Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -5 articles for you...
202
security advisoryremote accessimportantopenSUSE Leap 15.6: mybatis, ognl Important Security Fix CVE-2025-53192
An update that solves one vulnerability can now be installed.. # Security update for mybatis, ognl Announcement ID: SUSE-SU-2025:03285-1 Release Date: 2025-09-21T09:18:15Z Rating: important References: * bsc#1248252 Cross-References: * CVE-2025-53192 CVSS scores: * CVE-2025-53192 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2025-53192 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L * CVE-2025-53192 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.6 An update that solves one vulnerability can now be installed. ## Description: This update for mybatis, ognl fixes the following issues: Version update to 3.5.7: * Bug fixes: * Improved performance under JDK 8. #2223 Version update to 3.5.8: * List of changes: * Avoid NullPointerException when mapping an empty string to java.lang.Character. #2368 * Fixed an incorrect argument when initializing static object. This resolves a compatibility issue with quarkus-mybatis. #2284 * Performance improvements. #2297 #2335 #2340 Version update to 3.5.9: * List of changes: * Add nullable to . If enabled, it skips the iteration when the collection is null instead of throwing an exception. To enable this feature globally, set nullableOnForEach=true in the config. #1883 Version update to 3.5.10: * Bug fixes: * Unexpected illegal reflective access warning (or InaccessibleObjectException on Java 16+) when calling method in OGNL expression. #2392 * IllegalAccessException when auto-mapping Records (JEP-359) #2195 * 'interrupted' status is not set when PooledConnection#getConnection() is interrupted. #2503 * Enhancements: * A new option argNameBasedConstructorAutoMapping is added. If enabled, constructor argument names are used to look up columns when auto-mapping. #2192 * Added a new property skipSetAutoCommitOnClose to JdbcTransactionFactory. Skipping setAutoCommit() callcould improve performance with some drivers. #2426 * can now be listed after in . #2541 Version update to 3.5.11: * Bug fixes: * OGNL could throw IllegalArgumentException when invoking inherited method. #2609 * returnInstanceForEmptyRow is not applied to constructor auto-mapping. #2665 Version update to 3.5.12 * User impactful changes * # 2703 Referencing collection parameter by name fails fixing #2693 * # 2709 Fix a race condition caused by other threads calling mapper methods while mapped tables are being constructed * # 2727 Enable ability to provide custom configuration to XMLConfigBuilder * # 2731 Adding mapper could fail under JPMS * # 2741 Add 'affectedData' attribute to @select, @SelectProvider, and * # 2767 Resolve resultType by namespace and id when not provided resultType and resultMap * # 2804 Search readable property when resolving constructor arg type by name * Minor correction: 'boolean' can never be null (primative) * General library updates * Uses parameters option for compiler now (needed by spring boot 3) (for reflection needs) * Code cleanup * # 2816 Use open rewrite to partially cleanup java code * # 2817 Add private constructors per open rewrite * # 2819 Add final where appropriate per open rewrite * # 2825 Cleanup if statement breaks / return logic * # 2826 Eclipse based cleanup * Build * # 2820 Remove test ci group profile in favor of more direct usage on GH-Actions and update deprecated surefire along in overview in README.md * Adjustments to build so shaded ognl and javassist no longer throw warnings * Build with jdk 21-ea as well now * Various test cleanup, updates, and additions * Turn on auto formatting of all java code including note to contributors on readme to skip formatting when necessary in code blocks * Tests may use jdk 11 now while retaining jdk 8 runtime * Pom cleanup / better clarification on parameters * Documentation *Various documentation updates Version update to 3.5.13: * Bug fix: * Unable to resolve result type when the target property has a getter with different return type #2834 Version update to 3.5.14: * Bug fixes: * Registered type handler is not used for anonymous enums #2956 * Discriminator does not work in constructor mapping #2913 Version update