[SignServer-announce] SignServer security notice

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

XML processing workers in SignServer has been discovered to be
vulnerable to an XML External Entity attack.

Systems configured with the affected modules could allow an attacker to
access local files, bypass certain protection mechanisms or cause high
CPU usage.

Users using any of the following workers are recommended to upgrade to
the latest version of SignServer or to disable access to those workers
from untrusted users:
- XML signer and validator
- XAdES signer and validator
- OOXML signer
- ODF signer

Note that installations where those workers are not configured are not
affected by this vulnerability.

This issue has been resolved in SignServer 3.6.2 by disallowing document
type definitions in user supplied XML documents.

For upgrade instructions, please see doc/UPGRADE.txt.

Regards,
PrimeKey SignServer Team