Hotfix 1.10.10
Release Date: 15/12/2023
Fixes
-
Fixes use case where adding fields on relative positions is very slow. Creating documents with relative positions is now 10x faster.
Security Vulnerabilities
Known vulnerabilities
Dependency | Severity | Vulnerability | Description |
---|---|---|---|
bouncycastle |
MEDIUM |
CVE-2023-33202 |
The iText 7.1.x and 7.2.x suite relies on version 1.67 of the BouncyCastle provider. We have reached out to the vendor, who has assured us that a solution is forthcoming. |
Whitelist vulnerabilities
Dependency | Vulnerability | Description |
---|---|---|
spring-web |
CVE-2016-1000027 |
Spring dismissed this CVE: "The vendor’s position is that untrusted data is not an intended use case. The product’s behavior will not be changed because some users rely on deserialization of trusted data." |
jackson-databind |
CVE-2023-35116 |
"The vendor’s perspective is that the product is not intended for use with untrusted input." |
liquibase-core |
CVE-2022-0839 |
This vulnerability does not affect eSign as it does not support external inputs to liquibase libraries |
h2 |
CVE-2021-42392 |
These vulnerabilities only affect H2 databases, which are intended for demo purposes only and should not be used in production environments |
itext-core |
CVE-2022-24198 |
iText dismissed this CVE: "Vendor does not view this as a vulnerability and has not found it to be exploitable." |
itext-* |
CVE-2021-43113 |
This library is included in iText’s bundle but eSign never uses said library. Removed from eSign 1.11.0 and upwards. |
quartz |
CVE-2023-39017 |
Quartz functionalities are not exposed to the outside. |
jose4j |
CVE-2023-31582 |
This vulnerability does not affect eSign as it does not allow the configuration of the number of hashing iterations (which is set at a safe level). |