to 3.5.15: * Changes * XNode#toString() should output all child nodes. See #3001 and associated tickets on this issue * Fix performance of mappedColumnNames.contains by using 'set' rather than 'list'. See #3023 * Fix osgi issue with javassist. See #3031 * Updated shaded OGNL to 3.4.2. See #3035 * Add support method for generating dynamic sql on SQL class. See #2887 * General library updates * General document updates * Build * We now show builds from java 11, 17, 21, and 22 on Github Actions. Code is still java 8 compatible at this time. * Update vulnerable hsqldb to 2.7.2 fixing our tests that now work due to newer support. Note, users were never affected by this but at least one user pull request was attempted opened in addition to both renovate and dependabot and various reporting on it. * Now using more properties to define versions in pom to lower the frequency of pull requests from renovate Version update to 3.5.16: * Security: * Prevent Invocation from being used by vulnerable applications. #3115 * Bugs: * When database ID resolution is failed, invalid bound statement is used. #3040 * Enhancements: * It is now possible to write a custom map wrapper to customize how to map column name with dots or brackets. #13 #3062 * Performance: * Improved compatibility with Virtual Threads introduced by Loom. * Reduced memory footprint when performing the default (i.e. order based) constructor auto-mapping. #3113 * Build: * Include the shaded libraries (OGNL and Javassist) in the sources.jar. Version update to 3.5.17: * Bugs: *VendorDatabaseIdProvider#getDatabaseId() should return product name when properties is empty #3297 * Update NClobTypeHandler to use methods for national character set #3298 * Enhancements: * Allow DefaultSqlSessionFactory to provide a custom SqlSession #3128 Version update to 3.5.18: * Regressions * Fixed issue in 3.5.17 #3334 * New * Ignore empty xnode per #3349 * Share expression validator #3339 * Throw helpful error instead of IndexOutOfBoundsException (automapping) #3327 * Optimize mapper builder #3252 * Tests * Add TransactionFactory, Transaction test cases #3277 * Build * Reworked pom to match current java 17 build usage * Moved all tests to newer java standards * Cleaned up github actions * Run 'site' branch only on release commits Version update to 3.5.19: * Revert Regression introduced by #3349. * Initial packaging with version 3.4.7 ognl replaces the EOLed apache-commons-ognl that has an unpatched security bug (bsc#1248252, CVE-2025-53192) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-3285=1 ## Package List: * openSUSE Leap 15.6 (noarch) * ognl-javadoc-3.4.7-150200.5.3.1 * mybatis-3.5.19-150200.5.9.1 * ognl-3.4.7-150200.5.3.1 * mybatis-javadoc-3.5.19-150200.5.9.1 ## References: * https://www.suse.com/security/cve/CVE-2025-53192.html * https://bugzilla.suse.com/show_bug.cgi?id=1248252 . Essential security patch released for myBatis and OGNL in openSUSE to mitigate the threat posed by vulnerability CVE-2025-53192, ensuring the protection of systems.. openSUSE security updates, myBatis vulnerabilities, OGNL exploit remediation. . Severity: Important. LinuxSecurity.com Team
Sep 22, 2025
•Important
OpenSUSE
100
security advisoryremote accessimportantopenSUSE Leap 15.6: Mybatis Ognl Important Issue CVE-2025-53192
* bsc#1248252 Cross-References: * CVE-2025-53192 . # Security update for mybatis, ognl Announcement ID: SUSE-SU-2025:03285-1 Release Date: 2025-09-21T09:18:15Z Rating: important References: * bsc#1248252 Cross-References: * CVE-2025-53192 CVSS scores: * CVE-2025-53192 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2025-53192 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L * CVE-2025-53192 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.6 An update that solves one vulnerability can now be installed. ## Description: This update for mybatis, ognl fixes the following issues: Version update to 3.5.7: * Bug fixes: * Improved performance under JDK 8. #2223 Version update to 3.5.8: * List of changes: * Avoid NullPointerException when mapping an empty string to java.lang.Character. #2368 * Fixed an incorrect argument when initializing static object. This resolves a compatibility issue with quarkus-mybatis. #2284 * Performance improvements. #2297 #2335 #2340 Version update to 3.5.9: * List of changes: * Add nullable to . If enabled, it skips the iteration when the collection is null instead of throwing an exception. To enable this feature globally, set nullableOnForEach=true in the config. #1883 Version update to 3.5.10: * Bug fixes: * Unexpected illegal reflective access warning (or InaccessibleObjectException on Java 16+) when calling method in OGNL expression. #2392 * IllegalAccessException when auto-mapping Records (JEP-359) #2195 * 'interrupted' status is not set when PooledConnection#getConnection() is interrupted. #2503 * Enhancements: * A new option argNameBasedConstructorAutoMapping is added. If enabled, constructor argument names are used to look up columns when auto-mapping. #2192 * Added a new property skipSetAutoCommitOnClose to JdbcTransactionFactory. Skipping setAutoCommit() call could improveperformance with some drivers. #2426 * can now be listed after in . #2541 Version update to 3.5.11: * Bug fixes: * OGNL could throw IllegalArgumentException when invoking inherited method. #2609 * returnInstanceForEmptyRow is not applied to constructor auto-mapping. #2665 Version update to 3.5.12 * User impactful changes * # 2703 Referencing collection parameter by name fails fixing #2693 * # 2709 Fix a race condition caused by other threads calling mapper methods while mapped tables are being constructed * # 2727 Enable ability to provide custom configuration to XMLConfigBuilder * # 2731 Adding mapper could fail under JPMS * # 2741 Add 'affectedData' attribute to @select, @SelectProvider, and * # 2767 Resolve resultType by namespace and id when not provided resultType and resultMap * # 2804 Search readable property when resolving constructor arg type by name * Minor correction: 'boolean' can never be null (primative) * General library updates * Uses parameters option for compiler now (needed by spring boot 3) (for reflection needs) * Code cleanup * # 2816 Use open rewrite to partially cleanup java code * # 2817 Add private constructors per open rewrite * # 2819 Add final where appropriate per open rewrite * # 2825 Cleanup if statement breaks / return logic * # 2826 Eclipse based cleanup * Build * # 2820 Remove test ci group profile in favor of more direct usage on GH-Actions and update deprecated surefire along in overview in README.md * Adjustments to build so shaded ognl and javassist no longer throw warnings * Build with jdk 21-ea as well now * Various test cleanup, updates, and additions * Turn on auto formatting of all java code including note to contributors on readme to skip formatting when necessary in code blocks * Tests may use jdk 11 now while retaining jdk 8 runtime * Pom cleanup / better clarification on parameters * Documentation * Variousdocumentation updates Version update to 3.5.13: * Bug fix: * Unable to resolve result type when the target property has a getter with different return type #2834 Version update to 3.5.14: * Bug fixes: * Registered type handler is not used for anonymous enums #2956 * Discriminator does not work in constructor mapping #2913 Version update to 3.5.15: * Changes * XNode#toString() should output all child nodes. See #3001 and associated tickets on this issue * Fix performance of mappedColumnNames.contains by using 'set' rather than 'list'. See #3023 * Fix osgi issue with javassist. See #3031 * Updated shaded OGNL to 3.4.2. See #3035 * Add support method for generating dynamic sql on SQL class. See #2887 * General library updates * General document updates * Build * We now show builds from java 11, 17, 21, and 22 on Github Actions. Code is still java 8 compatible at this time. * Update vulnerable hsqldb to 2.7.2 fixing our tests that now work due to newer support. Note, users were never affected by this but at least one user pull request was attempted opened in addition to both renovate and dependabot and various reporting on it. * Now using more properties to define versions in pom to lower the frequency of pull requests from renovate Version update to 3.5.16: * Security: * Prevent Invocation from being used by vulnerable applications. #3115 * Bugs: * When database ID resolution is failed, invalid bound statement is used. #3040 * Enhancements: * It is now possible to write a custom map wrapper to