All Versions
- DSpace 7.x (Current Release)
- DSpace 8.x (Unreleased)
- DSpace 6.x (EOL)
- DSpace 5.x (EOL)
- More Versions...
Page History
| Table of Contents |
|---|
| Info | ||
|---|---|---|
| ||
This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 5.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC5x |
| Warning |
|---|
Support for DSpace 5 will be ending on January 1, 2023. See Support for DSpace 5 and 6 is ending in 2023 |
Welcome to Release 5.911, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpace.
| Table of Contents |
|---|
5.
...
11 Release Notes
...
| Note | ||
|---|---|---|
| ||
DSpace 5. | 10Unfortunately, 11 contains security and bug fixes for both the JSPUI and XMLUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.11. DSpace 5.11 upgrade instructions are available at: Upgrading DSpace |
Summary
DSpace 5.11 is a bug fix release to resolve several issues located in previous 5.x releases. As it only provides only security and bug fixes, DSpace 5.11 should constitute an easy upgrade from DSpace 5.x for most users. No database changes should be necessary when upgrading from DSpace 5.x to 5.11.
Security fixes include:
- [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI) : Path traversal vulnerability in Simple Archive Format package import (ItemImportService API). This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. This path traversal is only possible by a user with special privileges (Administrators or someone with command-line access to the server).
- Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31194 (impacts JSPUI only) : The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, just by modifying some request parameters during submission. This path traversal can only be executed by a user with submitter rights.
- Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31193 (impacts JSPUI only) : The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice.
- Reported by Johannes Moritz of Ripstech
- [MODERATE] CVE-2022-31191 (impacts JSPUI only) : The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to Cross Site Scripting (XSS).
- Reported by Hassan Bhuiyan, Brunel University London
- [MODERATE] CVE-2022-31192 (impacts JSPUI) : The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
- Reported by Andrea Bollini of 4Science
Major bug fixes include:
- Fix Mirage 2 build broken by disappearance of JRuby gems torquebox.org mirror: https://github.com/DSpace/DSpace/commit/0428da8dab7a02c592ec96ab9cea545f5b6de42d
- Database fixes
- Migrate
update-sequences.sqlscript todspace databasecommand: DS-4167 (#2361)
- Migrate
- XMLUI fixes
- Fix Discovery label for metadata values under authority control: DS-2852 (#1701)
- Fix missing date values while faceting: DS-3791 (#2679)
- Fix support for custom
sitemap.xmapin Mirage 2: DS-3545 (#1691)
- JSPUI fixes
- Fix bug in JSPUI Shibboleth session renewal: DS-3444 (#2566)
- Update Sherpa Romeo layout:DS-4377 (#2565)
- Fix issue with duplicate headers when bitstream title has a comma: DS-4340 (#2514)
- REST API fixes:
- Fix Maven build issue due to blocking of plaintext HTTP repositories: #3247 (see #3274)
- Improve performance of collections endpoints: DS-4342 (#2517)
Minor improvements include:
- Fix Discovery index command when using the "-c" (clean) option: DS-4393 (#2605)
- Avoid crosswalking invalid publish dates for Google Scholar: DS-4104 (#2295)
View the full list of changes for DSpace 5.11 on GitHub.
5.11 Acknowledgments
The 5.11 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs)
The following individuals provided tests, code or bug fixes or review to the 5.11 release (in alphabetical order by given name): Andrea Bollini, Andrea Jenis Saroni, Andrew Bennet, Bram Luyten, Hrafn Malmquist, Iordanis Kostelidis, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Pascal-Nicolas Becker, Philip Vissenaekens, samuel, Terry Brady, Tim Donohue.
5.10 Release Notes
| Note | ||
|---|---|---|
| ||
Unfortunately, bug fixes in the DSpace 5.9 release resulted in issues running DSpace 5.9 in the DSpace 5.9 release resulted in issues running DSpace 5.9 on Java 7, and with running the REST API and RDF interfaces. These issues are being resolved in an upcoming 5.10 release (see below for more details). Sites which are dependent on one of these features should consider upgrading directly from DSpace 5.8 to 5.10. |
...
Other minor bug fixes have been included in the release.
Major bug fixes include
Jira server DuraSpace JIRA serverId c815ca92-fd23-34c2-8fe3-956808caf8c5 key DS-4000 Jira server DuraSpace JIRA serverId c815ca92-fd23-34c2-8fe3-956808caf8c5 key DS-4020
Other fixes include
- DS-4000: DSpace 5.9 - REST Service Does Not Run
- DS-3938: After upgrading PostgreSQL JDBC driver, DSpace does not run on JDK 7
- DS-4020: DSpace 5.9 is not saving VIEW events to statistics repo (SEARCH and WORKFLOW are saved)
Other fixes include
- DS-4007: PDF Text Extractor can cause strings like "content-type" to show up in search snippets
Jira server DuraSpace JIRA serverId c815ca92-fd23-34c2-8fe3-956808caf8c5 key DS-4007To fully realize the benefit of this fix, a full discover reindex is recommended.
- If you don't reindex, newly added bitstreams would no longer display the file metadata in their index. (But, old bitstreams would still continue to display file metadata until you do a full reindex).
- Institutions unaffected/unconcerned by this bug do not need to reindex. If you do choose to reindex, then the bug would be fully fixed
- DS-2948: Filter-media-> file metadata indexed in full text
- DS-3664: Color Profile Detection Method in ImageMagick filter is prohibitively slow
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.
...
- Solr statistics upgrade fixes:
- OAI fixes:
- Handle dates correctly in resumption tokens, so that harvesting captures the full specified range. (DS-2546, DS-2582)
- List all authors in METS formatted metadata. (DS-2474)
- Change the declared OAI deletion mode to "transient", which corresponds to what DSpace actually does. (DS-2491)
- Restore the ability to create additional Filters for OAI-PMH interface. (DS-2423)
- REST API fixes:
- Other notable fixes:
- "
dspace update-handle-prefix" failed when using Oracle DB. (DS-2218) - Do not index items that are still in a submitter's workspace. (DS-2403)
- Remember the context (community, collection) during browsing. (DS-2482)
- Better handle upload of file with a semicolon in its name. (DS-2513)
- EZID DOI minting properly sets the URI of the identified item. (DS-2518)
- Update of the list of robots recognized by DSpace. (DS-2531)
- "
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
...
Overview
Content Tools