BFO PDF Library 2.28.1 / Report Generator 1.2.8
The release we put out 10 days ago, PDF Library 2.28, unfortunately broke the application of new Digital Signatures when those signatures contain a timestamp. This is a common codepath for many users. We've release 2.28.1 to fix it.
As this impacts the Report Generator too, we're updating that too. Mostly however,
the fix we put in last week for the XML External Entity injection was still
triggering a false positive report for the
Veracode tool that triggerred
the original report. While unexploitable, the report was making some customers nervous.
This should be fixed with this release.
How did you miss this?
Timestamped signatures used to be part of our automated regression test, but were commented out a few years ago as the Timestamp server we were using at the time was unreliable. So we missed it. Now fixed in the codebase and in the regression tests.
Any other changes?
A much less common codepath is that we also broke converting a PDF to PDF/A if that
PDF has been cloned first (by calling
pdf = new PDF(pdf) and the
original PDF had no XMP metadata. That's now fixed too, and we took the opportunity
to re-run our
but with the additional step of cloning the PDF first, which caught a couple of changes
to the PDF/A-1 profile since that was last done.
In the Report Generator, a regression in 1.2.4 caused layout to fail if an invalid font was specified, and this is now fixed too.
Mea culpa. New downloads at https://bfo.com/download as usual.