From 88737e7182ee6829084f53e233145f8616b2e7ee Mon Sep 17 00:00:00 2001 From: Kate Ivanova Date: Wed, 20 Oct 2021 16:22:09 +0300 Subject: [PATCH] Update org.apache.santuario:xmlsec version to 1.5.8 DEV-2009 --- README.md | 15 ++++++++++++++- itext/pom.xml | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5095e84ef..fa7719f2d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,18 @@ ### **PLEASE NOTE: iText 5 is EOL, and has been replaced by [iText 7][itext7]. Only security fixes will be added** - + +### Known Security Issues + +#### org.apache.santuario:xmlsec vulnerabilities +The iText 5 targets Java 5 which means that we can not update `org.apache.santuario:xmlsec` version to 2.x.x or newer as +it requires Java 8. If you are not using the com.itextpdf.text.pdf.security.MakeXmlSignature class then you can avoid +adding `org.apache.santuario:xmlsec` dependency into your project. Which means that you would not be affected by +the related vulnerabilities, for example https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-1655558. If you are using +com.itextpdf.text.pdf.security.MakeXmlSignature class, for example for XFA signatures, then you can: +- either use `org.apache.santuario:xmlsec` 1.5.8 as a dependency which is affected by the vulnerability specified above, + but works on Java 5+; +- or use `org.apache.santuario:xmlsec` 2.1.7 or newer. But this would require java 8+ and affects on the output format +(see https://issues.apache.org/jira/browse/SANTUARIO-494). + We HIGHLY recommend customers use iText 7 for new projects, and to consider moving existing projects from iText 5 to iText 7 to benefit from the many improvements such as: - HTML to PDF (PDF/UA) conversion diff --git a/itext/pom.xml b/itext/pom.xml index b95d3e910..daeefeee5 100644 --- a/itext/pom.xml +++ b/itext/pom.xml @@ -93,7 +93,7 @@ org.apache.santuario xmlsec - 1.5.6 + 1.5.8 true
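Review bot: the new "Known Security Issues" section in the README hunk should state plainly that the version shipped in this same change (1.5.8) does not fix the cited advisory; as written, a reader has to infer that from the first bullet ("which is affected by the vulnerability specified above, but works on Java 5+"). Suggest opening the section with one sentence such as "iText 5 ships `org.apache.santuario:xmlsec` 1.5.8, which is still affected by https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-1655558; see the options below." The prose also needs tidying before it lands in a user-facing README: "The iText 5 targets Java 5 which means that we can not update" reads better as "iText 5 targets Java 5, which means we cannot update"; "Which means that you would not be affected" is a sentence fragment and should be joined to the preceding sentence; "affects on the output format" should be "affects the output format"; and "java 8+" should be capitalised as "Java 8+" to match the rest of the paragraph. Finally, `com.itextpdf.text.pdf.security.MakeXmlSignature` appears twice without code formatting while the artifact coordinates are in backticks; formatting the class name the same way makes it obvious to readers scanning for whether their own code references it.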
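Review bot: the pom hunk bumps `xmlsec` from 1.5.6 to 1.5.8, but nothing in the commit message says why this particular version was chosen or what it does and does not address, and the README text in the same patch says 1.5.8 is still affected by the referenced Snyk advisory. Suggest the commit message (or a comment next to the `<version>` element) record that 1.5.8 is the last line compatible with the Java 5 target and that it is a partial update rather than a fix for SNYK-JAVA-ORGAPACHESANTUARIO-1655558, so that a later dependency audit does not mistake the bump for remediation. It would also be worth confirming in the PR description that 1.5.8 was actually built and tested against the Java 5 target the README claims it supports, since that compatibility claim is the whole justification for not moving to 2.1.7.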