Release Notes - eSignature DSS - Version 5.7

Bug

• [DSS-1900] - Unable to init SunPKCS11 with Java 9+
• [DSS-2090] - PAdES visual signature always has whitespace above text
• [DSS-2106] - Demo WebApp 5.7.RC1 fixes
• [DSS-2118] - ASiC containers generation not working
• [DSS-2148] - OfflineRevocationSource : use RevocationTokenRefMatcher for references and identifiers comparision
• [DSS-2149] - Extending LTA signatures adds unnecessary revocation info objects
• [DSS-2150] - Incorrect ats-hash-index-v3 creation extending a signature with two archive time-stamps
• [DSS-2156] - X.509 Validation Constraints shall return INDETERMINATE/CHAIN_CONSTRAINTS_FAILURE
• [DSS-2160] - DSS includes manifest entries in the scope when detached documents are not provided

Improvement

• [DSS-2101] - DSS-Demo - TL flags vs country codes
• [DSS-2121] - Add a constructor to OnlineOCSPSource that receives a DataLoader
• [DSS-2123] - OCSPCertificateSource : add a method to retrieve the signing certificate(s) based on the ResponderId

Release Notes - eSignature DSS - Version 5.7.RC1

Bug / Issue

• [DSS-1616] - XAdES Signature validation systematically result in HASH_FAILURE because of TransformerException in digest calcul.
• [DSS-1918] - Validator does not recognize OpenDocument files created with LibreOffice 6.3
• [DSS-1943] - Not consistent revocation data is not skipped in ValidationContext
• [DSS-1955] - UnsupportedOperationException in getSignerRoles
• [DSS-1956] - ClassCastException in DSSASN1Utils.getCertificatesHashIndex
• [DSS-1957] - IllegalArgumentException in DSSASN1Utils.getTimeStampToken
• [DSS-1958] - Infinite loop on CRL streaming
• [DSS-1960] - DSS Demonstration displays TL as EXPIRED
• [DSS-1962] - Signature of owner password-protected PDF is invalid
• [DSS-1972] - Error validating PAdES with multiple document time-stamps
• [DSS-1977] - NULL character break the diagnostic data generation
• [DSS-1978] - Uncatched exception in case of wrong date format
• [DSS-1980] - Error extending to LT/LTA CAdES detached signatures with content time-stamp
• [DSS-1981] - DSS demonstration webapp: wrong label
• [DSS-1983] - Incorrect POE reference for ValidationDataObject of type signedData in PAdES LTA
• [DSS-1984] - Incorrect POE reference for ValidationDataObject of type signedData in ASiC-E and ASiC-S LTA with CAdES
• [DSS-1986] - Empty SignatureProductionPlaceV2 element in XAdES signatures created with the standalone application
• [DSS-1987] - MIssing POE reference in BestSignatureTime validating signatures with an AllDataObjectTimestamp
• [DSS-1988] - Possible POE incoherence in validation report of some T/LT SHA1 signatures
• [DSS-1997] - Validation fails if X509Certificate cannot be generated from the provided binaries
• [DSS-2006] - Wrong positioning of visual signature with pdf rotated document
• [DSS-2007] - Undeterministic validation behaviour in 5.6
• [DSS-2018] - Avoid to raise an exception in case of non-conformant mime-type
• [DSS-2021] - XAdES: SignatureScope in Diagnostic contains provided wrong files
• [DSS-2023] - Uncatched exception "key too small for specified hash and salt lengths"
• [DSS-2033] - XAdES : incorrect canonicalization usage
• [DSS-2038] - Improve CA/QC trust service consistency check
• [DSS-2039] - DSSException: Unable to convert X509CRL to X509CRLHolder on CAdES sign
• [DSS-2048] - Error "Missing Basic Building Blocks" with validation level "Basic Signatures" and T/LT/LTA signature
• [DSS-2043] - Revocation Information usage in signature validation
• [DSS-2045] - SoapDocumentValidationService not fully working after Tomcat restart
• [DSS-2049] - TL validity does not impact on signature qualification level
• [DSS-2057] - XAdES: Default canonicalization algorithm
• [DSS-2059] - LTA-extension using DSS 5.5 of a CAdES signature extended using ATSv2 does not include certificate and revocation values
• [DSS-2060] - CAdES : validation data is not added on old signature extension
• [DSS-2061] - CAdES : missing validation data on LTA signature extension
• [DSS-2070] - OUT_OF_BOUNDS_NOT_REVOKED from the "Validation process for Signatures with Time and Signatures with Long-Term Validation Material"

