Versions Compared

Old Version 17

changes.mady.by.user Mark H. Wood

Saved on

compared with

New Version Current

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
titleOnline Version of Documentation also available

This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 6.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC6x


Warning

Support for DSpace 6 ended on July 1, 2023.  See Support for DSpace 5 and 6 is ending in 2023

 Welcome to Release 6.24, a bug-fix release for the DSpace 6.x platform.   Any previous version of DSpace may be upgraded to DSpace 6 directly. For more information, please see Upgrading DSpace.

Table of Contents

6.

...

4 Release Notes

Note
titleWe highly recommend ALL users of DSpace 6.

...

x upgrade to 6.4

DSpace 6.4 contains security fixes for both the JSPUI and XMLUI. To ensure your 6.x  site is secure, we highly recommend ALL DSpace 6.x users upgrade to DSpace 6.4l.

DSpace 6.4 upgrade instructions are available at: Upgrading DSpace

DSpace 6.4 is a bug fix release to resolve several issues located in previous 6.x releases. As it only provides only bug fixes, DSpace 6.4 should constitute an easy upgrade from DSpace 6.x for most users. No database changes should be necessary when upgrading from DSpace 6.x to 6.4.

Security fixes include:

  • [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI): Path traversal vulnerability in Simple Archive Format package import (ItemImportService API). This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. This path traversal is only possible by a user with special privileges (Administrators or someone with command-line access to the server).
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31194 (impacts JSPUI only) : The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, just by modifying some request parameters during submission. This path traversal can only be executed by a user with submitter rights.
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31193 (impacts JSPUI only) : The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice.
    • Reported by Johannes Moritz of Ripstech
  • [MODERATE] CVE-2022-31191 (impacts JSPUI only) : The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to Cross Site Scripting (XSS).
    • Reported by Hassan Bhuiyan, Brunel University London
  • [MODERATE] CVE-2022-31192 (impacts JSPUI only)The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
    • Reported by Andrea Bollini of 4Science
  • [LOW] CVE-2022-31189 (impacts JSPUI only) When an "Internal System Error" occurs in the JSPUI, then entire exception (including stack trace) is available. Information in this stacktrace may be useful to an attacker in launching a more sophisticated attack.
    • Reported by Johannes Moritz of Ripstech
  • [LOW] CVE-2022-31190 (impacts XMLUI only) Metadata of withdrawn Items is exposed to anonymous users in XMLUI.
    • Reported by David Cavrenne of Atmire

Major bug fixes include:

Minor improvements include:

  • Limit the usage of PDFBoxThumbnail media filter to PDFs: DS-3873 (#2124)
  • Update PDFBox version: #2742
  • Update spider user agent file for more accurate Solr usage statistics: DS-4587 (#3333)
  • Update JavaScript dependencies: DS-4508 (#2918)
  • Remove non-existent command from OAI's CLI help: DS-4260 (#2439)
  • Fix Discovery index command when using the "-c" (clean) option: DS-4393 (#2606)
  • Fix issue with bulkedit.ignore-on-export parameter on DSpaceCSV: #2661
  • Improve dspace structure-builder  error messages: DS-4087 (#2681)
  • Remove GeoIP download Ant target, reconfigure for external provision: DS-4409 (#2652)
  • Restores getSize() in Bitstream for replication task suite: DS-3895 (#2683)
  • Remove unnecessary second Context in RDFConsumer: #8152
  • Fix minor security issue with HTML links using target="_blank": DS-3891 (#7238)
  • Correctly remove Handle server lock file: DS-3946 (#2114)
  • Make automatic Discovery re-indexing configurable: DS-3658 (#2184)
  • Allow configuring max results per page in search: DS-4120 (#2306)
  • Improve OAI performance for large installs: DS-4136 (#2320)
  • Avoid crosswalking invalid publish dates for Google Scholar: DS-4104 (#2294)
  • Bitstreams should keep their formats when being versioned: DS-4078 (#2261)
  • Only execute ImageMagick identify on the first page of PDF: DS-3664 (#2201)
  • Allow OAI Harvester to continue if it encounters an Item missing a handle: DS-3939 (#2106)
    • Note:the OAI Harvester Consumer has been completely removed from the DSpace codebase and should be removed from any configuration files referencing it: DS-4129 (#2314).

View the full list of changes for DSpace 6.4 on GitHub.

6.4 Acknowledgments

The 6.4 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs).

The following individuals provided tests, code, bug fixes, or review to the 6.4 release (in alphabetical order by given name): Alan Orth, Alexander Sulfrian, Andrea Bollini, Andrea Jenis Saroni, Andrew Wood, Anis, Bram Luyten, Chris Herron, Chris Wilper, Cornelius Matějka, Francesco Pio Scognamiglio, Giuseppe Digilio, Hrafn Malmquist, Huma Zafar, Iordanis Kostelidis, Istvan Vig, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Leonardo Guerrero, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Martin Walk, Nicholas Woodward, Pascal-Nicolas Becker, Paulo Graça, Philip Vissenaekens, PTrottier, Saiful Amin, Samuel, santit96, ssolim, Terry Brady, Tim Donohue, Toni Prieto.

