Versions Compared

Old Version 67

changes.mady.by.user Terrence W Brady

Saved on

compared with

New Version Current

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Table of Contents

Info
titleOnline Version of Documentation also available

This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 5.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC5x


Warning

Support for DSpace 5 will be ending on January 1, 2023.  See Support for DSpace 5 and 6 is ending in 2023

Welcome to Release 5.811, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpaceon upgrading to DSpace 5, please see Upgrading DSpace.

Table of Contents

5.11 Release Notes

Note
titleWe highly recommend all DSpace 5.x users upgrade to 5.11

DSpace 5.11 contains security and bug fixes for both the JSPUI and XMLUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.11.

DSpace 5.11 upgrade instructions are available at: Upgrading DSpace

Summary

DSpace 5.11 is a bug fix release to resolve several issues located in previous 5.x releases. As it only provides only security and bug fixes, DSpace 5.11 should constitute an easy upgrade from DSpace 5.x for most users. No database changes should be necessary when upgrading from DSpace 5.x to 5.11.

Security fixes include:

  • [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI) : Path traversal vulnerability in Simple Archive Format package import (ItemImportService API). This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. This path traversal is only possible by a user with special privileges (Administrators or someone with command-line access to the server).
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31194 (impacts JSPUI only) : The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, just by modifying some request parameters during submission. This path traversal can only be executed by a user with submitter rights.
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31193 (impacts JSPUI only) : The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice.
    • Reported by Johannes Moritz of Ripstech
  • [MODERATE] CVE-2022-31191 (impacts JSPUI only) : The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to Cross Site Scripting (XSS).
    • Reported by Hassan Bhuiyan, Brunel University London
  • [MODERATE] CVE-2022-31192 (impacts JSPUI) : The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
    • Reported by Andrea Bollini of 4Science

Major bug fixes include:

Minor improvements include:

  • Fix Discovery index command when using the "-c" (clean) option: DS-4393 (#2605)
  • Avoid crosswalking invalid publish dates for Google Scholar: DS-4104 (#2295)

View the full list of changes for DSpace 5.11 on GitHub.

5.11 Acknowledgments

The 5.11 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs)

The following individuals provided tests, code or bug fixes or review to the 5.11 release (in alphabetical order by given name): Andrea Bollini, Andrea Jenis Saroni, Andrew Bennet, Bram Luyten, Hrafn Malmquist, Iordanis Kostelidis, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Pascal-Nicolas Becker, Philip Vissenaekens, samuel, Terry Brady, Tim Donohue.

5.10 Release Notes 

Note
titleWe recommend sites dependent on Java 7, REST API and/or RDF skip DSpace 5.9 and update to DSpace 5.10

Unfortunately, bug fixes in the DSpace 5.9 release resulted in issues running DSpace 5.9 on Java 7, and with running the REST API and RDF interfaces. These issues are being resolved in an upcoming 5.10 release (see below for more details). Sites which are dependent on one of these features should consider upgrading directly from DSpace 5.8 to 5.10.

Summary

DSpace 5.10 is a bug fix release to resolve JAR dependency issues found in DSpace 5.9 for users running Java 7 (regardless of Tomcat version).

This release also addresses a bug in the DSpace 5.9 release that prevented VIEW statistics from being logged by DSpace.

Other minor bug fixes have been included in the release.

Major bug fixes include

Other fixes include

In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.

Upgrade Instructions

  • For upgrade instructions from ANY PRIOR VERSION to 5.10, please see Upgrading DSpace

  • When upgrading from any 5.x version, if you're reusing your 5.x configuration, make sure to change all instances of Filter attribute "red" to "ref" (e.g. <Filter red="exampleFilter" /> to <Filter ref="exampleFilter" />) in [dspace]/config/crosswalks/oai/xoai.xml. "red" was a temporary workaround for a bug (xoai issue #32), which was first fixed in DSpace 5.4.

No new features in DSpace 5.10

Note

5.10 is a bug-fix release. This means it includes no new features and only includes the above listed fixes.

For a list of all new 5.x Features, please visit the 5.x Release Notes.

5.10 Acknowledgments 

The 5.10 release was led by Terrence W Brady.

The following individuals provided code or bug fixes to the 5.10 release: Terrence W Brady , Alexander Sulfrian , Philip Vissenaekens (Atmire) , Jozsef Marton.

5.9 Release Notes 

Note
titleWe highly recommend ALL JSPUI users of DSpace 5.x upgrade to 5.9

DSpace 5.9 contains security fixes for the JSPUI (only). To ensure your 5.x JSPUI site is secure, we highly recommend ALL JSPUI DSpace 4.x users upgrade to DSpace 5.9.

