Page History

Welcome to Release 4.69, a security release for the DSpace 4.x platform. For information on upgrading to DSpace 4, please see Upgrading DSpace.    

4.

...

9 Release Notes  

DSpace DSpace 4.6 9 is a security fix release to resolve an issue issues located in DSpace 4.x XMLUI and JSPUI (only). As it only provides a security -fixfixes, DSpace 4.6 9 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.68.

This  This release addresses the following security issues discovered in DSpace 4.x and below: 

• DSpace JSPUI security fixfixes:

  • [HIGH SEVERITY]

      XML External Entity (XXE) vulnerability in pdfbox. (DS-3309

    A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.) 

    • Reported by

      Seth Robbins
      

4.5 Release Notes

DSpace 4.5 is a security fix release to resolve several issues located in DSpace 4.x XMLUI and JSPUI. As it only provides security-fixes, DSpace 4.5 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.5.

This release addresses the following security issues discovered in DSpace 4.x and below:

• XMLUI security fixes:
  • [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
    • Reported by Virginia Tech
      
• JSPUI security fixes: 
  • [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.)
    • Reported by CINECA

4.4 Release Notes

• • • Julio Brafman

  • [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.) 

    • Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)

In addition, this release fixes minor bugs in the 4.x releases. For more information, see the Changes in 4.x page.

4.9 Acknowledgments 

The 4.9 release was led by the Committers.

The following individuals provided code or bug fixes to the 4.9 release: Julio Brafman, Tim Donohue (tdonohue), Eike Kleiner, Kim Shepherd (kshepherd), Mark Wood (mwood).

4.8 Release Notes 

DSpace 4.8 DSpace 4.4 is a security fix release to resolve several issues located in DSpace 4.x XMLUI and JSPUI. As it only provides security -and bug fixes, DSpace 4.4 8 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.8.  It is necessary to run a database update script.  See Upgrading From 4.0 to 4.x for details.

 This release addresses the following security issues discovered in DSpace 4.x and below: 

• JSPUI DSpace API security fixes: 
  • [MEDIUM HIGH SEVERITY]  BasicWorkflow system is vulnerable to unauthorized manipulations (DS-3647 - requires a JIRA account to access)
    • Reported by Pascal-Nicolas Becker
  • [LOW SEVERITY]  Apache Commons Collections vulnerability (COLLECTIONS-580) (DS-3520 Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x 
  • • Discovered by Genaro Contreras
      
  • [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x
    • Discovered by Genaro Contreras

...

• • )
    • Reported by Alan Orth

In addition, this release fixes minor bugs in the 4.x releases. For more information, see the Changes in 4.x page.

4.8 Acknowledgments 

The 4.8 release was led by the Committers.

The following individuals provided code or bug fixes to the 4.8 release: Pascal-Nicolas Becker (pnbecker), Tim Donohue (tdonohue), Samuel Cambien (samuelcambien), Jonas Van Goolen (Jonas VG (atmire)), Mark Wood (mwood).

 4.7 Release Notes 

DSpace 4.7 DSpace 4.3 is a security fix release to resolve several issues an issue located in DSpace 4.x XMLUI and JSPUI. As it only provides a security-fixesfix, DSpace 4.3 7 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.37.

 This release addresses the following security issues discovered in DSpace 4.x and below: 

• JSPUI, XMLUI, REST security fixes:
  • JSPUI and XMLUI
    •  [MEDIUM SEVERITY]  XML External Entity (XXE) vulnerability in pdfbox. (DS-3309
  XMLUI Security Fixes
  
  • [HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities (DS-2445
    • - requires a JIRA account to access
    for two weeks, and then will be public): These vulnerabilities allow someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2.

    • Discovered by: Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team

  • In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory. In addition, the Tomcat documentation details "allowLinking=true" as a possible security concern.  However, you still must upgrade or patch your DSpace in order to completely resolve this vulnerability.
• JSPUI Security Fixes
  • [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
    • Discovered by Khalil Shreateh
      
  • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings (DS-1702 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow a depositor/submitter to embed dangerous Javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has existed since DSpace 1.5.x.
    
    • Discovered by: Jean-Paul Zhao of University of Toronto
      
  • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form (DS-2044 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x
    • 4.x / 5.x vulnerability discovered by  Gabriela Mircea of McMaster University and Khalil Shreateh
    • 3.x vulnerability discovered by İlyas Orak of Biznet Bilisim A.S.

4.2 Release Notes

• • • ) (NOTE: this ticket was actually fixed in an earlier, unannounced 4.6 release, but it is also included in 4.7)
      
      • Reported by Seth Robbins
  • JSPUI, XMLUI and REST
    
    • [MEDIUM SEVERITY]  Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
      
      • Reported by Franziska Ackermann
        
• JSPUI security fix:
  • [HIGH SEVERITY]  Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access) 
    • Reported by Andrea Bollini

In addition, this release fixes minor bugs in the 4.x releases. For more information, see the Changes in 4.x page.

