DSpace 3.6 was officially released to the public on March 21, 2016.
More information on the 3.6 release (and the 3.x platform in general) can be found in the 3.x Documentation Preface.
Upgrade instructions can be found at Upgrading a DSpace Installation
We highly recommend any XMLUI users of DSpace 3.x (or below) upgrade to 3.6
DSpace 3.6 contains a security fix for the XMLUI only. To ensure your 3.x XMLUI site is secure, we highly recommend XMLUI DSpace 3.x users upgrade to DSpace 3.6.
As noted in the 3.4 release notes, we also highly recommend removing any "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern.
We highly recommend DSpace 1.x.x users upgrade to DSpace 3.6, 4.5 or 5.5
If you are running an older, unsupported version of DSpace (1.x.x), we highly recommend upgrading to DSpace 3.6, DSpace 4.5 or DSpace 5.5 to ensure your site is secure. Per our DSpace Software Support Policy, all DSpace 1.x.x versions are now End-Of-Life.
If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace. Therefore, you may wish to consider upgrading directly to DSpace 5.x, as the 5.x upgrade process is simplified.
DSpace 3.6 is an XMLUI security fix release to resolve an issue located in DSpace 3.5 or below. As it only provides security-fixes, DSpace 3.6 should constitute an easy upgrade from DSpace 3.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 3.x to 3.6.
This release addresses the following security issues discovered in DSpace 3.x and below:
- [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
- Reported by Virginia Tech
- For upgrade instructions for 3.x to 3.6 please see Upgrading From 3.0 to 3.x.
- If you are upgrading from 1.8.x to 3.6, please see Upgrading From 1.8.x to 3.x
- For general upgrade instructions, please see Upgrading a DSpace Installation
No new features in DSpace 3.6
3.6 is a security-fix release. This means it includes no new features and only includes the above listed security fixes
For a list of all new 3.x Features, please visit the DSpace Release 3.0 Notes.
- Release Coordinator: Committers Team (shared coordination)
Timeline and Proceeding
- Release Date: March 21, 2016