Since the release of iText 5.5.13 the iText 5 product line has transitioned to be in maintenance mode, meaning it only receives security related releases. While iText 5 is now EOL, we want to make sure that our users who have developed their solutions using iText 5 can safely continue using it.
For this particular release, we’ve backported a security bug fix from iText 7.2.0 and 7.1.17 to resolve a vulnerability that allowed the use of GhostScript in an unpredictable manner. See CVE-2021-43113 for more information.
In addition, we have updated the Apache XML Security for Java (
org.apache.santuario:xmlsec) dependency to version 1.5.8 from version 1.5.6.
The Bouncy Castle Crypto API for Java has also been updated to version 1.67 due to a flaw in the
OpenBSDBCrypt.checkPassword() method present in 1.65 and 1.66. This was disclosed in CVE-2020-28052, see the link for more details.
Note that if you use some of the older Java versions (Java 1.5-1.8) you might need to update the bouncy castle dependency to a different specific distribution. On Maven it's
"Further Note (users of Oracle JVM 1.7 or earlier, users of "pre-Java 9" toolkits): As of 1.63 we have started including signed jars for "jdk15to18", if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular "jdk15on" jar files try the "jdk15to18" jars instead."
An example of an exception which might occur if the “standard" bouncy-castle distribution is used together with older Java versions:
> java.security.NoSuchAlgorithmException: 1.2.840.113549.3.2 KeyGenerator not available
As for iTextSharp, we have also updated the C# Bouncy Castle dependency to 1.8.9 due to a Timing Attack vulnerability present in version 188.8.131.52. For more information, see https://security.snyk.io/vuln/SNYK-DOTNET-BOUNCYCASTLE-1296078