Contribute to the DSpace Development Fund

The newly established DSpace Development Fund supports the development of new features prioritized by DSpace Governance. For a list of planned features see the fund wiki page.

DSpace Release 5.4 Status

Created by Tim Donohue, last modified on Jan 17, 2023

Version 5.4

Support for DSpace 5 ended on January 1, 2023. See Support for DSpace 5 and 6 is ending in 2023

DSpace 5.4 was officially released to the public on November 9, 2015.

DSpace 5.4 can be downloaded immediately from:

https://github.com/DSpace/DSpace/releases/tag/dspace-5.4

More information on the 5.4 release (and the 5.x platform in general) can be found in the 5.x Release Notes

We highly recommend any JSPUI users of DSpace 5.x (or below) upgrade to 5.4

DSpace 5.4 contains security fixes for the JSPUI only. To ensure your 5.x JSPUI site is secure, we highly recommend JSPUI DSpace 5.x users upgrade to DSpace 5.4.

Summary

DSpace 5.4 is a bug fix release to resolve several issues located in DSpace 5.0, 5.1, 5.2 or 5.3. As it only provides only bug fixes, DSpace 5.4 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.4.

Major bug fixes include:

JSPUI security fixes:
- [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x
  - Discovered by Genaro Contreras
- [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x
  - Discovered by Genaro Contreras
Google Scholar fix:
- Google Scholar metadata did not guarantee proper ordering of authors (DS-2679)
Search / Browse fixes (Discovery/Solr) for JSPUI and XMLUI:
- Resolved a significant memory leak when searching/browsing (gradual leak) (DS-2869)
- Resolved a significant memory spike when reindexing (only triggered when running "index-discovery" with no arguments) (DS-2832)
- Fixes to allow fielded or boolean searches to work once again (DS-2699, DS-2803)
- Solr logging was broken. It did not properly log to the "[dspace]/log/solr.log" files (DS-2790)
OAI-PMH fixes:
- Upgraded the XOAI library to 3.2.10 to resolve several issues
- OAI did not support harvesting by date (YYYY-MM-DD) without a time (DS-2524, DS-2542)
- OAI getRecord was wrongly including all virtual sets (DS-2573)
- OAI was ignoring the "dspace.oai.url" setting in "oai.cfg" (DS-2744)
REST API fixes:
- /handle not reflecting updates (DS-2692)
- /collections/<id>/items ignores offset parameter (DS-2719)
- login/logout thread safety (DS-2830)
Deposit/Submission fixes:
- Fix issue where if PubMed server is down submission lookup fails (DS-2813)
- JSPUI: Allow reviewers to upload files (DS-2814)
Minor fixes to XMLUI Mirage2 theme

In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.

Upgrade Instructions

For upgrade instructions from ANY PRIOR VERSION to 5.4, please see Upgrading DSpace
When upgrading from any 5.x version, if you're reusing your 5.x configuration, make sure to change all instances of Filter attribute "red" to "ref" (e.g. <Filter red="exampleFilter" /> to <Filter ref="exampleFilter" />) in [dspace]/config/crosswalks/oai/oai.xml. "red" was a temporary workaround for a bug (xoai issue #32), which has now been fixed in DSpace 5.4.

No new features in DSpace 5.4

5.4 is a bug-fix release. This means it includes no new features and only includes the above listed fixes.

For a list of all new 5.x Features, please visit the 5.x Release Notes.

Changes

The following bug fixes were released in 5.4.

key	summary	type	created	updated	due	assignee	reporter	priority	status	resolution
Unable to locate Jira server for this macro. It may be due to Application Link configuration.

Organizational Details

Release Coordination

Release Coordinator: Committers Team (shared coordination) led by Andrea Schweer

Timeline and Proceeding

Release Timeline:

Release Date: TBA (tentative for early November)

No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.

Page tree