Versions Compared

Old Version 58

changes.mady.by.user Tim Donohue

Saved on

compared with

New Version 59

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Move acknowledgments to per release

...

The 5.6 release was led by Andrea Pascarelli (4Science) and the Committers.

5.5 Release Notes

The following individuals provided code or bug fixes to the 5.6 release: Andrea Bollini (abollini), Tim Donohue (tdonohue), Claudia Juergen (cjuergen), Bram Luyten (bram-atmire), Ivan Masar (helix84), oooriii, Andrea Pascarelli (lap82), Hardy Pottinger (hardyoyo), Roeland Dillen (rradillen), Andrea Schweer (aschweer), William Tantzen (wilee53), Mark Wood (mwoodiupui), Bruno Nocera Zanette

5.5 Release Notes

Note
titleWe highly recommend ALL users of DSpace 5.x upgrade to 5.5

DSpace 5.5 contains security fixes for the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.5.

DSpace 5.5 upgrade

Note
titleWe highly recommend ALL users of DSpace 5.x upgrade to 5.5

DSpace 5.5 contains security fixes for the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.5.

DSpace 5.5 upgrade instructions are available at: Upgrading DSpace

...

The following individuals provided code or bug fixes to the 5.4 release: Pascal-Nicolas Becker (pnbecker), Arnaud de Bossoreille (arnodb), Brad Dewar (bdewar), Peter Dietz (peterdietz), Tim Donohue (tdonohue), Ondrej Košarko (kosarko), Aleksander Kotynski-Buryla (akotynski), Ivan Masar (helix84), Hardy Pottinger (hpottingerhardyoyo), Christian Scheible (christian-scheible), Andrea Schweer (aschweer), Bill Tantzen (wilee53), Jonas Van Goolen, Chris Wilper (cwilper), Mark H Wood (mwoodiupui), Jun Won Jung (RomanticCat)

...

The following individuals provided code or bug fixes to the 5.3 release: Roeland Dillen (rradillen), Tim Donohue (tdonohue), Ondřej Košarko (kosarko), Bram Luyten (bram-atmire), Pascal-Nicolas Becker (pnbecker), Pablo Buenaposada (pablobuenaposada), Nicolas Schwab (nicolasschwab), Andrea Schweer (aschweer), Àlex Magaz Graça (rivaldi8), Roeland Dillen (rradillen), junwei1229, and , junwei1229, and Claudia Juergen (cjuergen).

...

The 5.2 release was led by Hardy Pottinger (University of Missouri Library Systems) and the Committers.

5.1 Release Notes

Note
titleWe highly recommend any users of DSpace 5.x upgrade to 5.1

DSpace 5.1 contains security fixes for both the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend all DSpace 5.x users upgrade to DSpace 5.1.

We also highly recommend removing any  "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern. The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by this setting.

Info
titleDSpace 1.x.x, 3.x or 4.x users may wish to consider upgrading directly to DSpace 5.1

Several of the security vulnerabilities patched in DSpace 5.1 (and backported to 4.3 and 3.4) also affect sites running unsupported DSpace 1.x.x releases. In order to ensure your site is patched, we highly recommend upgrading to DSpace 3.4, DSpace 4.3 or DSpace 5.1.

If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace. Therefore, you may wish to consider upgrading directly to DSpace 5.1, as the 5.x upgrade process is simplified.

DSpace 5.1 is a security and bug fix release to resolve several issues located in DSpace 5.0. As it only provides bug fixes, DSpace 5.1 should constitute an easy upgrade from DSpace 5.0 for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.0 to 5.1.

This release addresses the following security issues discovered in DSpace 5.x and below:

The following individuals provided code or bug fixes to the 5.2 release: Pascal-Nicolas Becker (pnbecker),  CTU Developers (ctu-developers), Roeland Dillen (rradillen), Tim Donohue (tdonohue), Àlex Magaz Graça (rivaldi8), Claudia Juergen (cjuergen), Ondřej Košarko (kosarko), Panagiotis Koutsourakis (kutsurak), Bram Luyten (bram-atmire), Ivan Masar (helix84), minusdavid, Hardy Pottinger (hardyoyo), Christian Scheible (christian-scheible), Andrea Schweer (aschweer), Antoine Snyers (antoine-atmire), Kevin Van de Velde (KevinVdV), Tim Van den Langenbergh (TimothyXL), Chris Wilper (cwilper), Mark Wood (mwoodiupui)

5.1 Release Notes

Note
titleWe highly recommend any users of DSpace 5.x upgrade to 5.1

DSpace 5.1 contains security fixes for both the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend all DSpace 5.x users upgrade to DSpace 5.1.

We also highly recommend removing any  "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern. The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by this setting.


Info
titleDSpace 1.x.x, 3.x or 4.x users may wish to consider upgrading directly to DSpace 5.1

Several of the security vulnerabilities patched in DSpace 5.1 (and backported to 4.3 and 3.4) also affect sites running unsupported DSpace 1.x.x releases. In order to ensure your site is patched, we highly recommend upgrading to DSpace 3.4, DSpace 4.3 or DSpace 5.1.

If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace. Therefore, you may wish to consider upgrading directly to DSpace 5.1, as the 5.x upgrade process is simplified.

DSpace 5.1 is a security and bug fix release to resolve several issues located in DSpace 5.0. As it only provides bug fixes, DSpace 5.1 should constitute an easy upgrade from DSpace 5.0 for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.0 to 5.1.

This release addresses the following security issues discovered in DSpace 5.x and below:

  • XMLUI Security Fixes

    • [HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities (DS-2445

  • XMLUI Security Fixes

    • [HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities (DS-2445 - requires a JIRA account to access for two weeks, and then will be public): These vulnerabilities allow someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2.

      • Discovered by: Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team

    • In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory. In addition, the Tomcat documentation details "allowLinking=true" as a possible security concern.  However, you still must upgrade or patch your DSpace in order to completely resolve this vulnerability.
  • JSPUI Security Fixes
    • [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings (DS-1702

      - requires a JIRA account to access for two weeks, and then will be public):

      This vulnerability could allow a depositor/submitter to embed dangerous Javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has

      These vulnerabilities allow someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.

      x

      2.

    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form (DS-2044 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x

In addition, this release fixes a variety of minor bugs in the 5.0 release. For more information, see the Changes in 5.x page.

5.1 Acknowledgments 

      • Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team

    • In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory. In addition, the Tomcat documentation details "allowLinking=true" as a possible security concern.  However, you still must upgrade or patch your DSpace in order to completely resolve this vulnerability.
  • JSPUI Security Fixes
    • [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings (DS-1702 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow a depositor/submitter to embed dangerous Javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has existed since DSpace 1.5.x.
    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form (DS-2044 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x

In addition, this release fixes a variety of minor bugs in the 5.0 release. For more information, see the Changes in 5.x page.

5.1 Acknowledgments 

The 5.1 release was led by Tim Donohue (DuraSpace) and the Committers.

The following individuals provided code or bug fixes to the 5.1 release: CTU Developers (ctu-developers), Tim Donohue (tdonohue), Ondřej Košarko (kosarko), Pascal-Nicolas Becker (pnbecker), Claudia Juergen (cjuergen), Ivan Masar (helix84), Andrea Pascarelli (lap82), Hardy Pottinger (hardyoyo), Christian Scheible (christian-scheible), William Tantzen (wilee53), Mark Wood (mwoodiupui),The 5.1 release was led by Tim Donohue (DuraSpace) and the Committers.

5.0 Release Notes

The following is a list of the new features included for the 5.x platform (not an exhaustive list):

...