Contribute to the DSpace Development Fund

The newly established DSpace Development Fund supports the development of new features prioritized by DSpace Governance. For a list of planned features see the fund wiki page.

Version 4.4

DSpace 4.4 was officially released to the public on November 9, 2015.

DSpace 4.3 can be downloaded immediately from:

More information on the 4.4 release (and the 4.x platform in general) can be found in the 4.x Release Notes.

We highly recommend JSPUI users of DSpace 4.x upgrade to 4.4

DSpace 4.4 contains security fixes for the JSPUI only. To ensure your 4.x site is secure, we highly recommend JSPUI DSpace 4.x users upgrade to DSpace 4.4.

As noted in the 4.3 release notes, we also highly recommend removing any  "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern.

We highly recommend DSpace 1.x.x users upgrade to DSpace 3.4, 4.3 or 5.1

If you are running an older, unsupported version of DSpace (1.x.x), we highly recommend upgrading to DSpace 3.5, DSpace 4.4 or DSpace 5.4 to ensure your site is secure. Several of these security vulnerabilities also affect sites which are running DSpace 1.x.x releases. Per our DSpace Software Support Policy, all DSpace 1.x.x versions are now End-Of-Life.

If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace. Therefore, you may wish to consider upgrading directly to DSpace 5.4, as the 5.x upgrade process is simplified.

 

Summary

DSpace 4.4 is a security fix release to resolve several issues located in DSpace 4.x JSPUI. As it only provides security-fixes, DSpace 4.4 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.4.

This release addresses the following security issues discovered in DSpace 4.x and below:

  • JSPUI Security Fixes
    • [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x 
      • Discovered by Genaro Contreras
    • [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x
      • Discovered by Genaro Contreras

 

Upgrade Instructions

No new features in DSpace 4.4

4.4 is a security-fix release. This means it includes no new features and only includes the above listed security fixes

For a list of all new 4.x Features, please visit the 4.x Release Notes.

Organizational Details

Release Coordination

  • Release Coordinator: Committers Team (shared coordination) led by Tim Donohue and Andrea Schweer

Timeline and Proceeding

Release Timeline:

  • Release Date: November 9, 2015

 

Release Process will proceed according to the following Maven release process: Release Procedure

  • No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.