customize how to map column name with dots or brackets. #13 #3062 * Performance: * Improved compatibility with Virtual Threads introduced by Loom. * Reduced memory footprint when performing the default (i.e. order based) constructor auto-mapping. #3113 * Build: * Include the shaded libraries (OGNL and Javassist) in the sources.jar. Version update to 3.5.17: * Bugs: * VendorDatabaseIdProvider#getDatabaseId()should return product name when properties is empty #3297 * Update NClobTypeHandler to use methods for national character set #3298 * Enhancements: * Allow DefaultSqlSessionFactory to provide a custom SqlSession #3128 Version update to 3.5.18: * Regressions * Fixed issue in 3.5.17 #3334 * New * Ignore empty xnode per #3349 * Share expression validator #3339 * Throw helpful error instead of IndexOutOfBoundsException (automapping) #3327 * Optimize mapper builder #3252 * Tests * Add TransactionFactory, Transaction test cases #3277 * Build * Reworked pom to match current java 17 build usage * Moved all tests to newer java standards * Cleaned up github actions * Run 'site' branch only on release commits Version update to 3.5.19: * Revert Regression introduced by #3349. * Initial packaging with version 3.4.7 ognl replaces the EOLed apache-commons-ognl that has an unpatched security bug (bsc#1248252, CVE-2025-53192) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-3285=1 ## Package List: * openSUSE Leap 15.6 (noarch) * ognl-javadoc-3.4.7-150200.5.3.1 * mybatis-3.5.19-150200.5.9.1 * ognl-3.4.7-150200.5.3.1 * mybatis-javadoc-3.5.19-150200.5.9.1 ## References: * https://www.suse.com/security/cve/CVE-2025-53192.html * https://bugzilla.suse.com/show_bug.cgi?id=1248252 . Significant security enhancement for mybatis and ognl on openSUSE Leap 15.6 tackles critical problems and weaknesses.. mybatis update, ognl update, openSUSE security, important security fixes. . Severity: Important. LinuxSecurity.com Team
Sep 22, 2025
•Important
SuSE
100
security advisorymoderateupdateSUSE: 2024:1530-2 Moderate: Grafana And Mybatis Security Advisory
* bsc#1219912 * bsc#1222155 * jsc#MSQA-760 Cross-References: . # Security update for grafana and mybatis Announcement ID: SUSE-SU-2024:1530-2 Rating: moderate References: * bsc#1219912 * bsc#1222155 * jsc#MSQA-760 Cross-References: * CVE-2023-6152 * CVE-2024-1313 CVSS scores: * CVE-2023-6152 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L * CVE-2024-1313 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Package Hub 15 15-SP6 An update that solves two vulnerabilities and contains one feature can now be installed. ## Description: This update for grafana and mybatis fixes the following issues: grafana was updated to version 9.5.18: * Grafana now requires Go 1.20 * Security issues fixed: * CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155) * CVE-2023-6152: Add email verification when updating user email (bsc#1219912) * Other non-security related changes: * Version 9.5.17: * [FEATURE] Alerting: Backport use Alertmanager API v2 * Version 9.5.16: * [BUGFIX] Annotations: Split cleanup into separate queries and deletes to avoid deadlocks on MySQL * Version 9.5.15: * [FEATURE] Alerting: Attempt to retry retryable errors * Version 9.5.14: * [BUGFIX] Alerting: Fix state manager to not keep datasource_uid and ref_id labels in state after Error * [BUGFIX] Transformations: Config overrides being lost when config from query transform is applied * [BUGFIX] LDAP: Fix enable users on successfull login * Version 9.5.13: * [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder * [BUGFIX] Licensing: Pass func to update env variables when starting plugin * Version 9.5.12: * [FEATURE] Azure: Add support for WorkloadIdentity authentication * Version 9.5.9: * [FEATURE] SSE: Fix DSNode to not panic when response has empty response * [FEATURE] Prometheus: Handle the response with different field key order * [BUGFIX] LDAP: Fix user disabling mybatis: * `apache-commons-ognl` is now a non-optional dependency * Fixed building with log4j v1 and v2 dependencies ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2024-1530=1 * SUSE Package Hub 15 15-SP6 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-1530=1 ## Package List: * openSUSE Leap 15.6 (noarch) * mybatis-javadoc-3.5.6-150200.5.6.1 * mybatis-3.5.6-150200.5.6.1 * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * grafana-9.5.18-150200.3.56.1 * grafana-debuginfo-9.5.18-150200.3.56.1 * SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64) * grafana-9.5.18-150200.3.56.1 * grafana-debuginfo-9.5.18-150200.3.56.1 ## References: * https://www.suse.com/security/cve/CVE-2023-6152.html * https://www.suse.com/security/cve/CVE-2024-1313.html * https://bugzilla.suse.com/show_bug.cgi?id=1219912 * https://bugzilla.suse.com/show_bug.cgi?id=1222155 * https://jira.suse.com/login.jsp?permissionViolation=true&os_destination=%2Fbrowse%2FMSQA-760&page_caps=&user_role= . SUSE issues essential security patches for grafana and mybatis, addressing significant vulnerabilities. Immediate attention recommended.. grafana updates,mybatis security,SUSE advisory,security patches. . LinuxSecurity.com Team
Jun 24, 2024
SuSE
100
security advisorysecurity issuemoderate severitySUSE: 2024:1530-1 Moderate: Grafana And Mybatis Security Issues
* bsc#1219912 * bsc#1222155 * jsc#MSQA-760 Cross-References: . # Security update for grafana and mybatis Announcement ID: SUSE-SU-2024:1530-1 Rating: moderate References: * bsc#1219912 * bsc#1222155 * jsc#MSQA-760 Cross-References: * CVE-2023-6152 * CVE-2024-1313 CVSS scores: * CVE-2023-6152 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L * CVE-2024-1313 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Affected Products: * openSUSE Leap 15.5 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Package Hub 15 15-SP5 An update that solves two vulnerabilities and contains one feature can now be installed. ## Description: This update for grafana and mybatis fixes the following issues: grafana was updated to version 9.5.18: * Grafana now requires Go 1.20 * Security issues fixed: * CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155) * CVE-2023-6152: Add email verification when updating user email (bsc#1219912) * Other non-security related changes: * Version 9.5.17: * [FEATURE] Alerting: Backport use Alertmanager API v2 * Version 9.5.16: * [BUGFIX] Annotations: Split cleanup into separate queries and deletes to avoid deadlocks on MySQL * Version 9.5.15: * [FEATURE] Alerting: Attempt to retry retryable errors * Version 9.5.14: * [BUGFIX] Alerting: Fix state manager to not keep datasource_uid and ref_id labels in state after Error * [BUGFIX] Transformations: Config overrides being lost when config from query transform is applied * [BUGFIX] LDAP: Fix enable users on successfull login * Version 9.5.13: * [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder * [BUGFIX] Licensing: Pass func to update envvariables when starting plugin * Version 9.5.12: * [FEATURE] Azure: Add support for Workload Identity authentication * Version 9.5.9: * [FEATURE] SSE: Fix DSNode to not panic when response has empty response * [FEATURE] Prometheus: Handle the response with different field key order * [BUGFIX] LDAP: Fix user disabling mybatis: * `apache-commons-ognl` is now a non-optional dependency * Fixed building with log4j v1 and v2 dependencies ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Package Hub 15 15-SP5 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-1530=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-1530=1 ## Package List: * SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64) * grafana-9.5.18-150200.3.56.1 * grafana-debuginfo-9.5.18-150200.3.56.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * grafana-9.5.18-150200.3.56.1 * grafana-debuginfo-9.5.18-150200.3.56.1 * openSUSE Leap 15.5 (noarch) * mybatis-3.5.6-150200.5.6.1 * mybatis-javadoc-3.5.6-150200.5.6.1 ## References: * https://www.suse.com/security/cve/CVE-2023-6152.html * https://www.suse.com/security/cve/CVE-2024-1313.html * https://bugzilla.suse.com/show_bug.cgi?id=1219912 * https://bugzilla.suse.com/show_bug.cgi?id=1222155 * https://jira.suse.com/login.jsp?permissionViolation=true&os_destination=%2Fbrowse%2FMSQA-760&page_caps=&user_role= . Essential patches for grafana and mybatis resolve vulnerabilities affecting SUSE. Remain vigilant and updated.. Grafana Update, Mybatis Patch, SUSE Security Advisory, Linux Security Update. . LinuxSecurity.com Team
May 06, 2024
SuSE
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!