Improvement / New feature

• [DSS-1646] - Unable to sign large files
• [DSS-1852] - include signature expiry date in validation output
• [DSS-1854] - Add support for Ed25519 signatures
• [DSS-1872] - OpenPDF update
• [DSS-1935] - Add extracted certificates / revocation data / refs in the DiagnosticData for timestamp tokens
• [DSS-1953] - Improve PDF reports
• [DSS-1954] - Demo : add a warning in case of unsupported SubtleCrypto
• [DSS-1961] - Visual representation of a signature history
• [DSS-1969] - Confusing message in the validation report
• [DSS-1976] - Revocation tokens must embed certificate sources
• [DSS-1979] - CommitmentType refactoring
• [DSS-1995] - Support of ETSI TS 119 495
• [DSS-1996] - Review Alert/Detection/Handler
• [DSS-1998] - Upgrade OpenPdf
• [DSS-1999] - URL qwac validator
• [DSS-2000] - Refactoring CMS/CAdES/PAdES certificate sources
• [DSS-2002] - Display name of attributes and not only OIDs
• [DSS-2003] - Collect all revocation data from offline sources
• [DSS-2004] - Use PdfBox classes to calculate text size in Native PdfBox Drawer
• [DSS-2008] - Add check for unicity of the SigningCertificate attribute
• [DSS-2009] - Check the coverage in TimestampCoherenceOrderCheck
• [DSS-2010] - XAdES: AttrAuthoritiesCertValues must be added to timestamped references
• [DSS-2014] - CertificateSource review
• [DSS-2019] - Wrong condition in DSS cookbook example CreateKeyStoreApp.jav...

Release Notes - eSignature DSS - Version 5.6

Bug

• [DSS-1955] - UnsupportedOperationException in getSignerRoles
• [DSS-1956] - ClassCastException in DSSASN1Utils.getCertificatesHashIndex
• [DSS-1957] - IllegalArgumentException in DSSASN1Utils.getTimeStampToken
• [DSS-1958] - Infinite loop on CRL streaming
• [DSS-1960] - DSS Demonstration displays TL as EXPIRED
• [DSS-1977] - NULL character break the diagnostic data generation
• [DSS-1978] - Uncatched exception in case of wrong date format
• [DSS-1980] - Error extending to LT/LTA CAdES detached signatures with content time-stamp
• [DSS-1981] - DSS demonstration webapp: wrong label
• [DSS-1986] - Empty SignatureProductionPlaceV2 element in XAdES signatures created with the standalone application
• [DSS-1987] - MIssing POE reference in BestSignatureTime validating signatures with an AllDataObjectTimestamp
• [DSS-1988] - Possible POE incoherence in validation report of some T/LT SHA1 signatures

Task

• [DSS-1992] - Upgrade jackson dependencies

Improvement

• [DSS-1954] - Demo : add a warning in case of unsupported SubtleCrypto
• [DSS-1969] - Confusing message in the validation report

Release Notes - eSignature DSS - Version 5.6.RC1

The main points for this release are :

• Complete rewriting of the TL/LOTL loading with :
  • online / offline refresh
  • 3 caches (download / parse / validate)
  • multiple LOTL support
  • multiple TL support (not linked to a LOTL)
  • Pivot LOTL support
  • Synchronization strategy (eg : expired TL/LOTL are rejected/accepted)
  • multi-lingual support (trust service matching)
  • alerting (eg : LOTL/OJ location desynchronization,...)
  • complete reporting (summary of download / parsing / validation)
• Independant timestamp creation and validation (not linked to a signature, with ASiC and PDF)
• Timestamp qualification
• Internationalization of the validation reports
• Multiple Trusted Sources support
• XAdES support of different prefixes / versions

