Release iText 5.5.13.3

Since the release of iText 5.5.13 the iText 5 product line has transitioned to be in maintenance mode, meaning it only receives security related releases. While iText 5 is now EOL, we want to make sure that our users who have developed their solutions using iText 5 can safely continue using it.

For this particular release, we’ve backported a security bug fix from iText 7.2.0 and 7.1.17 to resolve a vulnerability that allowed the use of GhostScript in an unpredictable manner. See CVE-2021-43113 for more information.

In addition, we have updated the Apache XML Security for Java (org.apache.santuario:xmlsec) dependency to version 1.5.8 from version 1.5.6.

The Bouncy Castle Crypto API for Java has also been updated to version 1.67 due to a flaw in the OpenBSDBCrypt.checkPassword() method present in 1.65 and 1.66. This was disclosed in CVE-2020-28052, see the link for more details.

Note that if you use some of the older Java versions (Java 1.5-1.8) you might need to update the bouncy castle dependency to a different specific distribution. On Maven it's org.bouncycastle.bcprov-jdk15to18.

From https://www.bouncycastle.org/latest_releases.html:

"Further Note (users of Oracle JVM 1.7 or earlier, users of "pre-Java 9" toolkits): As of 1.63 we have started including signed jars for "jdk15to18", if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular "jdk15on" jar files try the "jdk15to18" jars instead." 

An example of an exception which might occur if the “standard" bouncy-castle distribution is used together with older Java versions:
> java.security.NoSuchAlgorithmException: 1.2.840.113549.3.2 KeyGenerator not available

As for iTextSharp, we have also updated the C# Bouncy Castle dependency to 1.8.9 due to a Timing Attack vulnerability present in version 1.8.6.1. For more information, see https://security.snyk.io/vuln/SNYK-DOTNET-BOUNCYCASTLE-1296078