Releases · itext/itextpdf

iText 5.5.13.4

13 Jun 14:00. This tag was signed with the committer’s verified signature (iText-CI, iText Continuous Integration, GPG key ID: 9C628F391EF60A4C).

Security update of Bouncy Castle dependency to fix CVE-2024-29857.

While in the past we would ask our users to update this transitive dependency themselves, there has been a slight change in the Bouncy Castle API which warranted this release.

iText 5.5.13.3

25 Feb 09:32. This tag was signed with the committer’s verified signature (iText-CI, iText Continuous Integration, GPG key ID: 035FD9539EE015A2).

Since the release of iText 5.5.13, the iText 5 product line has been in maintenance mode, meaning it only receives security-related releases. While iText 5 is now EOL, we want to make sure that our users who have developed their solutions using iText 5 can safely continue using it.

For this particular release, we’ve backported a security bug fix from iText 7.2.0 and 7.1.17 to resolve a vulnerability that allowed the use of GhostScript in an unpredictable manner. See CVE-2021-43113 for more information.

In addition, we have updated the Apache XML Security for Java (org.apache.santuario:xmlsec) dependency to version 1.5.8 from version 1.5.6.

The Bouncy Castle Crypto API for Java has also been updated to version 1.67 due to a flaw in the OpenBSDBCrypt.checkPassword() method present in 1.65 and 1.66. This was disclosed in CVE-2020-28052; see the link for more details.

Note that if you use one of the older Java versions (Java 1.5-1.8), you might need to switch the Bouncy Castle dependency to a different, specific distribution. On Maven it's org.bouncycastle.bcprov-jdk15to18.

"Further Note (users of Oracle JVM 1.7 or earlier, users of "pre-Java 9" toolkits): As of 1.63 we have started including signed jars for "jdk15to18", if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular "jdk15on" jar files try the "jdk15to18" jars instead."

An example of an exception which might occur if the "standard" Bouncy Castle distribution is used together with older Java versions:

java.security.NoSuchAlgorithmException: 1.2.840.113549.3.2 KeyGenerator not available.
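
As an added example (not part of the iText release notes or iText's code), the following Python script audits a list of jar file names against the two Bouncy Castle points above: versions 1.65 and 1.66 affected by CVE-2020-28052, and the "jdk15on" distribution on Java 1.5-1.8. The function names, the sample file list, and the assumption that jars keep their standard `<module>-<distribution>-<version>.jar` names are assumptions of this example; renamed or shaded jars will not be detected.

```python
import re

# Facts taken from the release notes above.
BCRYPT_FLAW_VERSIONS = {"1.65", "1.66"}  # CVE-2020-28052, OpenBSDBCrypt.checkPassword()
FIXED_VERSION = "1.67"

# Assumed jar naming: <module>-<distribution>-<version>.jar
JAR_RE = re.compile(r"^(bc[a-z]+)-(jdk[0-9a-z]+)-(\d+(?:\.\d+)*)\.jar$")


def legacy_java(java_version):
    """True for the Java 1.5-1.8 range the notes call out (e.g. '1.8.0_292')."""
    parts = java_version.split(".")
    return (parts[0] == "1" and len(parts) > 1
            and parts[1].isdigit() and 5 <= int(parts[1]) <= 8)


def audit(jar_names, java_version):
    """Return (jar, finding) tuples for Bouncy Castle jars that need attention."""
    findings = []
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not a Bouncy Castle jar
        module, dist, version = m.groups()
        if version in BCRYPT_FLAW_VERSIONS:
            findings.append((name, "CVE-2020-28052: upgrade to " + FIXED_VERSION))
        if dist == "jdk15on" and legacy_java(java_version):
            findings.append((name, "use the " + module + "-jdk15to18 distribution on this JVM"))
    return findings


# Constructed sample input (not from a real deployment).
SAMPLE_LIB_DIR = [
    "itextpdf-5.5.13.3.jar",
    "bcprov-jdk15on-1.66.jar",
    "bcpkix-jdk15on-1.67.jar",
    "bcprov-jdk15to18-1.67.jar",
]

if __name__ == "__main__":
    for jar, finding in audit(SAMPLE_LIB_DIR, "1.8.0_292"):
        print(jar + ": " + finding)
```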