Page tree

CEF DIGITAL home page

CEF Digital

DSS v5.3.2

Back to the overview

DSS v5.3.2


Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

(warning) Please consider that use of older versions should be discouraged. (warning)



Download DSS v5.3.2

Here, you can download the latest version of the Digital Signature Services open-source library released in October 2018. You can read more about DSS and how it can help you here.

Source code is available in .zip and tar.gz

  

XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).

While upgrading, be sure that your integration :

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.

Issue

  • [DSS-1489] - XAdES : remove Xalan dependency
  • [DSS-1508] - PAdES : Upgrade PDFBox
  • [DSS-1509] - XAdES : enforce validation against XSW
  • [DSS-1510] - XAdES : enforce XML Security against XXE
  • [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
  • [DSS-1512] - CommonDataLoader : enforce SSL certificates validation