Since the release of iText 5.5.13 the iText 5 product line has transitioned to be in maintenance mode, meaning it only receives security related releases and bug fixes. While iText 5 is now EOL, we want to make sure that our users who have developed their solutions using iText 5 can safely continue using it.
For this particular release, we have updated bouncycastle, so that in case you use it elsewhere in your project, you will be using the most up to date version.
Note that if you use some of the older Java versions (Java 1.5-1.8) you might need to update the bouncy castle dependency to a different specific distribution. On Maven it's
org.bouncycastle.bcprov-jdk15to18. From https://www.bouncycastle.org/latest_releases.html:
"Further Note (users of Oracle JVM 1.7 or earlier, users of "pre-Java 9" toolkits): As of 1.63 we have started including signed jars for "jdk15to18", if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular "jdk15on" jar files try the "jdk15to18" jars instead."
An example of an exception which might occur if the"standard" bouncy-castle distribution is used together with older Java versions:
> java.security.NoSuchAlgorithmException: 1.2.840.113549.3.2 KeyGenerator not available
We have also double-checked if iText 5 was vulnerable to the PDF Shadow Attacks recently reported, and we are happy to report it is not vulnerable.