CLONE - CVE-2020-25638 Potential for SQL injection on use_sql_comments logging enabled @ 5.2.x

Description

This is a security fix relating to https://access.redhat.com/security/cve/CVE-2020-25638 .

The flaw has been present in Hibernate ORM since many years, so many older versions are affected.

An upgrade is recommended, but if you are using a very old version which makes it difficult to upgrade to the latest supported versions (series 5.4 and 5.3 at time of writing this), you can disable SQL comments by setting:

hibernate.use_sql_comments=false

This is also the default, so if you didn’t set use_sql_comments at all you are not affected.

The problem

Hibernate ORM correctly sanitises query parameters and the SQL it executes, but when the option use_sql_comments is enabled it will also include a comment in the SQL which is sent to the relational database; the comment itself could include escape sequences that modify the semantics of the executed SQL statement.
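As an added illustration (not Hibernate's own code and not the upstream fix) of how a comment value carrying a premature `*/` escapes the comment block that use_sql_comments prepends, together with one defensive check and neutralisation step an application could apply before handing text to a comment; the class name, the method names and the sanitisation policy are assumptions:

```java
import java.util.regex.Pattern;

// Added example, not part of Hibernate ORM: demonstrates why text placed inside the
// "/* ... */" comment emitted when use_sql_comments=true must not contain comment
// delimiters, and one way to detect and neutralise them (hypothetical helper).
public class SqlCommentCheck {

    // Sequences that would close the block comment early or open a nested one.
    private static final Pattern COMMENT_DELIMITER = Pattern.compile("\\*/|/\\*");

    // Returns true when the comment text would not stay inside the /* */ delimiters.
    static boolean breaksOutOfComment(String comment) {
        return COMMENT_DELIMITER.matcher(comment).find();
    }

    // Neutralises delimiters by separating the two characters with a space, so
    // "*/" becomes "* /" and can no longer terminate the comment. Assumed policy;
    // rejecting such input outright is an equally valid choice.
    static String sanitiseComment(String comment) {
        return comment.replace("*/", "* /").replace("/*", "/ *");
    }

    // Mirrors the shape of the statement sent to the database when SQL comments are
    // enabled: the comment is prepended to the generated SQL.
    static String prependComment(String comment, String sql) {
        return "/* " + comment + " */ " + sql;
    }

    public static void main(String[] args) {
        String sql = "select id from users where id=?";
        // Constructed sample value: a comment that carries a premature terminator,
        // so everything after "*/" is no longer part of the comment.
        String tainted = "load user */ trailing text /*";
        System.out.println("breaks out of comment: " + breaksOutOfComment(tainted));
        System.out.println("raw:       " + prependComment(tainted, sql));
        System.out.println("sanitised: " + prependComment(sanitiseComment(tainted), sql));
    }
}
```

In the raw output the words after the first `*/` sit outside the comment and are parsed as SQL; in the sanitised output the whole value remains commentary and the statement is unchanged.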

Activity


Sanne Grinovero January 24, 2024 at 1:36 PM

The LGPL requirement of distributing the sources applies to the whole of the Hibernate ORM project. I think it’s reasonable to provide the original Hibernate sources and a patch, as long as another developer can derive the sources of the Hibernate library build you’re using without excessive effort. That’s how it normally works and how we interpret the license, but bear in mind this is not legal advice, I’m not a lawyer and I’m not qualified to give you any advice - I’m just trying to give you some practicality pointers of how such things are generally approached: if you’re in doubt about the interpretation of the license please get professional advice.

P.S. there is no need to keep in touch with us and such patches and sources don’t need to be public, they merely need to be available to your users.

Dragos Onac January 24, 2024 at 1:08 PM

Thank you, one clarification please, when referring to sharing the sources, do we refer to just the patches' sources, which would seem appropriate given the small change or would that apply to the whole projects' sources?

We’re not building a derivative work, but do want to make sure we understand and agree the same legal boundaries, as obviously, we won’t be able to share any commercial product’s sources and so I want to simplify the choices from the starting point.

If we’re OK in principle to only distributing the actual Hibernate patched library, its sources (and that will be confirmed from both side’s teams) then that would be excellent, we will figure out the project public location, the build, keep in touch privately with Hibernate team for reviewing/approving the wording regarding the distribution, the actual changes and agreeing on the licensing terms under which we distribute the changed library.

Thank you so much!

Sanne Grinovero January 22, 2024 at 2:08 PM

Hi, no problem

Please do read the license terms, they are quite clear: essentially your version would be considered a derivative work and therefore also needs to be licensed under the same license as our project, and you’d need to make the sources available to whomever you distribute the custom build to.

Please be mindful also of the Hibernate trademark; when re-distributing such things please make sure it’s clear that you’ve made customizations.

Dragos Onac January 22, 2024 at 12:35 PM

Hi, thank you for the explanation, and sorry for leaving the tags there, I wasn’t able to remove them - some permissions were missing.

A small question, If I was to fix this myself, what would be the licensing terms under which I would apply such fix?

Thank you kindly.

Dragos

Sanne Grinovero January 16, 2024 at 9:02 PM

Hello,

sorry but we’ll have to reject this, for various reasons. Firstly and most importantly, the issue was already resolved a long time ago; older versions which are not supported by the team are, by definition, not supported by our team: anyone is free to get the sources and apply their own patches, but when doing so there is no need to track issues on our issue tracker. We won’t be making new releases of versions which are not supported, that’s the very definition of it.

Secondarily, you marked the fix for versions which have already been tagged - this also makes no sense and I’ll have to edit it so as to not confuse changelogs of those versions.

If you have questions please use the forums or get in touch on the developer’s chat: see https://hibernate.org/community/.

Rejected

Details

Created January 16, 2024 at 3:12 PM
Updated January 24, 2024 at 1:36 PM
Resolved January 16, 2024 at 9:08 PM