To continue to advance the DSpace, Fedora and VIVO projects, your institution’s financial support is critical. Please talk to your leadership about joining DuraSpace as a member! Visit: http://duraspace.org/about_membership to learn more.

Old Release

This documentation relates to an old version of DSpace, version 4.x. Looking for another version? See all documentation.

Skip to end of metadata
Go to start of metadata

Online Version of Documentation also available

This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 4.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC4x


Welcome to Release 4.5, a security release for the DSpace 4.x platform. For information on upgrading to DSpace 4, please see Upgrading DSpace.
 

4.5 Release Notes

We highly recommend ALL users of DSpace 4.x upgrade to 4.5

DSpace 4.5 contains security fixes for both the XMLUI and JSPUI. To ensure your 4.x site is secure, we highly recommend ALL DSpace 4.x users upgrade to DSpace 4.5.

DSpace 4.5 upgrade instructions are available at: Upgrading DSpace

DSpace 4.5 is a security fix release to resolve several issues located in DSpace 4.x XMLUI and JSPUI. As it only provides security-fixes, DSpace 4.5 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.5.

This release addresses the following security issues discovered in DSpace 4.x and below:

  • XMLUI security fixes:
    • [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
      • Reported by Virginia Tech
  • JSPUI security fixes: 
    • [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.)
      • Reported by CINECA

4.4 Release Notes

We highly recommend any JSPUI users of DSpace 4.x upgrade to 4.4

DSpace 4.4 contains security fixes for the JSPUI only. To ensure your 4.x site is secure, we highly recommend JSPUI DSpace 4.x users upgrade to DSpace 4.4.

DSpace 4.4 is a security fix release to resolve several issues located in DSpace 4.x JSPUI. As it only provides security-fixes, DSpace 4.4 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.4.

This release addresses the following security issues discovered in DSpace 4.x and below:

  • JSPUI security fixes: 
    • [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x 
      • Discovered by Genaro Contreras
    • [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x
      • Discovered by Genaro Contreras

4.3 Release Notes

We highly recommend any users of DSpace 4.x upgrade to 4.3

DSpace 4.3 contains security fixes for both the XMLUI and JSPUI. To ensure your 4.x site is secure, we highly recommend all DSpace 4.x users upgrade to DSpace 4.3.

We also highly recommend removing any  "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern. The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by this setting.

DSpace 4.3 is a security fix release to resolve several issues located in DSpace 4.x. As it only provides security-fixes, DSpace 4.3 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.3.

This release addresses the following security issues discovered in DSpace 4.x and below:

  • XMLUI Security Fixes
    • [HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities (DS-2445 - requires a JIRA account to access for two weeks, and then will be public): These vulnerabilities allow someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2.

      • Discovered by: Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team

    • In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory. In addition, the Tomcat documentation details "allowLinking=true" as a possible security concern.  However, you still must upgrade or patch your DSpace in order to completely resolve this vulnerability.
  • JSPUI Security Fixes
    • [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings (DS-1702 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow a depositor/submitter to embed dangerous Javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has existed since DSpace 1.5.x.
    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form (DS-2044 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x

4.2 Release Notes

DSpace 4.2 provides bug-fixes and minor improvements to the 4.x platform. As it only provides bug-fixes, DSpace 4.2 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.2 (except for  DS-2036 which may affect some Oracle users ; see  Fixing the effects of DS-2036 ).

Issues which have been resolved in 4.2 include:

  • Fixed occasional "Out of Memory" errors when indexing large bitstreams/files in Discovery (DS-1958)

  • Fixed issue where REST API was not releasing "context" and ignored database pooling (DS-1986)

  • Fixed Solr commit delays when "did you mean" functionality is enabled in Discovery (DS-2060)

  • Fixed the "dspace classpath" command (DS-1998)

  • Fixed issue where thumbnails were not displayed when using JSPUI + Oracle database (DS-2013)

  • Fixed validation of OAI-PMH response (DS-1928)
  • Fixed several Oracle database upgrade script errors (DS-2036DS-2038, DS-2056, and DS-1957)
  • Fixed Maven build issue on Windows operating systems (DS-1940)
  • Other minor fixes See Changes in 4.x section for a list of all fixes.

4.1 Release Notes

DSpace 4.1 provides bug-fixes and minor improvements to the 4.x platform. As it only provides bug-fixes, DSpace 4.1 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.1 (except for DS-1536; see Fixing the effects of DS-1536).

Issues which have been resolved in 4.1 include:

  • Fixed issue where having a period (.) in your handle prefix generated incorrect identifiers (DS-1536)
  • Fixed broken quick build (from [dspace-src]/dspace) (DS-1867)
  • Fixed a crash of DSpace during CSV import via BTE (DS-1857)
  • Fixed collection harvesting to DSpace via ORE (DS-1848)
  • Fixed deposit of new items via SWORD (DS-1846)
  • Fixed search hit highlighting in XMLUI (DS-1907)
  • Fixed broken 'stat-initial' script (DS-1795)
  • Other minor fixes. See Changes in 4.x section for a list of all fixes.

