[RELEASE] iText 5 - 5.5.13.3

Merge branch 'release/5.5.13.3' into master

README.md

@@ -1,5 +1,18 @@
 ### **PLEASE NOTE: iText 5 is EOL, and has been replaced by [iText 7][itext7].  Only security fixes will be added**
-
+
+### Known Security Issues
+
+#### org.apache.santuario:xmlsec vulnerabilities
+The iText 5 targets Java 5 which means that we can not update `org.apache.santuario:xmlsec` version to 2.x.x or newer as
+it requires Java 8. If you are not using the com.itextpdf.text.pdf.security.MakeXmlSignature class then you can avoid
+adding `org.apache.santuario:xmlsec` dependency into your project. Which means that you would not be affected by
+the related vulnerabilities, for example https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-1655558. If you are using
+com.itextpdf.text.pdf.security.MakeXmlSignature class, for example for XFA signatures, then you can:
+- either use `org.apache.santuario:xmlsec` 1.5.8 as a dependency which is affected by the vulnerability specified above,
+ but works on Java 5+;
+- or use `org.apache.santuario:xmlsec` 2.1.7 or newer. But this would require java 8+ and affects on the output format
+(see https://issues.apache.org/jira/browse/SANTUARIO-494).
+
 We HIGHLY recommend customers use iText 7 for new projects, and to consider moving existing projects from iText 5 to iText 7 to benefit from the many improvements such as:
 
 - HTML to PDF (PDF/UA) conversion
@@ -31,9 +44,6 @@ You can also [build iText 5 from source][building].
 
 We also have RUPS — a tool that can help you debug PDFs. It's hosted on http://github.com/itext/rups
 
-If you have an idea on how to improve iText 5 and you want to submit code,
-please read our [Contribution Guidelines][contributing].
-
 iText is licensed as [AGPL][agpl] software.
 
 AGPL is a free / open source software license.
@@ -52,7 +62,6 @@ Contact sales for more info: http://itextpdf.com/sales
 
 [agpl]: LICENSE.md
 [building]: BUILDING.md
-[contributing]: CONTRIBUTING.md
 [extrajars]: EXTRAJARS.md
 [gratis]: https://en.wikipedia.org/wiki/Gratis_versus_libre
 [itext]: http://itextpdf.com/

itext/pom.xml

@@ -10,7 +10,7 @@
   </parent>
 
   <artifactId>itextpdf</artifactId>
-  <version>5.5.13.2</version>
+  <version>5.5.13.3</version>
 
   <name>iText Core</name>
   <description>A Free Java-PDF library</description>
@@ -75,25 +75,25 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-      <version>1.66</version>
+      <version>1.70</version>
       <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpkix-jdk15on</artifactId>
-      <version>1.66</version>
+      <version>1.70</version>
       <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>4.8.2</version>
+      <version>4.13.2</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.apache.santuario</groupId>
       <artifactId>xmlsec</artifactId>
-      <version>1.5.6</version>
+      <version>1.5.8</version>
       <optional>true</optional>
     </dependency>
   </dependencies>

itext/src/main/java/com/itextpdf/awt/AsianFontMapper.java

@@ -1,7 +1,7 @@
 /*
  *
  * This file is part of the iText (R) project.
-    Copyright (c) 1998-2020 iText Group NV
+    Copyright (c) 1998-2022 iText Group NV
  * Authors: Bruno Lowagie, Paulo Soares, et al.
  *
  * This program is free software; you can redistribute it and/or modify

itext/src/main/java/com/itextpdf/awt/DefaultFontMapper.java

@@ -1,7 +1,7 @@
 /*
  *
  * This file is part of the iText (R) project.
-    Copyright (c) 1998-2020 iText Group NV
+    Copyright (c) 1998-2022 iText Group NV
  * Authors: Bruno Lowagie, Paulo Soares, et al.
  *
  * This program is free software; you can redistribute it and/or modify

itext/src/main/java/com/itextpdf/awt/FontMapper.java

@@ -1,7 +1,7 @@
 /*
  *
  * This file is part of the iText (R) project.
-    Copyright (c) 1998-2020 iText Group NV
+    Copyright (c) 1998-2022 iText Group NV
  * Authors: Bruno Lowagie, Paulo Soares, et al.
  *
  * This program is free software; you can redistribute it and/or modify

itext/src/main/java/com/itextpdf/awt/PdfGraphics2D.java

@@ -1,7 +1,7 @@
 /*
  *
  * This file is part of the iText (R) project.
-    Copyright (c) 1998-2020 iText Group NV
+    Copyright (c) 1998-2022 iText Group NV
  * Authors: Bruno Lowagie, Paulo Soares, et al.
  *
  * This program is free software; you can redistribute it and/or modify

itext/src/main/java/com/itextpdf/awt/PdfPrinterGraphics2D.java

@@ -1,7 +1,7 @@
 /*
  *
  * This file is part of the iText (R) project.
-    Copyright (c) 1998-2020 iText Group NV
+    Copyright (c) 1998-2022 iText Group NV
  * Authors: Bruno Lowagie, Paulo Soares, et al.
  *
  * This program is free software; you can redistribute it and/or modify

itext/src/main/java/com/itextpdf/awt/geom/PolylineShape.java

@@ -1,7 +1,7 @@
 /*
  *
  * This file is part of the iText (R) project.
-    Copyright (c) 1998-2020 iText Group NV
+    Copyright (c) 1998-2022 iText Group NV
  * Authors: Bruno Lowagie, Paulo Soares, et al.
  *
  * This program is free software; you can redistribute it and/or modify

itext/src/main/java/com/itextpdf/awt/geom/PolylineShapeIterator.java

@@ -1,7 +1,7 @@
 /*
  *
  * This file is part of the iText (R) project.
-    Copyright (c) 1998-2020 iText Group NV
+    Copyright (c) 1998-2022 iText Group NV
  * Authors: Bruno Lowagie, Paulo Soares, et al.
  *
  * This program is free software; you can redistribute it and/or modify