Contribute to the DSpace Development Fund

The newly established DSpace Development Fund supports the development of new features prioritized by DSpace Governance. For a list of planned features see the fund wiki page.

DSpace Release 4.7 Status

Created by Luigi Andrea Pascarelli (4Science), last modified by Tim Donohue on Oct 13, 2016

Version 4.7

DSpace 4.7 was officially released to the public on October 13, 2016.

DSpace 4.7 can be downloaded immediately from:

https://github.com/DSpace/DSpace/releases/tag/dspace-4.7

More information on the 4.7 release (and the 4.x platform in general) can be found in the 4.x Release Notes.

Upgrade instructions can be found at Upgrading DSpace

We highly recommend ALL users of DSpace 4.x upgrade to 4.7

DSpace 4.7 contains security fixes for both the XMLUI and JSPUI. To ensure your 4.x site is secure, we highly recommend ALL DSpace 4.x users upgrade to DSpace 4.7.

As noted in the 4.3 release notes, we also highly recommend removing any "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern.

We highly recommend DSpace 1.x.x users upgrade to DSpace 3.6, 4.7 or 5.6

If you are running an older, unsupported version of DSpace (1.x.x), we highly recommend upgrading to DSpace 3.6, DSpace 4.7 or DSpace 5.6 to ensure your site is secure. Per our DSpace Software Support Policy, all DSpace 1.x.x versions are now End-Of-Life.

If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace. Therefore, you may wish to consider upgrading directly to DSpace 5.x, as the 5.x upgrade process is simplified.

Summary

DSpace 4.7 is a security fix release to resolve several issues located in previous 4.x releases. As it only provides only security fixes, DSpace 4.6 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.7.

This release addresses the following security issues discovered in DSpace 4.x and below:

JSPUI, XMLUI, REST security fixes:
- JSPUI and XMLUI
  - [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access) (NOTE: this ticket was actually fixed in an earlier, unannounced 4.6 release, but it is also included in 4.7)
    - Reported by Seth Robbins
- JSPUI, XMLUI and REST
  - [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
    - Reported by Franziska Ackermann
JSPUI security fix:
- [HIGH SEVERITY] Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access)
  - Reported by Andrea Bollini

Upgrade Instructions

For upgrade instructions for 4.x to 4.7, please see Upgrading From 4.0 to 4.x.
If you are upgrading from 3.x to 4.7, please see Upgrading From 3.x to 4.x.
For general upgrade instructions, please see Upgrading DSpace.

No new features in DSpace 4.7

4.7 is a security-fix release. This means it includes no new features and only includes the above listed security fixes.

For a list of all new 4.x Features, please visit the 4.x Release Notes.

Organizational Details

Release Coordination

Release Coordinator: Committers Team (shared coordination)

Timeline and Proceeding

Release Timeline:

Release Date: October 13, 2016

Release Process will proceed according to the following Maven release process: Release Procedure

No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.

Page tree