Release Notes - eSignature DSS - Version 5.6.RC1

Bug

• [DSS-1140] - XAdES build break too easily in apply transformations (+XSLT)
• [DSS-1531] - XAdES 1.2.2 extension
• [DSS-1568] - PDFObjFactory.setInstance does not properly restore default behaviour
• [DSS-1612] - Missing signer for LOTL results in TOTAL_PASSED certificate validation
• [DSS-1674] - Trusted certificate and trust service matches
• [DSS-1684] - No DataLoader defined to load Certificates from AIA extension
• [DSS-1754] - Invalid signature on LOTL does not prevent DSS from using corresponding trust anchors in validation process
• [DSS-1755] - After TSLValidationJob.refresh the new state is not always used
• [DSS-1756] - Incorrect signing algorithm in diagnostic time stamp basic signature
• [DSS-1765] - XAdES level T with a self-signed certificate ends with an error in 5.5.RC1
• [DSS-1767] - JdbcRevocationSource - drop table not working
• [DSS-1768] - PLAIN-ECDSA Cryptographic check fails...
• [DSS-1770] - Enveloped XaDES scope validation issue
• [DSS-1788] - XAdES: PublicKey only validation is not handled correctly
• [DSS-1789] - Cannot sign DocumentDigest with CAdES Baseline LT ou LTA
• [DSS-1791] - Handling of unknown key sizes (algorithm expiration date not found)
• [DSS-1792] - ASiC validator doesn't consider files within /META-INF as signed data objects
• [DSS-1794] - Embedded CRL's in PDF not found by DSS Validator.
• [DSS-1809] - ASiC-E with CAdES : Validation of archive manifest files
• [DSS-1801] - ETSI VR misspelled SignatureValidationProcessID URI
• [DSS-1802] - ETSI VR RevocationValues for CAdES Signatures
• [DSS-1803] - Standalone demostration app error configuring mock TSA keystore
• [DSS-1804] - Rootfile attribute missing when a new ASiCArchiveManifest is added to ASIC-E with CAdES container
• [DSS-1805] - ASiC-E: Adding the revocation data for a previous ArchiveTimeStamp modifies the CAdES signature file
• [DSS-1806] - Wrong information added to XAdES TimeStampValidationData
• [DSS-1807] - ETSI VR Certificate Chain - Intermediate certificate
• [DSS-1811] - XAdES : incorrect digest algorithm used for detached references (DigestDocument)
• [DSS-1838] - NullPointerException when trying to sign a DETACHED CAdES pkcs7 signature file with DETACHED CAdES
• [DSS-1842] - Issue with validation with external certificate submission
• [DSS-1867] - Removed empty-check for policyDigestMethodString in XAdESSignature breaks validation of XAdES Signatures
• [DSS-1869] - Bad URI encoding in ASiCManifest.xml in CAdES signature containers
• [DSS-1881] - WebServices : unable to create a RSASSA-PSS signature
• [DSS-1886] - NullPointerException during XAdES verification
• [DSS-1888] - PdfBoxSignatureService logs personal data
• [DSS-1889] - CommonsDataLoader does not allow loading SSL truststores from the classpath
• [DSS-1892] - Verifying multiple Counter Signatures
• [DSS-1896] - Validator skips online requested OCSPs on VTS process
• [DSS-1912] - Method getTimestampList returns timestamp without signing certificate (while using getTimestampIdsList does not)
• [DSS-1920] - Certificates in CertificateValues should be considered as candidates for signing certificates
• [DSS-1931] - New default OCSP certID hashalg SHA-256 leads to problems with PKIs
• [DSS-1932] - Revocation consistency check fails if certificate and CRL were generated at the same second
• [DSS-1936] - Validating signature generated with 2047 RSA key fails
• [DSS-1937] - Failed validation of XAdES signatures with more than one XML Element with ID=""
• [DSS-1942] - JdbcRevocationSource : unable to store a CRL with particular signature algorithms

New Feature / Improvement

• [DSS-1309] - Validate against custom XSD
• [DSS-1414] - Ability to locally specify an PdfObjFactory instance
• [DSS-1494] - Improve OpenDocument support
• [DSS-1525] - The parameter signatureName in PAdESSignatureParameters
• [DSS-1595] - Support for Pivot in cache
• [DSS-1631] - Provide OpenAPI v3 spec for REST API
• [DSS-1727] - Add webService for TimeStamp creation
• [DSS-1746] - Parameterizable xades version in XAdESSignatureBuilder
• [DSS-1750] - XAdES : review XPath expression generation
• [DSS-1751] - XAdES : customizable prefixes
• [