4.7 Acknowledgments 

The 4.7 release was led by Andrea Pascarelli (4Science) and the Committers.

The following individuals provided code or bug fixes to the 4.7 release: Pascal-Nicolas Becker (pnbecker), Andrea Bollini (abollini), Andrea Pascarelli (lap82)

 4.6 Release Notes

DSpace 4.6 is a security fix release to resolve an issue located in DSpace 4.x XMLUI and JSPUI. As it only provides a security-fix, DSpace 4.6 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.6.

This release addresses the following security issues discovered in DSpace 4.x and below:

• security fix:
  • [MEDIUM SEVERITY]  XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access)
    
    • Reported by Seth Robbins
      
• other fixes:
  • It was not possible to send mails using an ssl secured connection to the mail server (DS-2702)
   

In addition, this release fixes minor bugs in the 4.x releases. For more information, see the Changes in 4.x page.

4.6 Acknowledgments 

The 4.6 release was led by Andrea Pascarelli (4Science) and the Committers.

The following individuals provided code or bug fixes to the 4.6 release: Pascal-Nicolas Becker (pnbecker), Andrea Bollini (abollini),  Roeland Dillen (rradillen), Tim Donohue (tdonohue), Bram Luyten (bram-atmire), Andrea Pascarelli (lap82), Mark Wood (mwoodiupui)

4.5 Release Notes

DSpace 4.5 is a security fix release to resolve several issues located in DSpace 4.x XMLUI and JSPUI. As it only provides security-fixes, DSpace 4.5 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.5.

This release addresses the following security issues discovered in DSpace 4.x and below:

• XMLUI security fixes:
  • [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
    • Reported by Virginia Tech
      
• JSPUI security fixes: 
  • [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.)
    • Reported by CINECA

4.5 Acknowledgments 

The 4.5 release was led by Tim Donohue (DuraSpace) and the Committers.

The following individuals provided code or bug fixes to the 4.5 release: Andrea Bollini (abollini), Tim Donohue (tdonohue), Ivan Masar (helix84), Mark Wood (mwoodiupui)

4.4 Release Notes

DSpace 4.4 is a security fix release to resolve several issues located in DSpace 4.x JSPUI. As it only provides security-fixes, DSpace 4.4 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.4.

This release addresses the following security issues discovered in DSpace 4.x and below:

• JSPUI security fixes: 
  • [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x 
    • Discovered by Genaro Contreras
      
  • [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x
    • Discovered by Genaro Contreras

4.4 Acknowledgments 

The 4.4 release was led by Tim Donohue (DuraSpace), Andrea Schweer (U of Waikato) and the Committers.

The following individuals provided code or bug fixes to the 4.4 release: Pascal-Nicolas Becker (pnbecker), CTU Developers (ctu-developers), Roeland Dillen (rradillen), Tim Donohue (tdonohue), Àlex Magaz Graça (rivaldi8), Bram Luyten (bram-atmire), Ivan Masar (helix84), Christian Scheible (christian-scheible), Andrea Schweer (aschweer), Jonas Van Goolen (jonas-atmire), Mark Wood (mwoodiupui)

4.3 Release Notes

DSpace 4.3 is a security fix release to resolve several issues located in DSpace 4.x. As it only provides security-fixes, DSpace 4.3 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.3.

This release addresses the following security issues discovered in DSpace 4.x and below:

• XMLUI Security Fixes
  

  • [HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities (DS-2445 - requires a JIRA account to access for two weeks, and then will be public): These vulnerabilities allow someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2.

    • Discovered by: Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team

  • In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory. In addition, the Tomcat documentation details "allowLinking=true" as a possible security concern.  However, you still must upgrade or patch your DSpace in order to completely resolve this vulnerability.
• JSPUI Security Fixes
  • [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
    • Discovered by Khalil Shreateh
      
  • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings (DS-1702 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow a depositor/submitter to embed dangerous Javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has existed since DSpace 1.5.x.
    
    • Discovered by: Jean-Paul Zhao of University of Toronto
      
  • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form (DS-2044 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x
    • 4.x / 5.x vulnerability discovered by  Gabriela Mircea of McMaster University and Khalil Shreateh
    • 3.x vulnerability discovered by İlyas Orak of Biznet Bilisim A.S.

4.3 Acknowledgments 

The 4.3 release was led by Tim Donohue (DuraSpace) and the Committers.

