Page tree

CEF DIGITAL home page

CEF Digital

DSS v5.2.1

Back to the overview

DSS v5.2.1


Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

(warning) Please consider that use of older versions should be discouraged. (warning)



Download DSS v5.2.1

Source code is also available in .zip and tar.gz
Bugs, issues or suggestions? Report it on JIRA

Release Note

XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).

While upgrading, be sure that your integration :

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.

Issue

  • [DSS-1489] - XAdES : remove Xalan dependency
  • [DSS-1508] - PAdES : Upgrade PDFBox
  • [DSS-1509] - XAdES : enforce validation against XSW
  • [DSS-1510] - XAdES : enforce XML Security against XXE
  • [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
  • [DSS-1512] - CommonDataLoader : enforce SSL certificates validation
STANDARDS
eSignature standards
SOFTWARE
Digital Signature Services (DSS)
TESTING SERVICES
ETSI Signature Conformance Checker
SUPPORTING SERVICES
eSignature Service Desk
What is an electronic signature?
Start using DSS
Apply for eSignature grants