Info |
---|
title | Online Version of Documentation also available |
---|
|
This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 5.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC5x |
Warning |
---|
Support for DSpace 5 will be ending on January 1, 2023. See Support for DSpace 5 and 6 is ending in 2023 |
Welcome to Release 5.911, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpace.
5.
...
11 Release Notes
...
Note |
---|
title | We recommend sites dependent on Java 7, REST API and/or RDF skip highly recommend all DSpace 5.9 and update to x users upgrade to 5.11 |
---|
|
DSpace 5. | 10Unfortunately, 11 contains security and bug fixes for both the JSPUI and XMLUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.11. DSpace 5.11 upgrade instructions are available at: Upgrading DSpace |
Summary
DSpace 5.11 is a bug fix release to resolve several issues located in previous 5.x releases. As it only provides only security and bug fixes, DSpace 5.11 should constitute an easy upgrade from DSpace 5.x for most users. No database changes should be necessary when upgrading from DSpace 5.x to 5.11.
Security fixes include:
- [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI) : Path traversal vulnerability in Simple Archive Format package import (ItemImportService API). This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. This path traversal is only possible by a user with special privileges (Administrators or someone with command-line access to the server).
- Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31194 (impacts JSPUI only) : The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, just by modifying some request parameters during submission. This path traversal can only be executed by a user with submitter rights.
- Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31193 (impacts JSPUI only) : The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice.
- Reported by Johannes Moritz of Ripstech
- [MODERATE] CVE-2022-31191 (impacts JSPUI only) : The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to Cross Site Scripting (XSS).
- Reported by Hassan Bhuiyan, Brunel University London
- [MODERATE] CVE-2022-31192 (impacts JSPUI) : The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
- Reported by Andrea Bollini of 4Science
Major bug fixes include:
- Fix Mirage 2 build broken by disappearance of JRuby gems torquebox.org mirror: https://github.com/DSpace/DSpace/commit/0428da8dab7a02c592ec96ab9cea545f5b6de42d
- Database fixes
- Migrate
update-sequences.sql
script to dspace database
command: DS-4167 (#2361)
- XMLUI fixes
- JSPUI fixes
- REST API fixes:
- Fix Maven build issue due to blocking of plaintext HTTP repositories: #3247 (see #3274)
- Improve performance of collections endpoints: DS-4342 (#2517)
Minor improvements include:
- Fix Discovery index command when using the "-c" (clean) option: DS-4393 (#2605)
- Avoid crosswalking invalid publish dates for Google Scholar: DS-4104 (#2295)
View the full list of changes for DSpace 5.11 on GitHub.
5.11 Acknowledgments
The 5.11 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs)
The following individuals provided tests, code or bug fixes or review to the 5.11 release (in alphabetical order by given name): Andrea Bollini, Andrea Jenis Saroni, Andrew Bennet, Bram Luyten, Hrafn Malmquist, Iordanis Kostelidis, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Pascal-Nicolas Becker, Philip Vissenaekens, samuel, Terry Brady, Tim Donohue.
5.10 Release Notes
Note |
---|
title | We recommend sites dependent on Java 7, REST API and/or RDF skip DSpace 5.9 and update to DSpace 5.10 |
---|
|
Unfortunately, bug fixes in the DSpace 5.9 release resulted in issues running DSpace 5.9 in the DSpace 5.9 release resulted in issues running DSpace 5.9 on Java 7, and with running the REST API and RDF interfaces. These issues are being resolved in an upcoming 5.10 release (see below for more details). Sites which are dependent on one of these features should consider upgrading directly from DSpace 5.8 to 5.10. |
...
Other minor bug fixes have been included in the release.
Major bug fixes include
Jira |
---|
server | DuraSpace JIRA |
---|
serverId | c815ca92-fd23-34c2-8fe3-956808caf8c5 |
---|
key | DS-4000 |
---|
|
Jira |
---|
server | DuraSpace JIRA |
---|
serverId | c815ca92-fd23-34c2-8fe3-956808caf8c5 |
---|
key | DS-4020 |
---|
|
Other fixes include
Other fixes include
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.
...
- Solr statistics upgrade fixes:
- Resolve issues where index data was not being properly upgraded (DS-2486, DS-2487, DS-2489)
- Failure when "sharding" the Solr statistics index (DS-2212)
- OAI fixes:
- Handle dates correctly in resumption tokens, so that harvesting captures the full specified range. (DS-2546, DS-2582)
- List all authors in METS formatted metadata. (DS-2474)
- Change the declared OAI deletion mode to "transient", which corresponds to what DSpace actually does. (DS-2491)
- Restore the ability to create additional Filters for OAI-PMH interface. (DS-2423)
- REST API fixes:
- Wrong SQL in REST /items/find-by-metadata-field. (DS-2501)
- Listing collections would fail when using Oracle DB. (DS-2508)
- Correctly apply bitstream policies. (DS-2511)
- Other notable fixes:
- "
dspace update-handle-prefix
" failed when using Oracle DB. (DS-2218)
- Do not index items that are still in a submitter's workspace. (DS-2403)
- Remember the context (community, collection) during browsing. (DS-2482)
- Better handle upload of file with a semicolon in its name. (DS-2513)
- EZID DOI minting properly sets the URI of the identified item. (DS-2518)
- Update of the list of robots recognized by DSpace. (DS-2531)
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
...