iText 220.127.116.11 is a maintenance release for iText 5. Although iText 5 is now EOL and will not receive any new features, we have released this update so that iText 5 users can incorporate improvements to the digital signing code that checks and verifies signatures with iText.
This is intended to address the security vulnerabilities in digital signatures published earlier this year by researchers from the Ruhr-University Bochum in Germany. To read more about the vulnerabilities and how to avoid them with iText, see the following blog post: https://itextpdf.com/en/blog/technical-notes/avoiding-pdf-digital-signature-vulnerabilities-itext.
Please ensure you update to this maintenance release, or consider upgrading to iText 7 for more comprehensive digital signature security and more features.
We have also addressed a separate vulnerability that uses decompression bombs as an attack vector.
18.104.22.168 Core for Java and for .NET
1 security fix for correct signature validation and 1 security improvement against decompression bombs have been added to iText 5 Core.
[DEV-1964] iText incorrectly validates signatures for doctored PDF files.
[DEV-1989] Avoid resource depletion due to decompression bombs
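As an added example (not code from this release or the iText project), the check an iText 5 user would run on a signed PDF to catch the class of doctored file DEV-1964 targets: a signature that verifies but no longer covers the whole document because content was appended after signing. It uses the iText 5 API with BouncyCastle on the classpath; the class and method names are chosen here.

```java
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.security.PdfPKCS7;

public class SignatureCheck {

    /** Returns one finding per signature field, plus a warning for each signature
     *  whose byte range does not cover the final revision of the file. */
    public static List<String> checkSignatures(String pdfPath) throws Exception {
        // iText 5 parses the CMS/PKCS#7 container with BouncyCastle; register it once.
        Security.addProvider(new BouncyCastleProvider());
        List<String> findings = new ArrayList<String>();
        PdfReader reader = new PdfReader(pdfPath);
        try {
            AcroFields fields = reader.getAcroFields();
            int totalRevisions = fields.getTotalRevisions();
            for (String name : fields.getSignatureNames()) {
                boolean coversWhole = fields.signatureCoversWholeDocument(name);
                int revision = fields.getRevision(name);
                PdfPKCS7 pkcs7 = fields.verifySignature(name);
                // verify() checks the document hash and the signature over it only;
                // certificate chain, trust anchor and revocation are separate steps.
                boolean intact = pkcs7.verify();
                X509Certificate signer = pkcs7.getSigningCertificate();
                findings.add(String.format(
                    "%s: intact=%b, coversWholeDocument=%b, revision %d of %d, signer=%s",
                    name, intact, coversWhole, revision, totalRevisions,
                    signer.getSubjectX500Principal().getName()));
                if (!coversWhole) {
                    // An incremental update was added after signing: the signature can still
                    // be intact while the rendered document differs from what was signed.
                    findings.add(name + ": WARNING, document modified after signing");
                }
            }
        } finally {
            reader.close();
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String line : checkSignatures(args[0])) System.out.println(line);
    }
}
```

A signature reported as intact but not covering the whole document should be treated as unverified until the later revisions have been reviewed.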