Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Info
titleOnline Version of Documentation also available

This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 4.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC4x


Welcome to Release 4.89, a security release for the DSpace 4.x platform. For information on upgrading to DSpace 4, please see Upgrading DSpace.
 

4.9 Release Notes  

Note
titleWe highly recommend ALL JSPUI users of DSpace 4.x upgrade to 4.9

DSpace 4.9 contain security fixes for the JSPUI (only). To ensure your 4.x site is secure, we highly recommend ALL JSPUI DSpace 4.x users upgrade to DSpace 4.9.

DSpace 4.9 upgrade instructions are available at: Upgrading DSpace

DSpace 4.9 is a security fix release to resolve issues located in DSpace 4.x JSPUI (only). As it only provides security fixes, DSpace 4.9 should constitute an easy upgrade from DSpace 4.x for most users. No additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.8.

 This release addresses the following security issues discovered in DSpace 4.x and below: 

  • DSpace JSPUI security fixes:
    • [HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.) 

      • Reported by Julio Brafman

    • [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.) 

      • Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)

In addition, this release fixes minor bugs in the 4.x releases. For more information, see the Changes in 4.x page.

4.9 Acknowledgments 

The 4.9 release was led by the Committers.

The following individuals provided code or bug fixes to the 4.9 release: Julio Brafman, Tim Donohue (tdonohue), Eike Kleiner, Kim Shepherd (kshepherd), Mark Wood (mwood).

4.8 Release Notes 

Note
titleWe highly recommend ALL users of DSpace 4.x upgrade to 4.8

DSpace 4.8 contain security fixes for both the XMLUI and JSPUI. To ensure your 4.x site is secure, we highly recommend ALL DSpace 4.x users upgrade to DSpace 4.8.

DSpace 4.8 upgrade instructions are available at: Upgrading DSpace

 DDSpace 4.8 is a security fix release to resolve issues located in DSpace 4.x XMLUI and JSPUI. As it only provides security and bug fixes, DSpace 4.8 should constitute an easy upgrade from DSpace 4.x for most users. No additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.8.  It is necessary to run a database update script.  See Upgrading From 4.0 to 4.x for details.

...

Note
titleWe highly recommend ALL users of DSpace 4.x upgrade to 4.7

DSpace 4.7 contain security fix for both the XMLUI and JSPUI. To ensure your 4.x site is secure, we highly recommend ALL DSpace 4.x users upgrade to DSpace 4.7.

DSpace 4.7 upgrade instructions are available at: Upgrading DSpace

 DDSpace 4.7 is a security fix release to resolve an issue located in DSpace 4.x XMLUI and JSPUI. As it only provides a security-fix, DSpace 4.7 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.7.

...