Security Patch 5.3.2


Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

  • 5.2 → 5.2.1
  • 5.3.0 / 5.3.1 → 5.3.2

Use of older versions is discouraged.

XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validation against different kinds of attack: XML Signature Wrapping (XSW), XPath injection, Server Side Request Forgery (SSRF) and XML External Entities (XXE).

While upgrading, be sure that your integration:

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases upgrade the PDFBox dependency to a version that patches its vulnerabilities.

Issues

  • [DSS-1489] - XAdES : remove Xalan dependency
  • [DSS-1508] - PAdES : Upgrade PDFBox
  • [DSS-1509] - XAdES : enforce validation against XSW
  • [DSS-1510] - XAdES : enforce XML Security against XXE
  • [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
  • [DSS-1512] - CommonDataLoader : enforce SSL certificates validation
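To make the XAdES items above concrete, here is an added example (not DSS code, not taken from this release) of the three checks a validator applies to a ds:Reference before trusting it: an XXE-hardened JAXP parser (DSS-1510), a reference URI policy that accepts only whole-document and same-document fragment references so no external fetch or XPointer expression is evaluated (DSS-1511), and a duplicate-Id check so a wrapped copy of the signed element cannot be swapped in (DSS-1509). The class name, the accepted-URI policy and the sample document are assumptions made for this example; DSS's own validation code is more extensive.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example (hypothetical class, not part of DSS): XXE, SSRF/XPath and XSW checks on ds:Reference. */
public class XmlDsigHardening {

    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** XXE mitigation: namespace-aware parser with DTDs, external entities and XInclude disabled. */
    public static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /**
     * Reference URI policy (SSRF / XPath injection mitigation, assumed policy for this example):
     * only "" (whole document) or "#id" with a plain XML name is accepted. URIs with a scheme
     * or path would trigger a network or file fetch; "#xpointer(...)" would be evaluated as XPath.
     */
    public static boolean isSameDocumentUri(String uri) {
        if (uri == null) return false;
        if (uri.isEmpty()) return true;
        if (!uri.startsWith("#")) return false;
        String fragment = uri.substring(1);
        return fragment.matches("[A-Za-z_][A-Za-z0-9._-]*");
    }

    /** XSW mitigation: count elements carrying the referenced Id; a sound reference resolves to exactly one. */
    public static int countElementsWithId(Document doc, String id) {
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        int count = 0;
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            for (String attr : new String[] {"Id", "ID", "id"}) {
                if (e.hasAttribute(attr) && id.equals(e.getAttribute(attr))) {
                    count++;
                    break;
                }
            }
        }
        return count;
    }

    /** Runs both checks over every ds:Reference and returns the reasons for rejection (empty list = accepted). */
    public static List<String> validateReferences(Document doc) {
        List<String> problems = new ArrayList<>();
        NodeList refs = doc.getElementsByTagNameNS(DSIG_NS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (!isSameDocumentUri(uri)) {
                problems.add("non-local reference rejected: " + uri);
                continue;
            }
            if (!uri.isEmpty()) {
                int n = countElementsWithId(doc, uri.substring(1));
                if (n != 1) {
                    problems.add("reference " + uri + " resolves to " + n + " elements, expected exactly 1");
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one external reference, one duplicated Id, one sound reference.
        String xml = "<root xmlns:ds=\"" + DSIG_NS + "\">"
                + "<data Id=\"d1\">original</data><data Id=\"d1\">wrapped copy</data><data Id=\"d2\">fine</data>"
                + "<ds:Signature><ds:SignedInfo>"
                + "<ds:Reference URI=\"http://internal.example/meta\"/>"
                + "<ds:Reference URI=\"#d1\"/>"
                + "<ds:Reference URI=\"#d2\"/>"
                + "</ds:SignedInfo></ds:Signature></root>";
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        for (String p : validateReferences(doc)) {
            System.out.println("REJECT: " + p);
        }
    }
}
```

With the sample above, the external URI and the duplicated #d1 are reported and only #d2 passes; a document with a DOCTYPE is refused at parse time by the hardened builder before any reference is examined. The feature URIs are those of the JDK's built-in Xerces parser, which is another reason the page's advice to drop separate Xalan/XercesImpl dependencies matters: an older bundled parser may silently ignore them.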