Release Notes - eSignature DSS - Version 5.5

Bug

• [DSS-1756] - Incorrect signing algorithm in diagnostic time stamp basic signature
• [DSS-1765] - XAdES level T with a self-signed certificate ends with an error in 5.5.RC1
• [DSS-1766] - PAdES : possibility to deleguate the CMS creation
• [DSS-1767] - JdbcRevocationSource - drop table not working
• [DSS-1768] - PLAIN-ECDSA Cryptographic check fails...
• [DSS-1770] - Enveloped XaDES scope validation issue
• [DSS-1788] - XAdES: PublicKey only validation is not handled correctly
• [DSS-1789] - Cannot sign DocumentDigest with CAdES Baseline LT ou LTA
• [DSS-1791] - Handling of unknown key sizes (algorithm expiration date not found)
• [DSS-1801] - ETSI VR misspelled SignatureValidationProcessID URI
• [DSS-1803] - Standalone demostration app error configuring mock TSA keystore
• [DSS-1804] - Rootfile attribute missing when a new ASiCArchiveManifest is added to ASIC-E with CAdES container
• [DSS-1805] - ASiC-E: Adding the revocation data for a previous ArchiveTimeStamp modifies the CAdES signature file
• [DSS-1807] - ETSI VR Certificate Chain - Intermediate certificate
• [DSS-1811] - XAdES : incorrect digest algorithm used for detached references (DigestDocument)

Release Notes - eSignature DSS - Version 5.5.RC1

Bug

• [DSS-1223] - Augmentation of ASiC-E CAdES with long term availability
• [DSS-1272] - Adding a sencond archive timestamp to LTA signatures does not add the validaton material for validating the first archive timesatmp
• [DSS-1273] - Revocation information of archive time-stamp when a new archive time-stamp is added to an ASiC-E container
• [DSS-1344] - A CAdES signature validated by DSS as incomplete is reported as valid after extension using DSS
• [DSS-1421] - Archive time-stamp NO_SIGNING_CERTIFICATE_FOUND error in ASIC-E with CAdES
• [DSS-1461] - CRL signature verification not handled properly
• [DSS-1469] - CAdES archive timestamp is reported as broken after extension using DSS
• [DSS-1538] - Cannot analyze signatures Exception Error
• [DSS-1541] - TOTAL_PASSED although CRYPTO_CONSTRAINTS_FAILURE
• [DSS-1543] - Exception when signing a PDF's existing signature field using LTA level.
• [DSS-1546] - KeyStore entry instance type should be checked before casting
• [DSS-1551] - DSS indicates that the certificate is not qualified, but I do not see any TLS overrules in the report
• [DSS-1565] - Certificate Chain Validation
• [DSS-1583] - CommonsDataLoader with LDAP URLs...
• [DSS-1585] - Some IDs in XAdES signatures are not unique
• [DSS-1586] - BER encoding used on timestamps instead of DER
• [DSS-1601] - The AbstractPdfSignatureService implementations are package-private
• [DSS-1602] - Certificate's digest algorithm not properly recognized. Signatures rejected with CRYPTO_CONSTRAINTS_FAILURE.
• [DSS-1610] - Document with LTA level signature is not valid (NO_POE) anymore after signature certificate expiration.
• [DSS-1617] - NullPointerException in RepositoryRevocationSource
• [DSS-1619] - ATSv2 Message imprint mismatch when signeddata has 2 signerinfos
• [DSS-1627] - Pdf content in PdfBoxSignatureService log
• [DSS-1628] - Insecure RNG used
• [DSS-1630] - CertificatePool : certificate conflict by SubjectName
• [DSS-1632] - DetailedReport schema not matching actual reports
• [DSS-1635] - XAdES signature is no longer considered valid after the first of the two archive timestamps expired
• [DSS-1636] - Exception when trying to validate DETACHED XAdES with contentTimestamp when not providing the original documents
• [DSS-1639] - ZIP bombing
• [DSS-1651] - Validation of containers which have no mimetype
• [DSS-1656] - No null check for XmlXCV leads to NullPointerException when signature was altered
• [DSS-1661] - NullPointerException in ReferenceDataExistenceCheck and ReferenceDataIntactCheck if XmlDigestMatcher has null type
• [DSS-1663] - Fix for DSS-1630 costs 30% performance
• [DSS-1666] - Invalid WSDL for Validation service
• [DSS-1669] - CRL signature validation with ECDSA fails
• [DSS-1670] - CAdES signature is no longer considered valid after the first of two ATSv2 archive timestamps expired
• [DSS-1671] - Add an empty SignatureField to a PDF document Before signing using DSS
• [DSS-1679] - CHAIN_CONSTRAINTS_FAILURE leads to TOTAL_FAILED. Shouldn't it be INDETERMINATE ?
• [DSS-1686] - XAdES signature is no longer considered QESig after the first of the two archive timestamps expired
• [DSS-1690] - Unstable validation result for a PAdES signature with two document timestamps
• [DSS-1693] - Extension of XAdES-LTA signature copies old instead of embedding current revocation data
• [DSS-1694] - Detailed report shows OUT_OF_BOUNDS_NO_POE for earlier timestamps even when properly covered by a valid archive timestamp
• [DSS-1696] - Extension of PAdES signatures removes the earlier CRL and certificate references (when there are duplicates)
• [DSS-1709] - ASiC validators do not report when they could not parse the provided file
• [DSS-1715] - eSig DSS 5.4.1 vulnerable to pdf-insecurity.org Signature Wrapping Attack
• [DSS-1716] - SignatureImageAndPositionProcessor does not take zoom into account
• [DSS-1717] - Revocation data freshness constraint checking not enforced
• [DSS-1719] - CAdES: Improve Id generation
• [DSS-1725] - Issue to validate the DK TL
• [DSS-1729] - CAdES LTA with ASiC_E container fails validation if signature and archive timestamp servers are different
• [DSS-1731] - OCSP validation issue
• [DSS-1740] - AlgoExpirationDate of ECDSA192 inconsistent in default policy

