Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump itextpdf from 5.5.13 to 5.5.13.3 in /SIHV #4

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 27, 2023

Bumps itextpdf from 5.5.13 to 5.5.13.3.

Release notes

Sourced from itextpdf's releases.

iText 5.5.13.3

Since the release of iText 5.5.13 the iText 5 product line has transitioned to be in maintenance mode, meaning it only receives security related releases. While iText 5 is now EOL, we want to make sure that our users who have developed their solutions using iText 5 can safely continue using it.

For this particular release, we’ve backported a security bug fix from iText 7.2.0 and 7.1.17 to resolve a vulnerability that allowed the use of GhostScript in an unpredictable manner. See CVE-2021-43113 for more information.

In addition, we have updated the Apache XML Security for Java (org.apache.santuario:xmlsec) dependency to version 1.5.8 from version 1.5.6.

The Bouncy Castle Crypto API for Java has also been updated to version 1.67 due to a flaw in the OpenBSDBCrypt.checkPassword() method present in 1.65 and 1.66. This was disclosed in CVE-2020-28052, see the link for more details.

Note that if you use some of the older Java versions (Java 1.5-1.8) you might need to update the bouncy castle dependency to a different specific distribution. On Maven it's org.bouncycastle.bcprov-jdk15to18.

From https://www.bouncycastle.org/latest_releases.html:

"Further Note (users of Oracle JVM 1.7 or earlier, users of "pre-Java 9" toolkits): As of 1.63 we have started including signed jars for "jdk15to18", if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular "jdk15on" jar files try the "jdk15to18" jars instead."

An example of an exception which might occur if the “standard" bouncy-castle distribution is used together with older Java versions:

java.security.NoSuchAlgorithmException: 1.2.840.113549.3.2 KeyGenerator not available.

iText 5.5.13.2

core

  • security update of bouncy castle dependency

iText 5.5.13.1

core

  • security fix for clearer signatures validation
  • security improvement around decompression bombs
Commits
  • 0231a60 [RELEASE] iText 5 - 5.5.13.3
  • 8384f4a [RELEASE] 5.5.14-SNAPSHOT -> 5.5.13.3
  • 349e425 Add missing copyright headers and update copyright year
  • 465f48f Upgrade BouncyCastle to 1.70
  • 5654206 Upgrade BouncyCastle to 1.67
  • ce8bbac Improve input processing for ImageMagick and Ghostscript
  • 88737e7 Update org.apache.santuario:xmlsec version to 1.5.8
  • 02034fd Update junit version to 4.13.2
  • d3cfc80 Remove CONTRIBUTING.md
  • ec4a771 Revert "Update junit version"
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [itextpdf](https://github.com/itext/itextpdf) from 5.5.13 to 5.5.13.3.
- [Release notes](https://github.com/itext/itextpdf/releases)
- [Commits](itext/itextpdf@5.5.13...5.5.13.3)

---
updated-dependencies:
- dependency-name: com.itextpdf:itextpdf
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants