Since the release of iText 5.5.13 the iText 5 product line has transitioned to be in maintenance mode, meaning it only receives security related releases. While iText 5 is now EOL, we want to make sure that our users who have developed their solutions using iText 5 can safely continue using it.
For this particular release, we’ve backported a security bug fix from iText 7.2.0 and 7.1.17 to resolve a vulnerability that allowed the use of GhostScript in an unpredictable manner. See CVE-2021-43113 for more information.
In addition, we have updated the Apache XML Security for Java (org.apache.santuario:xmlsec) dependency to version 1.5.8 from version 1.5.6.
We have also updated the C# Bouncy Castle dependency to 1.8.9 due to a Timing Attack vulnerability present in version 1.8.6.1. For more information, see https://security.snyk.io/vuln/SNYK-DOTNET-BOUNCYCASTLE-1296078