Versions Compared

Old Version 21

changes.mady.by.user Kim Shepherd

Saved on

compared with

New Version 22

changes.mady.by.user Kim Shepherd

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added security fixes

...

DSpace 6.3 is a bug fix release to resolve several issues located in previous 6.x releases. As it only provides only bug fixes, DSpace 6.3 should constitute an easy upgrade from DSpace 6.x for most users. No database changes should be necessary when upgrading from DSpace 6.x to 6.3. One configuration addition (orcid.api.url property) has been made to the default dspace.cfg to support the new ORCID API v2, for ORCID Authority Control users.


JSPUI security fixes include

  • [HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.) 

    • Reported by Julio Brafman

  • [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.) 

    • Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)

Major bug fixes include:

  • Update DSpace ORCID Integration to use ORCID API v2 (instead of now obsolete ORCID v1): DS-3447
  • Update DSpace Statistics to use GeoIP API v2 (instead of now discontinued GeoIP API v1): DS-3832
  • Database specific fixes
    • Oracle database migration fix. Configurable Workflow migration threw errors: DS-3788
    • PostgreSQL JDBC driver upgraded to latest version (to allow for full compatibility with PostgreSQL v10): DS-3854
    • Fix issue where DSpace wasn't starting if it used a database connection pool supplied through JNDI: DS-3434
  • Bitstream deletion issues ("dspace cleanup" command)
    • Fixed issues where Bitstreams were not being flagged for deletion when an Item was deleted: DS-3729
    • Fixed issues where Bitstreams were not being removed from assetstore even when flagged as deleted: DS-3627 and DS-3461
      • Note: This issue was limited to 6.0, 6.1 or 6.2, and specifically occurred when Item Level Versioning was NOT enabled (which is the default setting) or when Item Level Versioning was first enabled on DSpace version 6.0, 6.1 or 6.2
    • Fixed issues where Bitstreams were removed from all versions of an Item (resulting in inaccurate versioning) when deleted from the latest version of an Item: DS-3627
      • Note: This issue was limited to 6.0, 6.1 or 6.2, and specifically ONLY occurred when Item Level Versioning was first enabled on DSpace version 4.x or 5.x (and that old versioning data had since been migrated to 6.x).
  • Other API-level fixes (affecting all UIs)
    • Fixed issues where Item Level Versioning accidentally duplicated both metadata (DS-3703) and bitstreams (DS-3702)
    • Fixed issue where Shibboleth authentication plugin appeared to login when no password provided: DS-3662
    • Fixed issues with Solr Search Query escaping in both UIs: DS-3507
    • Update last modified timestamp (on Item) when a new bitstream is added: DS-3734
    • Ensure ImageMagick thumbnails respect the orientation of original file: DS-3839
    • Fix MediaFilter "too many open files" issues (where it forgot to close an input stream): DS-3700
    • Fix PubMed Import submission step (StartSubmissionLookupStep) to use updated URL of PubMed API:  DS-3933
    • Cleanup EHCache configuration: DS-3694 and DS-3710
  • JSPUI fixes
    • Fixed issues with authority control popup: DS-3404
    • Fixed issues with pausing HTML5 uploads: DS-3865
  • XMLUI fixes
    • Fixed Mirage v2 build issues caused by Bower Registry URL change: DS-3936
    • Fixed performance issues for Items with 100+ bitstreams: DS-3883
    • Fixed occasional Hibernate LazyInitializationException when completing submissions: DS-3775
    • Fixed Unicode character issues in metadata: DS-3733
    • Fix issue where search results lose Community/Collection context when sorting: DS-3835
    • Fixed bitstream download issues which could leave AWS connections open when using S3 storage backendDS-3870
    • Update Mirage to use recommended MathJax inline delimiters (DS-3087) and to use new CDN location (DS-3560)
  • OAI-PMH Fixes
    • Ensure OAI-PMH updates harvestable items when an item is made private (DS-3707) or an embargo expires (DS-3715)
    • Fixed Unicode character issues in metadata: DS-3733 and DS-3556
    • Fix content type of OAI-PMH response: DS-3889
    • Enhanced "oai import" command to report on items that cause indexing issues: DS-3852
  • REST API fixes and minor improvements
    • Fixed issue where REST API was no longer able to return JSON responses: DS-3903
    • Fixed update bitstream data returning 500 response: DS-3511
    • Improvements to REST Based Quality Control Reports:
      • Enable login via Shibboleth: DS-3811
      • Add bitstream field data to item listing: DS-3704
      • Fix bug filtering for bitstream permissions: DS-3713
      • Improve ability to find withdrawn items: DS-3714

...