...
Info: Online Version of Documentation also available
This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 6.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC6x
Warning: Support for DSpace 6 ended on July 1, 2023. See "Support for DSpace 5 and 6 is ending in 2023".
Welcome to Release 6.4, a bug-fix release for the DSpace 6.x platform. Any previous version of DSpace may be upgraded to DSpace 6 directly. For more information, please see Upgrading DSpace.
6.4 Release Notes
Note: We highly recommend ALL users of DSpace 6. ...
DSpace 6.4 contains security fixes for both the JSPUI and XMLUI. To ensure your 6.x site is secure, we highly recommend ALL DSpace 6.x users upgrade to DSpace 6.4. DSpace 6.4 upgrade instructions are available at: Upgrading DSpace
DSpace 6.4 is a bug fix release to resolve several issues located in previous 6.x releases. As it provides only bug fixes, DSpace 6.4 should constitute an easy upgrade from DSpace 6.x for most users. No database changes should be necessary when upgrading from DSpace 6.x to 6.4.
Security fixes include:
- [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI): Path traversal vulnerability in Simple Archive Format package import (ItemImportService API). This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. This path traversal is only possible by a user with special privileges (Administrators or someone with command-line access to the server).
  - Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31194 (impacts JSPUI only): The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, just by modifying some request parameters during submission. This path traversal can only be executed by a user with submitter rights.
  - Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31193 (impacts JSPUI only): The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice.
  - Reported by Johannes Moritz of Ripstech
- [MODERATE] CVE-2022-31191 (impacts JSPUI only): The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to Cross Site Scripting (XSS).
  - Reported by Hassan Bhuiyan, Brunel University London
- [MODERATE] CVE-2022-31192 (impacts JSPUI only): The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
  - Reported by Andrea Bollini of 4Science
- [LOW] CVE-2022-31189 (impacts JSPUI only): When an "Internal System Error" occurs in the JSPUI, the entire exception (including stack trace) is available. Information in this stack trace may be useful to an attacker in launching a more sophisticated attack.
  - Reported by Johannes Moritz of Ripstech
- [LOW] CVE-2022-31190 (impacts XMLUI only): Metadata of withdrawn Items is exposed to anonymous users in XMLUI.
  - Reported by David Cavrenne of Atmire
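The two HIGH path-traversal items above (CVE-2022-31195 and CVE-2022-31194) share one root cause: a file name taken from a package manifest or a request parameter is joined onto a server directory without checking where the resulting path lands. The following Python is an added example, not DSpace code, of the containment check a defender wants at that boundary. It resolves the candidate path (collapsing ".." and symlinks) and then compares whole path components, so a sibling directory such as /srv/import2 is not mistaken for a child of /srv/import the way a plain string-prefix check would be. The function names, the SAF-shaped sample entry names and the hostile names are all constructed for this demonstration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when an entry name would resolve outside the import root."""


def resolve_entry(import_root, entry_name):
    """Map an untrusted entry name (e.g. a file name read from a package
    manifest, or a path-like request parameter) onto a destination inside
    import_root. Returns the absolute destination path as a string, or
    raises UnsafePathError.

    The containment test runs on the fully resolved path (symlinks and
    ".." collapsed) and compares whole path components via relative_to(),
    so "<root>2/x" is correctly rejected even though its string form
    starts with str(root).
    """
    root = Path(import_root).resolve()
    # A package or upload has no legitimate reason to name an absolute path,
    # a NUL byte or a Windows-style separator; refuse those before resolving.
    if not entry_name or os.path.isabs(entry_name):
        raise UnsafePathError(f"empty or absolute entry name: {entry_name!r}")
    if "\x00" in entry_name or "\\" in entry_name:
        raise UnsafePathError(f"illegal character in entry name: {entry_name!r}")
    candidate = (root / entry_name).resolve()
    if candidate == root:
        # "." or "item/..": names the root directory itself, not a file in it
        raise UnsafePathError(f"entry names the import root itself: {entry_name!r}")
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePathError(f"entry escapes the import root: {entry_name!r}") from None
    return str(candidate)


def is_safe(import_root, entry_name):
    """Boolean form of resolve_entry(), convenient for filtering."""
    try:
        resolve_entry(import_root, entry_name)
        return True
    except UnsafePathError:
        return False


def partition_entries(import_root, entry_names):
    """Split entry names into (accepted, rejected); rejected carries the reason."""
    accepted, rejected = [], []
    for name in entry_names:
        try:
            resolve_entry(import_root, name)
            accepted.append(name)
        except UnsafePathError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample: entry names shaped like a SAF package's files, followed
# by hostile names made up for this demonstration.
SAMPLE_ENTRIES = [
    "item_001/dublin_core.xml",
    "item_001/contents",
    "item_001/thesis.pdf",
    "./item_002/contents",
    "../../tmp/outside.txt",
    "/etc/passwd",
    "item_001/../../escape.sh",
    "item_001/..",
    "",
]


def demo():
    """Run the check over SAMPLE_ENTRIES in a throw-away import root."""
    with tempfile.TemporaryDirectory() as root:
        # Sibling-directory probe: <root>2/leak.txt lies outside <root> even
        # though its string form begins with the root's string form.
        sibling = f"../{os.path.basename(root)}2/leak.txt"
        return partition_entries(root, SAMPLE_ENTRIES + [sibling])


if __name__ == "__main__":
    accepted, rejected = demo()
    for name in accepted:
        print("accept", repr(name))
    for name, reason in rejected:
        print("reject", repr(name), "-", reason)
```

The same check applies to the upload case: validate the parameter with resolve_entry() before any file or directory is created, and log the rejected name and reason, since a rejected entry is a signal worth alerting on rather than silently dropping.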
Major bug fixes include:
- Fix Mirage 2 build broken by disappearance of JRuby gems torquebox.org mirror: #8292
  - Requires some action on sites with heavily customized JavaScript or stylesheets, see Mirage 2's readme.md
- Replace log4j with reload4j: #8144
  - Note: this may impact custom modules pulled into your poms if they pull in log4j v1. We recommend only using reload4j.
- Implement GDPR-compliant statistics anonymization for Solr: DS-4440 (#2693)
- Update Sherpa Romeo integration for API v2: DS-3940 (#2739), DS-4377 (#2567)
- Add utility to migrate legacy pre-6.x Solr statistics IDs to UUIDs: DS-4075 (#2260)
- Various improvements to Docker configuration and deployment: DS-4356 (#2542), DS-4355 (#2540), DS-4349 (#2534), DS-4346 (#2523), DS-4321 (#2476), DS-4336 (#2510), DS-4126 (#2307), DS-4142 (#2322), DS-4012 (#2218)
- Updated JSPUI and XMLUI to use jQuery v3: DS-4508 (#2918)
- Database fixes:
- XMLUI fixes:
  - Add "noindex" HTML meta tag to prevent robots from indexing private items: DS-1980 (#5346)
  - Update Mirage2 build to support Node.js 14 LTS: #8331
  - Update confidence when manually editing authority controlled metadata values: DS-4580 (#7913)
  - Fix breaking of feedback link on sites without a sub-domain: DS-4362 (#7701)
  - Improve performance of item counter (aka "strengths"): DS-3976 (#7323)
  - Fix jumping to a specific year in search results when site is not using the default sort order: DS-4208 (#7548)
  - Fix word-break CSS class: DS-4190 (#2374)
  - Improvements and bug fixes to "starts_with" parameter on browse pages: DS-4201, DS-3945 (#2113)
  - Re-enable HTTP Ranges support: DS-4579 (#3228)
  - Fix Known/Supported labels in UploadStep/UploadWithEmbargoStep: DS-4293 (#2465)
  - Fix Discovery label for metadata values under authority control: DS-2852 (#1800)
  - Fix incorrect escaping of "citation_" meta tags: DS-4135 (#2317)
  - Fail gracefully if the Creative Commons API is down: DS-2569 (#2977)
  - Respect primary bitstreams with text/html mime types in Mirage2 item view: DS-3888 (#2021)
  - Use null for empty language when editing item metadata: DS-4169 (#2350)
  - Properly show results for 0-9 link in Browse: DS-4291 (#2463)
  - Fix missing date values while faceting: DS-3791 (#1901)
  - Fix support for custom "sitemap.xmap" in Mirage 2: DS-3545 (#1690)
  - Fix broken "reset" button in Discovery advanced search filters: #8330
  - Fix incorrect totals on Discovery "view more" page: DS-3881 (#2371)
- JSPUI fixes:
- Other API-level fixes (affecting all UIs):
  - Improve Solr search results for Discovery contains queries by using double quotes instead of brackets: DS-4271 (#7611)
  - Add a check to make sure the source and target collections are not the same when moving an item: #8055
  - Avoid exporting metadata of mapped Item more than once: #7988
  - Make sure "Save and Exit" in workflow actually saves changes to the database: DS-4157 (#7499)
  - Fix NullPointerException in ORCIDv2 API responses with missing data: DS-3998 (#7345)
  - Fix NullPointerException when selecting items published today in initial questions step: DS-4238 (#7668)
  - Fix NullPointerException on empty sub-communities in metadata-export: DS-4211 (#2396)
  - Fix "homepage" Discovery configuration not being used due to missing IDs: DS-3725 (#7072)
  - Fix ingesting items without a license not using the default license: DS-3643 (#6992)
  - Prevent empty string assignment for language when importing a SAF bundle: DS-4493 (#2753)
  - Fix searching for text values containing diacritics: DS-4034 (#2276)
  - Fix for view permissions when Anonymous is a sub-group: DS-4534 (#2832)
  - FindByValue should pass in value, not qualifier: DS-4073 (#2699)
  - Fix exception when harvesting by UUID: DS-4353 (#2537)
  - Fix NullPointerException in "request a copy" function: DS-4032 (#2452)
- REST API fixes:
  - Fix Maven build issue due to blocking of plaintext HTTP repositories: #3247
  - Return items in deterministic order: DS-3849 (#2501)
  - Improve performance of collections endpoints: DS-4342 (#2516)
  - Fix schema registry lookup with null qualifier: #7993
Minor improvements include:
- Limit the usage of PDFBoxThumbnail media filter to PDFs: DS-3873 (#2124)
- Update PDFBox version: #2742
- Update spider user agent file for more accurate Solr usage statistics: DS-4587 (#3333)
- Update JavaScript dependencies: DS-4508 (#2918)
- Remove non-existent command from OAI's CLI help: DS-4260 (#2439)
- Fix Discovery index command when using the "-c" (clean) option: DS-4393 (#2606)
- Fix issue with bulkedit.ignore-on-export parameter on DSpaceCSV: #2661
- Improve "dspace structure-builder" error messages: DS-4087 (#2681)
- Remove GeoIP download Ant target, reconfigure for external provision: DS-4409 (#2652)
- Restore getSize() in Bitstream for replication task suite: DS-3895 (#2683)
- Remove unnecessary second Context in RDFConsumer: #8152
- Fix minor security issue with HTML links using target="_blank": DS-3891 (#7238)
- Correctly remove Handle server lock file: DS-3946 (#2114)
- Make automatic Discovery re-indexing configurable: DS-3658 (#2184)
- Allow configuring max results per page in search: DS-4120 (#2306)
- Improve OAI performance for large installs: DS-4136 (#2320)
- Avoid crosswalking invalid publish dates for Google Scholar: DS-4104 (#2294)
- Bitstreams should keep their formats when being versioned: DS-4078 (#2261)
- Only execute ImageMagick "identify" on the first page of PDF: DS-3664 (#2201)
- Allow OAI Harvester to continue if it encounters an Item missing a handle: DS-3939 (#2106)
  - Note: the OAI Harvester Consumer has been completely removed from the DSpace codebase and should be removed from any configuration files referencing it: DS-4129 (#2314).
View the full list of changes for DSpace 6.4 on GitHub.
6.4 Acknowledgments
The 6.4 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs).
The following individuals provided tests, code, bug fixes, or review to the 6.4 release (in alphabetical order by given name): Alan Orth, Alexander Sulfrian, Andrea Bollini, Andrea Jenis Saroni, Andrew Wood, Anis, Bram Luyten, Chris Herron, Chris Wilper, Cornelius Matějka, Francesco Pio Scognamiglio, Giuseppe Digilio, Hrafn Malmquist, Huma Zafar, Iordanis Kostelidis, Istvan Vig, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Leonardo Guerrero, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Martin Walk, Nicholas Woodward, Pascal-Nicolas Becker, Paulo Graça, Philip Vissenaekens, PTrottier, Saiful Amin, Samuel, santit96, ssolim, Terry Brady, Tim Donohue, Toni Prieto.
6.3 Release Notes
Note: We highly recommend ALL JSPUI users of DSpace 6.x upgrade to 6.3
DSpace 6.3 contains security fixes for the JSPUI (only). To ensure your 6.x JSPUI site is secure, we highly recommend ALL JSPUI DSpace 6.x users upgrade to DSpace 6.3. DSpace 6.x XMLUI users may also wish to upgrade as several major bugs have been fixed in the XMLUI as well. DSpace 6.3 upgrade instructions are available at: Upgrading DSpace
DSpace 6.3 is a bug fix release to resolve several issues located in previous 6.x releases. As it provides only bug fixes, DSpace 6.3 should constitute an easy upgrade from DSpace 6.x for most users. No database changes should be necessary when upgrading from DSpace 6.x to 6.3. One configuration addition (orcid.api.url property) has been made to the default dspace.cfg to support the new ORCID API v2, for ORCID Authority Control users.
JSPUI security fixes include:
- [HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.)
- [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.)
Major bug fixes include:
- Update DSpace ORCID Integration to use ORCID API v2 (instead of now obsolete ORCID v1): DS-3447
- Update DSpace Statistics to use GeoIP API v2 (instead of now discontinued GeoIP API v1): DS-3832
- Database specific fixes
  - Oracle database migration fix. Configurable Workflow migration threw errors: DS-3788
  - PostgreSQL JDBC driver upgraded to latest version (to allow for full compatibility with PostgreSQL v10): DS-3854
  - Fix issue where DSpace wasn't starting if it used a database connection pool supplied through JNDI: DS-3434
- Bitstream deletion issues ("dspace cleanup" command)
  - Fixed issues where Bitstreams were not being flagged for deletion when an Item was deleted: DS-3729
  - Fixed issues where Bitstreams were not being removed from assetstore even when flagged as deleted: DS-3627 and DS-3461
    - Note: This issue was limited to 6.0, 6.1 or 6.2, and specifically occurred when Item Level Versioning was NOT enabled (which is the default setting) or when Item Level Versioning was first enabled on DSpace version 6.0, 6.1 or 6.2
  - Fixed issues where Bitstreams were removed from all versions of an Item (resulting in inaccurate versioning) when deleted from the latest version of an Item: DS-3627
    - Note: This issue was limited to 6.0, 6.1 or 6.2, and specifically ONLY occurred when Item Level Versioning was first enabled on DSpace version 4.x or 5.x (and that old versioning data had since been migrated to 6.x).
- Other API-level fixes (affecting all UIs)
- JSPUI fixes
  - Fixed issues with authority control popup: DS-3404
  - Fixed issues with pausing HTML5 uploads: DS-3865
- XMLUI fixes
  - Fixed Mirage v2 build issues caused by Bower Registry URL change: DS-3936
  - Fixed performance issues for Items with 100+ bitstreams: DS-3883
  - Fixed occasional Hibernate LazyInitializationException when completing submissions: DS-3775
  - Fixed Unicode character issues in metadata: DS-3733
  - Fix issue where search results lose Community/Collection context when sorting: DS-3835
  - Fixed bitstream download issues which could leave AWS connections open when using S3 storage backend: DS-3870
  - Update Mirage to use recommended MathJax inline delimiters (DS-3087) and to use new CDN location (DS-3560)
- OAI-PMH Fixes
  - Ensure OAI-PMH updates harvestable items when an item is made private (DS-3707) or an embargo expires (DS-3715)
  - Fixed Unicode character issues in metadata: DS-3733 and DS-3556
  - Fix content type of OAI-PMH response: DS-3889
  - Enhanced "oai import" command to report on items that cause indexing issues: DS-3852
- REST API fixes and minor improvements
For more information, see the Changes section in the DuraSpace Wiki.
6.3 Acknowledgments
The 6.3 release was led by Kim Shepherd.
The following individuals provided tests, code or bug fixes or review to the 6.3 release: Saiful Amin, Pascal-Nicolas Becker, Ben Bosman, Terry Brady, Per Broman, Jacob Brown, James Creel, Tom Desair, Tim Donohue, Stefan Fritzsche, Hendrik Geßner, Werner Greßhoff, Marsa Haoua, Iris Hausmann, Chris Herron, Lotte Hofstede, Eike Kleiner, Ivan Masár, Dinesh Mendhe, Philip Münch, Sébastien Nadeau, Miika Nurminen, Alan Orth, Hardy Pottinger, Jakub Řihák, J. Savell, Christian Scheible, Kim Shepherd, Ilja Sidoroff, S. Solim, Eduardo Speroni, Alexander Sulfrian, Jonas Van Goolen, Philip Vissenaekens, Martin Walk, Andrew Wood, Mark Wood.
6.2 Release Notes
DSpace 6.2 is a bug fix release to resolve several issues located in previous 6.x releases. As it provides only bug fixes, DSpace 6.2 should constitute an easy upgrade from DSpace 6.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 6.x to 6.2.
Major bug fixes include:
...
- Bitstream statistics are not shown after a migration to 6.x: DS-3602
- Database changes of consumers aren't persisted anymore: DS-3680
- Database migrate fails to create the initial groups: DS-3659
- Items fail to be reindexed on metadata change when 'authority' consumer is enabled: DS-3660
- Important bug fixes to DSpace database connection/caching management
  - Indexing: Items failed to be reindexed after metadata changes were made: DS-3660
  - Batch processing: XMLUI Batch Import Failure: DS-3648
  - Group creation: Database migrations sometimes failed to create initial groups (Administrator and Anonymous) in fresh installs: DS-3659
  - Cache management: DOIOrganiser CLI does not change the database anymore: DS-3656
  - Cache management: Database changes of consumers aren't persisted anymore: DS-3680
  - Cache management: Slow batch operations due to Hibernate caching: DS-3286
- General bug fixes (to all UIs):
  - Pre-6.x Bitstream statistics were not being displayed: DS-3602
  - ImageMagick PDF thumbnail should always create sRGB JPEG files: DS-3517
  - XMLUI Batch Import Failure: DS-3648
  - DOIOrganiser CLI does not change the database anymore: DS-3656
  - ImageMagick PDF Processing Degraded with Changes in 5.7 release: DS-3661
6.2 Acknowledgments
The 6.2 release was led by the DSpace Committers.
...
A full list of all changes / bug fixes in 6.x is available in the Changes in 6.x section.
6.0 Acknowledgments
The following individuals have contributed directly to this release of DSpace: Tim Donohue, Mark H. Wood, Pascal-Nicolas Becker, Kevin Van de Velde, Ivan Masár, Hardy Pottinger, Terry Brady, Andrea Schweer, Philip Vissenaekens, Peter Dietz, Jonas Van Goolen, Tom Desair, Dylan MEEUS, Luigi Andrea Pascarelli, William Welling, Christian Scheible, Andrea Bollini, Aleksander Kotyński-Buryła, Ondřej Košarko, Jozef Mišutka, Chris Wilper, Ilja Sidoroff, Roeland Dillen, Bram Luyten, Marsa Haoua, Claudia Jürgen, Kim Shepherd, Art Lowel, Ivo Prajer, Petr Karel, Mini Pillai, Facundo Gabriel Adorno, Luiz Claudio Santos, Robin Taylor, Tim Van den Langenbergh, Arnaud de Bossoreille, Bill Tantzen, Tiago Guimarães, Oriol Olivé Comadira, Àlex Magaz Graça, Anne Lawrence, Brad Dewar, Bruno Nocera Zanette, David Baker, Ed Goulet, Mateusz Neumann, Monika Mevenkamp, Pablo Buenaposada, Patricio Marrone, Petya Kohts, Eike Kleiner, Antoine Snyers, Bjorn Jaspers, Chris Herron, Dan Scott, David Cook, Davor Cubranic, José Carvalho, Jozsef Marton, Juan Manuel Catá, Panagiotis Koutsourakis, Pantelis Karamolegkos, Pedro Príncipe, Philippe Gray, Rodrigo Prado de Jesus, RomanticCat, Saiful Amin, junwei1229, Keith Gilbertson, Nicolas Schwab, Pablo Buenaposada, Michael Marttila, samuel, tmtvl, and others who reviewed and commented on their work. Many of these could not do this work without the support (release time and financial) of their associated institutions. We offer thanks to those institutions for supporting their staff to take time to contribute to the DSpace project.
...