4.0 Release Notes

The following is a list of the new features included for the 4.x platform (not an exhaustive list):

DSpace 4.0 ships with a number of new features. Certain features are automatically enabled by default while others require deliberate activation. 
The following non-exhaustive list contains the major new features in 4.0 that are enabled by default:

Discovery: Search & Browse is now enabled by default in both XMLUI and JSPUI.

Note: The Lucene/DB-based search & browse backend is still supported, but is deprecated and might be removed in a future release. Any new features should use the Discovery API instead of tying directly to Lucene, Solr or Elastic Search.

  • Discovery general enhancements
    • Solr libraries were upgraded to version 4.4 (JSPUI, XMLUI and OAI modules) - by lap
    • Solr search accent insensitive - by ab
    • Solr-based item counter - by im, ab
  • Discovery UI enhancements (both JSPUI and XMLUI)
    • Query spell checking ("did you mean") - XMLUI by kv, JSPUI by lap, ab

Contributors:
lap - Luigi Andrea Pascarelli with the support of CINECA
ab - Andrea Bollini with the support of CINECA
kv - Kevin Van de Velde with the support of @mire
im - Ivan Masár

A new Bootstrap-based default look and feel for JSPUI (see DS-1675 for screenshots)

Kindly contributed by Andrea Bollini & Luigi Andrea Pascarelli with the support of CINECA

JSPUI new features

 

JSPUI porting of features previously available only on XMLUI

Kindly contributed by Keiji Suzuki & Luigi Andrea Pascarelli with the support of CINECA

UI support for metadata batch import from various bibliographic formats

  • Update to Biblio-Transformation-Engine 0.9.2.2
  • Added data loader for OAI-PMH
  • New configuration format to support simultaneous input mappings from the various supported metadata formats
  • New interface for administrators in JSPUI (for file data loaders like bibtex, csv, tsv, endnote and ris)

Kindly contributed by the Greek National Documentation Centre/EKT

SWORDv2 module update, which provides the following improvements: 
  • some general bug fixes including: bitstream url construction, config options, context management and connection pool, ORIGINAL bundle problem (DS-1149)
  • proper METSDSpaceSIP support in both deposit and update
  • proper authentication for accessing actionable bitstreams (i.e. those that can be replaced via sword), tightened security options around mediated actions, and add extra security to the access of descriptive documents (deposit receipts, statements)
  • more configuration options: bundles to expose in Statements, DepositMO extensions (for individual files), and many more
  • some general refactoring
  • addition of 404 responses where necessary
  • better support for add/replace of metadata, and how metadata updates are handled on archived items
  • update to latest version of Java Server library
  • new bitstream formats in the bitstream registry

Kindly contributed by Richard Jones with the support of Cottage Labs

Improved command line features

Kindly contributed by Mark H. Wood with the support of IUPUI University Library

Support simple embargo in XMLUI item display and in AIP import/export

DS-1697 - Convey effective dates in METSRIGHTS information Closed

DS-1514 - Embargo settings on item import Closed

Kindly contributed by Ivan Masár and Terry Brady with the support of Georgetown University

Language switch for xmlui and some basic i18n stuff

DS-842 - Language switch for xmlui and some basic i18n stuff Closed

Kindly contributed by Claudia Jürgen with the support of TU Dortmund University

Filtering of web spiders from statistics can now match by the spider host's DNS name or the spider's User-Agent string.

DS-790 - SOLR - Spider detection to match on hostname or useragent Closed

Kindly contributed by Mark H. Wood with the support of IUPUI University Library

Several improvements to help Google Scholar better index your content (requested by Google Scholar team). See also Search Engine Optimization recommendations, for ways to further enhance Google Scholar (and other search engine) findability.

DS-1481 - "dc.date.issued" is often incorrectly set (reported from Google) Closed

DS-1482 - Add a way for harvesters to find recently added items (request from Google) Closed

DS-1483 - Store link to "primary bitstream" in citation_pdf_url for Google Scholar (request from Google) Closed

Kindly contributed by several members of the DSpace Committer team (see individual tickets for more details).

 
The following list contains all features that are included in the DSpace 4.0 release, but need to be enabled manually.
Review the documentation for these features carefully, especially if you are upgrading from an older version of DSpace.

