Version 5.4
Warning: Support for DSpace 5 ended on January 1, 2023. See Support for DSpace 5 and 6 is ending in 2023.
Tip: DSpace 5.4 can be downloaded immediately from: More information on the 5.4 release (and the 5.x platform in general) can be found in the 5.x Release Notes.
Note: DSpace 5.4 contains security fixes for the JSPUI only. To ensure your 5.x JSPUI site is secure, we highly recommend JSPUI DSpace 5.x users upgrade to DSpace 5.4.
Summary
DSpace 5.4 is a bug fix release to resolve several issues located in DSpace 5.0, 5.1, 5.2 or 5.3. As it provides only bug fixes, DSpace 5.4 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.4.
Major bug fixes include:
- JSPUI security fixes:
  - [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736)
    - Discovered by Genaro Contreras
  - [LOW SEVERITY] Possible to access files attached to "in-progress" submissions via a direct link (DS-2614 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow anyone in the world to download a file attached to an "in-progress" submission if they are provided with a direct link to that file (from either UI). While a direct file link would be very hard to "guess" or stumble upon, this could allow an individual with deposit rights to make available content which has not been approved by local DSpace administrators. This vulnerability has existed at least since 5.0, but may affect versions as old as 3.0.
    - Discovered by Pascal-Nicolas Becker of Technische Universität Berlin
  - [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x.
    - Discovered by Genaro Contreras
- Google Scholar fix:
  - Google Scholar metadata did not guarantee proper ordering of authors (DS-2679)
- Search / Browse fixes (Discovery/Solr) for JSPUI and XMLUI:
  - Resolved a significant memory leak when searching/browsing (gradual leak) (DS-2869)
  - Resolved a significant memory spike when reindexing (only triggered when running "index-discovery" with no arguments) (DS-2832)
  - Fixes to allow fielded or boolean searches to work once again (DS-2699, DS-2803)
  - Solr logging was broken. It did not properly log to the "[dspace]/log/solr.log" files (DS-2790)
- OAI-PMH fixes:
- REST API fixes:
- Deposit/Submission fixes:
- Minor fixes to XMLUI Mirage2 theme
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.
Upgrade Instructions
- For upgrade instructions from ANY PRIOR VERSION to 5.4, please see Upgrading DSpace
- When upgrading from any 5.x version, if you're reusing your 5.x configuration, make sure to change all instances of Filter attribute "red" to "ref" (e.g. <Filter red="exampleFilter" /> to <Filter ref="exampleFilter" />) in [dspace]/config/crosswalks/oai/oai.xml. "red" was a temporary workaround for a bug (xoai issue #32), which has now been fixed in DSpace 5.4.
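As an added example (not DSpace or xoai code) of the "red" to "ref" rename described above, together with a post-upgrade check that no <Filter red="..."> remains, assuming the file is [dspace]/config/crosswalks/oai/oai.xml and using a constructed oai.xml fragment as sample input:

```python
"""Rename the temporary `red` attribute on xoai <Filter> elements to `ref`.

Added example for the DSpace 5.4 upgrade note; not part of DSpace or xoai.
Only `red=` inside a <Filter ...> opening tag is touched, so the word "red"
in text, comments, attribute values or other elements is left alone.
"""
import re
import sys
from typing import Tuple

# `<Filter` followed by anything up to the tag end, whitespace, then the
# attribute name `red`; multi-line tags are covered because [^>] spans newlines.
_FILTER_RED = re.compile(r'(<Filter\b[^>]*?\s)red(\s*=)')


def fix_filter_ref(xml_text: str) -> Tuple[str, int]:
    """Return (rewritten text, number of Filter attributes renamed)."""
    return _FILTER_RED.subn(r'\1ref\2', xml_text)


def remaining_red_filters(xml_text: str) -> int:
    """Post-upgrade check: count <Filter red=...> tags still present."""
    return len(_FILTER_RED.findall(xml_text))


# Constructed sample in the shape of an xoai oai.xml fragment (not a real config).
SAMPLE_OAI_XML = """<?xml version="1.0"?>
<Configuration xmlns="http://www.lyncode.com/XOAIConfiguration">
  <Contexts>
    <Context baseurl="request">
      <Filter red="driverFilter" />
      <Filter ref="alreadyFixedFilter" />
      <Filter
          red="multiLineFilter" />
    </Context>
  </Contexts>
  <Filters>
    <Filter id="driverFilter"><Definition><Custom refid="redIsJustText" /></Definition></Filter>
  </Filters>
</Configuration>
"""


def main(path: str = "") -> None:
    # With no path, run against the constructed sample; otherwise rewrite the file in place.
    text = open(path, encoding="utf-8").read() if path else SAMPLE_OAI_XML
    fixed, count = fix_filter_ref(text)
    if path and count:
        with open(path, "w", encoding="utf-8") as f:
            f.write(fixed)
    print(f"{path or 'sample'}: renamed {count} Filter attribute(s) red -> ref, "
          f"{remaining_red_filters(fixed)} remaining")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "")
```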
No new features in DSpace 5.4
...