Improvement

• [DSS-1157] - AdvancedSignature with added info lost in reports
• [DSS-1264] - Improve cryptographic constraint
• [DSS-1388] - DSS is Adding Signature Tags Same Line at XAdES
• [DSS-1392] - OCSP - cache implementantion
• [DSS-1433] - Support text in PDF visible signatures
• [DSS-1445] - Demo : allows to replay a diagnostic-data
• [DSS-1548] - Needed more options to generate XAdES signatures. More parameters in XAdESSignatureBuilder?
• [DSS-1554] - ...

eSignature DSS - Version 5.4

Release Notes - eSignature DSS - Version 5.4

Bug

• [DSS-1549] - Certificate wrapper incorrect isRevoked implementation
• [DSS-1563] - The original document remains locked after signing
• [DSS-1564] - Wrong detection of missing revocation data

Release Notes - eSignature DSS - Version 5.4.RC1

Bug / Issue

• [DSS-1161] - Scope validation of a PAdES signature
• [DSS-1225] - Incomplete LT and LTA signatures if a Trusted List is not properly loaded
• [DSS-1255] - PDF signatures without revocation info
• [DSS-1342] - ConcurrentModificationException on DSS 5.0
• [DSS-1413] - Unable to put a role inside PAdES signature
• [DSS-1419] - SHA3 support in CAdES
• [DSS-1420] - SHA3 support in PAdES
• [DSS-1431] - TSLRepository#clearRepository() fails if the cache directory doesn't exist
• [DSS-1432] - TSL service name is not historized
• [DSS-1439] - Signature level -LT is produced with a -T setting (and a self-signed certificate)
• [DSS-1443] - DSS 5.3 reports only B level for PDF documents with a document timestamp
• [DSS-1444] - PDFDocumentValidator does not report when it could not parse the provided PDF
• [DSS-1447] - CommonCertificateVerifier.setSignatureCRLSource/setSignatureOCSPSource seem to be used in a non-thread-safe way in DSS demo application
• [DSS-1449] - Validation Certificate
• [DSS-1450] - NPE in CommonCertificateSource.get(final X500Principal x500Principal)
• [DSS-1453] - Validation or extension of a signature can influence the validation result of another signature
• [DSS-1468] - Broken signatures created due to DSS-1334 as attached signatures validate fine if an original document with null file name is provided as detached content
• [DSS-1475] - Bad URI encoding in XAdES detached signatures (e.g. ASiC-E with XAdES)
• [DSS-1482] - Problem fetching TSL for PT, parser error: Cannot add overlapping item
• [DSS-1483] - Certificate is ignored in KeyStoreCertificateSource if it is part of the private key entry (certificate chain)
• [DSS-1485] - XAdES Reference incorrect - ID is not resolved correctly for namespace prefixed id attribute
• [DSS-1496] - Include intermediate certificates that issued timestamp certificates
• [DSS-1503] - XADES - non-conformant hash algo for SignignCertificateV2
• [DSS-1505] - Validation proof chain gap after LTA extension using DSS
• [DSS-1508] - PAdES : Upgrade PDFBox
• [DSS-1509] - XAdES : enforce validation against XSW
• [DSS-1510] - XAdES : enforce XML Security against XXE
• [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
• [DSS-1512] - CommonDataLoader : enforce SSL certificates validation
• [DSS-1515] - DssUtils wrongly replaces plus character with space
• [DSS-1523] - Extension of PAdES signatures creates copies of already existing validation data objects instead of referencing them
• [DSS-1524] - Could not find a resolver for URI null and Base
• [DSS-1537] - Signature format is always XAdES-BASELINE-T for XAdES-LT/LTA signed files in detailed report
• [DSS-1543] - Exception when signing a PDF's existing signature field using LTA level.