DOI Support

  • Support for minting new DOIs
  • Support for the DataCite and EZID DOI providers

DS-1535 - DOI support for dspace-api Closed DS-1678 - EZID DOI provider for DSpace Closed

Kindly contributed by Pascal-Nicolas Becker & Mark Wood with the support of TU Berlin and IUPUI University Library

Support running handle server and application container on separate machines

DS-1637 - Support running handle server and application container on separate machines Closed

Kindly contributed by Pascal-Nicolas Becker, Andrea Bollini & Mark Wood with the support of TU Berlin and CINECA

Mobile Theme for XMLUI matures from beta (DS-1679)

Kindly contributed by Elias Tzoc and James Russell with the support of Miami University

Improvements to LDAP Authentication

Kindly contributed by Ivan Masár and Sam Ottenhoff of Longsight for Allegheny College (DS-1078).

Media filter generates better-looking thumbnails

DS-1259 - use better image downscaling method in filter-media Closed

Kindly contributed by Jason Sherman with the support of University of Science and Arts of Oklahoma

Curation Task for Consuming Web Services

DS-1647 - Curation Task for Consuming Web Services Closed

Kindly contributed by Richard Rodgers with the support of Massachusetts Institute of Technology

Request a Copy for JSPUI and XMLUI (DS-824)

  • For items with restricted access, allows users to ask the original author for a copy of the item

Original contribution of Adán Román Ruiz (Arvo Consultores). JSPUI version adapted from the Universidade do Minho. XMLUI version funded by Instituto Oceanográfico de España. Additional improvements/bug fixes by Andrea Bollini (CINECA).

A new REST web service API module based on Jersey (a JAX RS 1.0 implementation) (DS-1696)

Provides:

  • Read-only access to unrestricted communities, collections, items and bitstreams
  • Handle lookup
  • JSON (and XML) output formats

Kindly contributed by Peter Dietz with the support of Ohio State University Libraries

The following individuals have contributed directly to this release of DSpace:  Adan Roman, Alan Orth, Alexey Maslov, Àlex Magaz Graça, Andrea Bollini, Andrea Schweer, Andrew Waterman, Anja Le Blanc, Bavo Van Geit (@mire), Bram Luyten (@mire), Brian Freels-Stendel, Cedric Devaux, Christian Scheible, Christos Rodosthenous, Claudia Jürgen, Clint Bellanger, Denis Fdz, DSpace @ Lyncode, Elias Tzoc, Fabio Bolognesi, Hardy Pottinger, Hélder Silva, Hilton Gibson, Ian Boston, Ivan Masár, james bardin, James Halliday, Jason Sherman, João Melo, Jonathan Blood, Jose Blanco, Juan Corrales Correyero, Keiji Suzuki, Kevin Van de Velde, Kim Shepherd, Kostas Maistrelis, Kostas Stamatis, LifeH2O, Luigi Andrea Pascarelli, Marco Fabiani, Marco Weiss, Marina Muilwijk, Mark Diggory, Mark H. Wood, Michael White, Moises A., Moises Alvarez, Onivaldo Rosa Junior, Pascal-Nicolas Becker, Peter Dietz, Rania Stathopoulou, Raul Ruiz, Richard Jones, Richard Rodgers, Robert Ruiz, Robin Taylor, Roeland Dillen, Samuel Ottenhoff, Sara Amato, Sean Carte, Stuart Lewis, Terry Brady, Thomas Autry, Thomas Misilo, Tiago Murakami, Tim Donohue, Toni Prieto, usha sharma, and others who reviewed and commented on their work.  Many of these could not do this work without the support (release time and financial) of their associated institutions. We offer thanks to those institutions for supporting their staff to take time to contribute to the DSpace project.

A big thank you also goes out to the DSpace Community Advisory Team (DCAT), who helped the developers to prioritize and plan out several of the new features that made it into this release. The current DCAT members include: Amy Lana, Augustine Gitonga, Bram Luyten, Ciarán Walsh, Claire Bundy, Dibyendra Hyoju, Elena Feinstein, Elin Stangeland, Iryna Kuchma, Jim Ottaviani, Leonie Hayes, Maureen Walsh, Michael Guthrie, Sarah Molloy, Sarah Shreeves, Sue Kunda, Valorie Hollister and Yan Han.

We apologize to any contributor accidentally left off this list. DSpace has such a large, active development community that we sometimes lose track of all our contributors. Our ongoing list of all known people/institutions that have contributed to DSpace software can be found on our DSpace Contributors page. Acknowledgments to those left off will be made in future releases.

Want to see your name appear in our list of contributors? All you have to do is report an issue, fix a bug, improve our documentation or help us determine the necessary requirements for a new feature! Visit our Issue Tracker to report a bug, or join dspace-devel mailing list to take part in development work. If you'd like to help improve our current documentation, please get in touch with one of our Committers with your ideas. You don't even need to be a developer! Repository managers can also get involved by volunteering to join the DSpace Community Advisory Team and helping our developers to plan new features.

The Release Team consisted of Mark H. Wood, Hardy Pottinger and Andrea Bollini.

Additional thanks to Tim Donohue from DuraSpace for keeping all of us focused on the work at hand, for calming us when we got excited, and for the general support for the DSpace project.

  • No labels