European Commission Digital

DSS v5.3.2


Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

Please note that the use of older versions is discouraged.



Download DSS v5.3.2

Here, you can download the latest version of the Digital Signature Services open-source library released in October 2018. You can read more about DSS and how it can help you here.

Source code is available as .zip and tar.gz.


XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validation against several kinds of attack: XML Signature Wrapping (XSW), XPath injection, Server-Side Request Forgery (SSRF) and XML External Entities (XXE).

While upgrading, be sure that your integration:

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)
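As an added illustration of the checks behind these patches (example code written for this page, not DSS code; the class and method names are assumptions), the following Java class builds a DOM parser with DTDs, external entities and XInclude disabled, and accepts only same-document ds:Reference URIs that resolve to exactly one Id, which is what blocks remote fetches (SSRF/XXE) and duplicated-Id wrapping (XSW) during reference resolution.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical pre-upgrade self-check for a DSS integration (assumed name; not DSS code). */
public final class XadesIntegrationCheck {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** DOM parser with DTDs, external entities and XInclude disabled (XXE / SSRF hardening). */
    public static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required to find ds:Reference by namespace
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Accepts only same-document ds:Reference URIs ("" or "#id") that resolve to exactly one element. */
    public static boolean referencesAreSameDocument(Document doc) {
        NodeList refs = doc.getElementsByTagNameNS(DSIG_NS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (uri.isEmpty()) continue;                               // whole document: nothing to fetch
            if (!uri.startsWith("#") || uri.length() == 1) return false; // remote URI or bare "#": reject
            // exactly one Id match: a missing or duplicated Id is the classic wrapping (XSW) symptom
            if (countById(doc.getDocumentElement(), uri.substring(1)) != 1) return false;
        }
        return true;
    }

    /** Counts elements carrying Id="id"; a manual walk because no schema declares Id as type ID. */
    private static int countById(Element e, String id) {
        int n = id.equals(e.getAttribute("Id")) ? 1 : 0;
        NodeList kids = e.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i) instanceof Element) n += countById((Element) kids.item(i), id);
        }
        return n;
    }
}
```

This check is stricter than the XML Signature specification (it also rejects #xpointer(...) forms); feed hardenedParser().parse(...) output to referencesAreSameDocument before handing the document to the validator.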

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a PDFBox upgrade that patches vulnerabilities.

Issue

  • [DSS-1489] - XAdES : remove Xalan dependency
  • [DSS-1508] - PAdES : Upgrade PDFBox
  • [DSS-1509] - XAdES : enforce validation against XSW
  • [DSS-1510] - XAdES : enforce XML Security against XXE
  • [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
  • [DSS-1512] - CommonDataLoader : enforce SSL certificates validation