New Feature / Improvement

• [DSS-1220] - Augmentation of signatures with invalid time-stamps, archive-time-stamps and revoked certificates
• [DSS-1312] - Upgrade to Java 8 or 9
• [DSS-1389] - Certify documents
• [DSS-1405] - Add support of KeyHash in OCSP Responses
• [DSS-1406] - OCSP - handling of the id-commonpki-at-certHash extension
• [DSS-1407] - The CAdESCertificateSource class misinterprets the "complete-certificate-references" unsigned attribute
• [DSS-1415] - Implementation improvement for POJO/jaxb objects
• [DSS-1418] - Support of bridge certificates
• [DSS-1428] - Add new parameter to choose the message-digest algorithm
• [DSS-1436] - Provide getters methods on the TSL Condition subtypes
• [DSS-1440] - Improve validation granularity
• [DSS-1454] - DSS should avoid console (System.out) logging
• [DSS-1460] - XAdES internally-detached
• [DSS-1473] - Libreoffice Default XAdES Signature Validation
• [DSS-1474] - Improve OnlineOCSPSource : allows to loop on several locations
• [DSS-1477] - Refactoring CertificateToken
• [DSS-1478] - Refactoring CertificatePool
• [DSS-1479] - Allows to throw exception in case of extension failure
• [DSS-1480] - Integration OpenPDF
• [DSS-1487] - Review signature scopes + add constraints in the policy
• [DSS-1488] - Standalone application : allow to open the scene with SceneBuilder
• [DSS-1489] - XAdES : remove Xalan dependency
• [DSS-1498] - Support for ds:Manifest in ASiC-E XAdES
• [DSS-1499] - Allows to ignore unknown OCSP/CRL
• [DSS-1501] - Expose SignedDocumentValidator.getOriginalDocuments as API method (REST preferably)
• [DSS-1514] - Webservice API - RemoteDocument - Add possibility to pass absolute path to file
• [DSS-1520] - Expose the HttpClientBuilder from CommonsDataLoader
• [

Security Patch 5.3.2

Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

• 5.2 → 5.2.1
• 5.3.0 / 5.3.1 → 5.3.2

Please consider that use of older versions should be discouraged.

XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).

While upgrading, be sure that your integration :

• doesn't use Xalan or XercesImpl dependencies
• uses a patched Java version (JDK7u40+, JDK8 or higher)

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.

Issue

• [DSS-1489] - XAdES : remove Xalan dependency
• [DSS-1508] - PAdES : Upgrade PDFBox
• [DSS-1509] - XAdES : enforce validation against XSW
• [DSS-1510] - XAdES : enforce XML Security against XXE
• [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
• [DSS-1512] - CommonDataLoader : enforce SSL certificates validation

Security Patch 5.2.1

Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

• 5.2 → 5.2.1
• 5.3.0 / 5.3.1 → 5.3.2

Please consider that use of older versions should be discouraged.

XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).

While upgrading, be sure that your integration :

• doesn't use Xalan or XercesImpl dependencies
• uses a patched Java version (JDK7u40+, JDK8 or higher)

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.

Issue

• [DSS-1489] - XAdES : remove Xalan dependency
• [DSS-1508] - PAdES : Upgrade PDFBox
• [DSS-1509] - XAdES : enforce validation against XSW
• [DSS-1510] - XAdES : enforce XML Security against XXE
• [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
• [DSS-1512] - CommonDataLoader : enforce SSL certificates validation