The following individuals provided code or bug fixes to the 4.3 release: Terry Brady (terrywbrady), Roeland Dillen (rradillen), Tim Donohue (tdonohue), Ivan Masar (helix84), Andrea Pascarelli (lap82), Avi Romanoff (aroman), Christian Scheible (christian-scheible), Robin Taylor (robintaylor)

4.2 Release Notes

DSpace 4.2 provides bug-fixes and minor improvements to the 4.x platform. As it only provides bug-fixes, DSpace 4.2 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.2 (except for  DS-2036 which may affect some Oracle users ; see  Fixing the effects of DS-2036 ).

Issues which have been resolved in 4.2 include:

• Fixed occasional "Out of Memory" errors when indexing large bitstreams/files in Discovery (DS-1958)

• Fixed issue where REST API was not releasing "context" and ignored database pooling (DS-1986)

• Fixed Solr commit delays when "did you mean" functionality is enabled in Discovery (DS-2060)

• Fixed the "dspace classpath" command (DS-1998)

• Fixed issue where thumbnails were not displayed when using JSPUI + Oracle database (DS-2013)

• Fixed validation of OAI-PMH response (DS-1928)
• Fixed several Oracle database upgrade script errors (DS-2036, DS-2038, DS-2056, and DS-1957)
• Fixed Maven build issue on Windows operating systems (DS-1940)
• Other minor fixes See Changes in 4.x section for a list of all fixes.

4.2 Acknowledgments 

The 4.2 release was led by Robin Taylor (U of Edinburgh) and the Committers.

The following individuals provided code or bug fixes to the 4.2 release: Pascal-Nicolas Becker (pnbecker), Peter Dietz (peterdietz), Roeland Dillen (rradillen), Tim Donohue (tdonohue), Denis Fdz, Keith Gilbertson (keithgee), Panagiotis Koutsourakis (kutsurak), Bram Luyten (bram-atmire), Mini-Pillai, Ivan Masar (helix84), Thomas Misilo (misilot), Hardy Pottinger (hardyoyo), Antoine Snyers (antoine-atmire), Robin Taylor (robintaylor), Kevin Van de Velde (KevinVdV), Mark Wood (mwoodiupui)

4.1 Release Notes

DSpace 4.1 DSpace 4.2 provides bug-fixes and minor improvements to the 4.x platform. As it only provides bug-fixes, DSpace 4.2 1 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.2 1 (except for DS-2036 which may affect some Oracle users 1536; see Fixing the effects of DS-20361536).

Issues which have been resolved in 4.2 1 include:

• Fixed occasional "Out of Memory" errors when indexing large bitstreams/files in Discovery (DS-1958)

• Fixed issue where REST API was not releasing "context" and ignored database pooling (DS-1986)

• Fixed Solr commit delays when "did you mean" functionality is enabled in Discovery (DS-2060)

• Fixed the "dspace classpath" command (DS-1998)

• Fixed issue where thumbnails were not displayed when using JSPUI + Oracle database (DS-2013)

• Fixed validation of OAI-PMH response (DS-1928)
• Fixed several Oracle database upgrade script errors (DS-2036, DS-2038, DS-2056, and DS-1957)
• Fixed Maven build issue on Windows operating systems (DS-1940)
• issue where having a period (.) in your handle prefix generated incorrect identifiers (DS-1536)
• Fixed broken quick build (from [dspace-src]/dspace) (DS-1867)
• Fixed a crash of DSpace during CSV import via BTE (DS-1857)
• Fixed collection harvesting to DSpace via ORE (DS-1848)
• Fixed deposit of new items via SWORD (DS-1846)
• Fixed search hit highlighting in XMLUI (DS-1907)
• Fixed broken 'stat-initial' script (DS-1795)
• Other minor fixes. See Other minor fixes See Changes in 4.x section for a list of all fixes.

4.1

...

Acknowledgments 

DSpace 4.1 provides bug-fixes and minor improvements to the 4.x platform. As it only provides bug-fixes, DSpace 4.1 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.1 (except for DS-1536; see Fixing the effects of DS-1536).

Issues which have been resolved in 4.1 include:

...

The 4.1 release was led by Mark Wood (IUPUI) and the Committers.

...

The following individuals provided code or bug fixes to the 4.1 release: Andrea Bollini (abollini), Roeland Dillen (rradillen), Tim Donohue (tdonohue), Àlex Magaz Graça (rivaldi8), Panagiotis Koutsourakis (kutsurak), marsaoua, Ivan Masar (helix84), João Melo (lyncodev), Thomas Misilo (misilot), Andrea Pascarelli (lap82), Adán Román Ruiz, Andrea Schweer (aschweer), Kim Shepherd (kshepherd), Kostas Stamatis (kstamatis), Kevin Van de Velde (KevinVdV), Mark Wood (mwoodiupui)

4.0 Release Notes

The following is a list of the new features included for the 4.x platform (not an exhaustive list):

...