [HV-768] - Eagerly throw exceptions in case of illegal method constraints * [HV-770] - Cascaded return value validation causes exception when used with Weld * [HV-777] - Adapt to changed option name for excluding integration tests from TCK run

... (truncated)

Commits
  • 6464faa [maven-release-plugin] prepare release 5.0.0.Final
  • 502e5a6 Updating readme and changelog for 5.0.0.Final release
  • 456e2b1 HV-725 Chapter 1 updates - describing EL and CDI PE dependencies, making logg...
  • 58f6044 HV-785 Grouping portable extension package separately and adding additional e...
  • 25c44c1 HV-752 Removing explicit excludes from cdi-api dependency. jboss-interceptors...
  • a0ac9a7 HV-788 Upgrading to BV API and TCK final
  • 5ec0cf2 HV-781 Updating to Weld Core CR2
  • d550ed2 HV-787 Replacing deprecated assertion methods
  • a1df6a6 HV-787 Implementing PassivationCapable for ValidatorBean and ValidatorFactory...
  • 5b91095 [maven-release-plugin] prepare for next development iteration
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Apr 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants