All Versions
- DSpace 7.x (Current Release)
- DSpace 8.x (Unreleased)
- DSpace 6.x (EOL)
- DSpace 5.x (EOL)
- More Versions...
Page History
...
| Warning |
|---|
Support for DSpace 5 will be ending on January 1, 2023. See Support for DSpace 5 and 6 is ending in 2023 |
Welcome to Release 5.911, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpace.
| Table of Contents |
|---|
5.11 Release Notes
| Note | ||
|---|---|---|
| ||
DSpace 5.11 contains security and bug fixes for both the JSPUI and XMLUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.11. DSpace 5.11 upgrade instructions are available at: Upgrading DSpace |
Summary
DSpace 5.11 is a bug fix release to resolve several issues located in previous 5.x releases. As it only provides only security and bug fixes, DSpace 5.11 should constitute an easy upgrade from DSpace 5.x for most users. No database changes should be necessary when upgrading from DSpace 5.x to 5.11.
Security fixes include:
- [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI) : Path traversal vulnerability in Simple Archive Format package import (ItemImportService API). This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. This path traversal is only possible by a user with special privileges (Administrators or someone with command-line access to the server).
- Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31194 (impacts JSPUI only) : The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, just by modifying some request parameters during submission. This path traversal can only be executed by a user with submitter rights.
- Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31193 (impacts JSPUI only) : The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice.
- Reported by Johannes Moritz of Ripstech
- [MODERATE] CVE-2022-31191 (impacts JSPUI only) : The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to Cross Site Scripting (XSS).
- Reported by Hassan Bhuiyan, Brunel University London
- [MODERATE] CVE-2022-31192 (impacts JSPUI) : The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
- Reported by Andrea Bollini of 4Science
Major bug fixes include:
- Fix Mirage 2 build broken by disappearance of JRuby gems torquebox.org mirror: https://github.com/DSpace/DSpace/commit/0428da8dab7a02c592ec96ab9cea545f5b6de42d
- Database fixes
- Migrate
update-sequences.sqlscript todspace databasecommand: DS-4167 (#2361)
- Migrate
- XMLUI fixes
- Fix Discovery label for metadata values under authority control: DS-2852 (#1701)
- Fix missing date values while faceting: DS-3791 (#2679)
- Fix support for custom
sitemap.xmapin Mirage 2: DS-3545 (#1691)
- JSPUI fixes
- Fix bug in JSPUI Shibboleth session renewal: DS-3444 (#2566)
- Update Sherpa Romeo layout:DS-4377 (#2565)
- Fix issue with duplicate headers when bitstream title has a comma: DS-4340 (#2514)
- REST API fixes:
- Fix Maven build issue due to blocking of plaintext HTTP repositories: #3247 (see #3274)
- Improve performance of collections endpoints: DS-4342 (#2517)
Minor improvements include:
- Fix Discovery index command when using the "-c" (clean) option: DS-4393 (#2605)
- Avoid crosswalking invalid publish dates for Google Scholar: DS-4104 (#2295)
View the full list of changes for DSpace 5.11 on GitHub.
5.11 Acknowledgments
The 5.11 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs)
The following individuals provided tests, code or bug fixes or review to the 5.11 release (in alphabetical order by given name): Andrea Bollini, Andrea Jenis Saroni, Andrew Bennet, Bram Luyten, Hrafn Malmquist, Iordanis Kostelidis, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Pascal-Nicolas Becker, Philip Vissenaekens, samuel, Terry Brady, Tim Donohue.
5.10 Release Notes
| Note | ||
|---|---|---|
| ||
Unfortunately, bug fixes in the DSpace 5.9 release resulted in issues running DSpace 5.9 on Java 7, and with running the REST API and RDF interfaces. These issues are being resolved in an upcoming 5.10 release (see below for more details). Sites which are dependent on one of these features should consider upgrading directly from DSpace 5.8 to 5.10. |
...
Overview
Content Tools