The maintenance of Hibernate projects focuses on the latest series. When a series reaches end-of-life, it is no longer maintained and thus will no longer receive fixes for bugs or even vulnerabilities.
Application developers temporarily unable to upgrade from end-of-life'd versions of Hibernate projects but still requiring fixes for security vulnerabilities should look for commercial, end-of-life support.
Commercial Offerings
Below are commercial offerings that the Hibernate team is familiar with, and which provide end-of-life support for Hibernate projects (among others).
Red Hat JBoss Enterprise Application Platform (JBoss EAP)
Red Hat’s Jakarta EE application server based on WildFly.
The Extended Life Cycle Support subscription generally covers end-of-life’d versions of Hibernate projects.
