Old News

October 2023

Versions 4.0.0, 3.0.3, 2.3.4 and 2.2.6 of the Apache XML Security for Java library have been released. A security advisory has been fixed in these releases:

• CVE-2023-44483: Apache Santuario: Private Key disclosure in debug-log output

Please see the Security Advisories page for more information. 

September 2023

Version 4.0.0-M1 of the Apache XML Security for Java library has been released. This is a preview release of the forthcoming 4.0.0 release which is made available for testing, it should not be used in production. The main changes are:

• Java 11 requirement
• Removing SLF4J and using System.Logger
• AutoCloseable for several types

August 2023

Version 2.2.5 of the Apache XML Security for Java library has been released. It contains some dependency updates to fix CVE reports.

March 2023

Versions 3.0.2 and 2.3.3 of the Apache XML Security for Java library have been released. Support for the EdDSA has been added as part of these releases.

September 2022

Versions 3.0.1 and 2.3.2 of the Apache XML Security for Java library have been released. The main change is to remove Xalan as a provided (optional) dependency. This means that support for the XML Signature here() function is removed by default, but can be configured if needed (see this test for an example which plugs in this custom XPath implementation).

May 2022

Versions 3.0.0, 2.3.1, 2.2.4 and 2.1.8 of the Apache XML Security for Java library have been released. 3.0.0 is a new major release of the library that contains a change to the jakarta JAXB namespace for the streaming library. 2.1.8 is the last planned release of 2.1.x.

November 2021

Version 2.3.0 of the Apache XML Security for Java library has been released. This is a major new release of the library. Some of the significant changes include:

• A rewrite for the StAX output processor chain to make it
  deterministic - https://issues.apache.org/jira/browse/SANTUARIO-555
• Secure Validation is now enabled by default -
  https://issues.apache.org/jira/browse/SANTUARIO-574
• Local + HTTP ResourceResolvers are disabled by default -
  https://issues.apache.org/jira/browse/SANTUARIO-573

October 2021

Version 2.0.3 of the Apache XML Security for C++ library has been released. This release adds support for OpenSSL 3.0.0, though using a number of now-deprecated function calls.

September 2021

Version 2.2.3 and 2.1.7 of the Apache XML Security for Java library has been released. Please see the release notes for more information.

These releases contain a fix for a new CVE:

• CVE-2021-40690 - Bypass of the secureValidation property

Please refer to the security advisories page for further information.

May 2021

Version 2.2.2 of the Apache XML Security for Java library has been released to fix a few bugs.

Please see the release notes for more information.

November 2020

Version 2.2.1 and 2.1.6 of the Apache XML Security for Java library have been released to fix a few bugs.

Please see the release notes for more information.

June 2020

Version 2.2.0 of the Apache XML Security for Java library has been released. This is a new major release with the following features:

...