XDocReport means XML Document reporting. It's a Java API to merge XML documents created with MS Office (docx), OpenOffice (odt) or LibreOffice (odt) with a Java model to generate a report and, if needed, convert it to another format (PDF, XHTML...).
Security update of Bouncy Castle dependency to fix CVE-2024-29857.
While in the past we would ask our users to update this transitive dependency themselves, there has been a slight change in the Bouncy Castle API which warranted this release.
iText 5.5.13.3
Since the release of iText 5.5.13 the iText 5 product line has transitioned to be in maintenance mode, meaning it only receives security related releases. While iText 5 is now EOL, we want to make sure that our users who have developed their solutions using iText 5 can safely continue using it.
For this particular release, we’ve backported a security bug fix from iText 7.2.0 and 7.1.17 to resolve a vulnerability that allowed the use of GhostScript in an unpredictable manner. See CVE-2021-43113 for more information.
In addition, we have updated the Apache XML Security for Java (org.apache.santuario:xmlsec) dependency to version 1.5.8 from version 1.5.6.
The Bouncy Castle Crypto API for Java has also been updated to version 1.67 due to a flaw in the OpenBSDBCrypt.checkPassword() method present in 1.65 and 1.66. This was disclosed in CVE-2020-28052, see the link for more details.
Note that if you use some of the older Java versions (Java 1.5-1.8) you might need to update the bouncy castle dependency to a different specific distribution. On Maven it's org.bouncycastle.bcprov-jdk15to18.
"Further Note (users of Oracle JVM 1.7 or earlier, users of "pre-Java 9" toolkits): As of 1.63 we have started including signed jars for "jdk15to18", if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular "jdk15on" jar files try the "jdk15to18" jars instead."
An example of an exception which might occur if the "standard" bouncy-castle distribution is used together with older Java versions:
java.security.NoSuchAlgorithmException: 1.2.840.113549.3.2 KeyGenerator not available.
iText 5.5.13.2
core
- security update of bouncy castle dependency
iText 5.5.13.1
core
- security fix for clearer signatures validation
- security improvement around decompression bombs
iText 5.5.13
iText 5.5.13 is a maintenance release that rolls up 4 bugfixes for iText 5 Core from the past 5 months:
As of this release XFA Worker is no longer supported on .NET 2.0 - instead you need to use .NET 4.0.
Support has been added for License Key Library 3.0.1. Users on License Key Library 1.0.x should migrate to 3.0.1.
3 bugfixes for iText 5 Core 5.5.13.
1 bugfix for XFA Worker 5.5.13 (commercial add-on, not on GitHub).
Please be informed that at the same time we release pdfXFA 1.0.3, an add-on for iText 7. All bugfixes for XFA Worker 5.5.13 were ported to pdfXFA 1.0.3.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps com.itextpdf:itext-pdfa from 5.5.7 to 5.5.13.4.
Release notes
Sourced from com.itextpdf:itext-pdfa's releases.
... (truncated)
Commits
- `aabad9a` [RELEASE] iText 5 - 5.5.13.4
- `e8a0a1f` [RELEASE] iText 5.5.13.4
- `8e80984` Bump bouncycastle version to the latest to fix vulnerabilities
- `fb12ce1` Fix DefaultSplitCharacter.isSplitCharacter performance issue
- `93997e9` Switch to java8 for xtra module together with updating to earliest stable ver...
- `5ba1ff4` Upgrade all dependencies to org.bouncycastle:bcprov-jdk15to18 from 1.70 to 1.71
- `799b5ff` Upgrade upgrade org.bouncycastle:bcprov-jdk15to18 from 1.70 to 1.71
- `cf48281` [RELEASE] Merge master into develop
- `0231a60` [RELEASE] iText 5 - 5.5.13.3
- `8384f4a` [RELEASE] 5.5.14-SNAPSHOT -> 5.5.13.3