DSpace 5.x XMLUI users may also wish to upgrade as several major bugs have been fixed in the XMLUI as well.

DSpace 5.9 upgrade instructions are available at: Upgrading DSpace

DSpace 5.9 is a security & bug fix release to resolve several issues located in previous 5.x releases. As it only provides bug/security fixes, DSpace 5.9 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.9.

JSPUI security fixes include

  • [HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.) 

    • Reported by Julio Brafman

  • [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.) 

    • Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)

Major bug fixes include

  • Update DSpace ORCID Integration to use ORCID API v2 (instead of now obsolete ORCID v1): DS-3447
  • Update DSpace Statistics to use GeoIP API v2 (instead of now discontinued GeoIP API v1): DS-3832
  • Other API-level fixes (affecting all UIs)
    • PostgreSQL JDBC driver upgraded to latest version (to allow for full compatibility with PostgreSQL v10): DS-3854
    • Ensure ImageMagick thumbnails respect the orientation of original file: DS-3839
  • OAI-PMH Fixes
    • Enhanced "oai import" command to report on items that cause indexing issues: DS-3852
    • Fix 500 error when no Community or Collection: DS-3853
  • XMLUI Fixes
    • Fixed Mirage v2 build issues caused by Bower Registry URL change: DS-3936
    • Fixed performance issues for Items with 100+ bitstreams: DS-3883
    • Fix issue where search results lose Community/Collection context when sorting: DS-3835
    • Update Mirage to use recommended MathJax inline delimiters (DS-3087) and to use new CDN location (DS-3560)

In addition, this release fixes minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.

5.9 Acknowledgments 

The 5.9 release was led by the DSpace Committers.

The following individuals provided code or bug fixes to the 5.9 release: Pascal-Nicolas Becker, Ben Bosman, Terry Brady, Tim Donohue, Alex Magaz Graça, Lotte Hofstede, Ivan Masár, Hardy Pottinger, Kim Shepherd, Jonas Van Goolen and Mark H. Wood.

5.8 Release Notes 

Note
titleWe recommend users of DSpace 5.x who use the ImageMagick Thumbnail filter process to upgrade to 5.8

DSpace 5.8 contains a fix to the ImageMagick thumbnail creation process. We highly recommend ALL DSpace 5.x users upgrade to DSpace 5.8.

DSpace 5.8 upgrade instructions are available at: Upgrading DSpace

DSpace 5.8 contains a fix for a bug introduced in DSpace 5.7. As it only provides bug /security fixes, DSpace 5.8 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.8.
 

...

  • Resolve a performance issue in the ImageMagick Thumbnail Creation process for PDF files JiraserverDuraSpace JIRAserverIdc815ca92-fd23-34c2-8fe3-956808caf8c5key(DS-3661)

Other fixes

  • Update automated testing resources (DS-3674)
  • Set a particular version for CSS processing in Mirage2

...

The following individuals provided code or bug fixes to the 5.7 8 release: Terry Brady (terrywbrady), Tim Donohue (tdonohue), Hardy Pottinger (hardyoyo).  Release support provided by Mark Wood (mwood).

...

  • Solr statistics upgrade fixes:
    • Resolve issues where index data was not being properly upgraded (DS-2486, DS-2487, DS-2489)
    • Failure when "sharding" the Solr statistics index (DS-2212) 
  • OAI fixes:
    • Handle dates correctly in resumption tokens, so that harvesting captures the full specified range. (DS-2546, DS-2582) 
    • List all authors in METS formatted metadata. (DS-2474)
    • Change the declared OAI deletion mode to "transient", which corresponds to what DSpace actually does. (DS-2491)
    • Restore the ability to create additional Filters for OAI-PMH interface. (DS-2423)
  • REST API fixes:
    • Wrong SQL in REST /items/find-by-metadata-field.  (DS-2501)
    • Listing collections would fail when using Oracle DB.  (DS-2508)
    • Correctly apply bitstream policies.  (DS-2511)
  • Other notable fixes:
    • "dspace update-handle-prefix" failed when using Oracle DB. (DS-2218)
    • Do not index items that are still in a submitter's workspace. (DS-2403)
    • Remember the context (community, collection) during browsing. (DS-2482)
    • Better handle upload of file with a semicolon in its name. (DS-2513)
    • EZID DOI minting properly sets the URI of the identified item. (DS-2518)
    • Update of the list of robots recognized by DSpace. (DS-2531)

In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.

...