All Versions


DSpace Documentation


Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updating security fixes list. Accidentally included a security ticket that only affected 6.x

...

  • Security fixes for both JSPUI and XMLUI:

    • [HIGH SEVERITY] Basic (Traditional) Workflow approval process is vulnerable to unauthorized manipulations.(https://jira.duraspace.org/browse/DS-3647 - requires a JIRA account to access.) 
      • Discovered by Pascal Becker (The Library Code / TU Berlin).
    • [LOW SEVERITY] DSpace shipped with a version of Apache Commons Configuration that was vulnerable to COLLECTIONS-580 (Deserialization Vulnerability). (https://jira.duraspace.org/browse/DS-3520 - requires a JIRA account to access.)
      • Discovered by Alan Orth.
    • [LOW SEVERITY] DSpace failed to check if policies had valid dates when checking access permissions.(https://jira.duraspace.org/browse/DS-3619 - requires a JIRA account to access.) 
      • Discovered by Pascal Becker (The Library Code / TU Berlin).
  • Security fixes for REST API:
    • [HIGH SEVERITY] A user with submit permissions can bypass workflow approvals by depositing via REST API.(https://jira.duraspace.org/browse/DS-3281 - requires a JIRA account to access.) 
      • Discovered by Emilio Lorenzo.
  • XMLUI bug fixes:
    • /handleresolver path was no longer working: DS-3366
    • Fix broken images when running Mirage 2 on Jetty: DS-3289
    • Improve error message when user attempts to update an e-mail address to an existing address: DS-3584
    • Fix error when uploading large files (>2GB) via a web browser: DS-2359
  • JSPUI bug fixes
    • READ access rights not being respected on Collection homepage: DS-3441
  • Solr Statistics fixes:
    • Sharding statistics corrupted some fields and was unstable: DS-3436DS-3458
  • AIP Backup and Restore fixes:
    • Failed AIP imports left files in assetstore: DS-2227

...