6.3 Release Notes

Note
titleWe highly recommend ALL JSPUI users of DSpace 6.x upgrade to 6.3

DSpace 6.3 contains security fixes for the JSPUI (only). To ensure your 6.x JSPUI site is secure, we highly recommend ALL JSPUI DSpace 6.x users upgrade to DSpace 6.3

DSpace 6.x XMLUI users may also wish to upgrade as several major bugs have been fixed in the XMLUI as well.

DSpace 6.3 upgrade instructions are available at: Upgrading DSpace

DSpace 6.3 is a bug fix release to resolve several issues located in previous 6.x releases. As it only provides only bug fixes, DSpace 6.3 should constitute an easy upgrade from DSpace 6.x for most users. No database changes should be necessary when upgrading from DSpace 6.x to 6.3. One configuration addition (orcid.api.url property) has been made to the default dspace.cfg to support the new ORCID API v2, for ORCID Authority Control users.


JSPUI security fixes include

  • [HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.) 

    • Reported by Julio Brafman

  • [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.) 

    • Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)

Major bug fixes include:

  • Update DSpace ORCID Integration to use ORCID API v2 (instead of now obsolete ORCID v1): DS-3447
  • Update DSpace Statistics to use GeoIP API v2 (instead of now discontinued GeoIP API v1): DS-3832
  • Database specific fixes
    • Oracle database migration fix. Configurable Workflow migration threw errors: DS-3788
    • PostgreSQL JDBC driver upgraded to latest version (to allow for full compatibility with PostgreSQL v10): DS-3854
    • Fix issue where DSpace wasn't starting if it used a database connection pool supplied through JNDI: DS-3434
  • Bitstream deletion issues ("dspace cleanup" command)
    • Fixed issues where Bitstreams were not being flagged for deletion when an Item was deleted: DS-3729
    • Fixed issues where Bitstreams were not being removed from assetstore even when flagged as deleted: DS-3627 and DS-3461
      • Note: This issue was limited to 6.0, 6.1 or 6.2, and specifically occurred when Item Level Versioning was NOT enabled (which is the default setting) or when Item Level Versioning was first enabled on DSpace version 6.0, 6.1 or 6.2
    • Fixed issues where Bitstreams were removed from all versions of an Item (resulting in inaccurate versioning) when deleted from the latest version of an Item: DS-3627
      • Note: This issue was limited to 6.0, 6.1 or 6.2, and specifically ONLY occurred when Item Level Versioning was first enabled on DSpace version 4.x or 5.x (and that old versioning data had since been migrated to 6.x).
  • Other API-level fixes (affecting all UIs)
    • Fixed issues where Item Level Versioning accidentally duplicated both metadata (DS-3703) and bitstreams (DS-3702)
    • Fixed issue where Shibboleth authentication plugin appeared to login when no password provided: DS-3662
    • Fixed issues with Solr Search Query escaping in both UIs: DS-3507
    • Update last modified timestamp (on Item) when a new bitstream is added: DS-3734
    • Ensure ImageMagick thumbnails respect the orientation of original file: DS-3839
    • Fix MediaFilter "too many open files" issues (where it forgot to close an input stream): DS-3700
    • Fix PubMed Import submission step (StartSubmissionLookupStep) to use updated URL of PubMed API:  DS-3933
    • Cleanup EHCache configuration: DS-3694 and DS-3710
  • JSPUI fixes
    • Fixed issues with authority control popup: DS-3404
    • Fixed issues with pausing HTML5 uploads: DS-3865
  • XMLUI fixes
    • Fixed Mirage v2 build issues caused by Bower Registry URL change: DS-3936
    • Fixed performance issues for Items with 100+ bitstreams: DS-3883
    • Fixed occasional Hibernate LazyInitializationException when completing submissions: DS-3775
    • Fixed Unicode character issues in metadata: DS-3733
    • Fix issue where search results lose Community/Collection context when sorting: DS-3835
    • Fixed bitstream download issues which could leave AWS connections open when using S3 storage backendDS-3870
    • Update Mirage to use recommended MathJax inline delimiters (DS-3087) and to use new CDN location (DS-3560)
  • OAI-PMH Fixes
    • Ensure OAI-PMH updates harvestable items when an item is made private (DS-3707) or an embargo expires (DS-3715)
    • Fixed Unicode character issues in metadata: DS-3733 and DS-3556
    • Fix content type of OAI-PMH response: DS-3889
    • Enhanced "oai import" command to report on items that cause indexing issues: DS-3852
  • REST API fixes and minor improvements
    • Fixed issue where REST API was no longer able to return JSON responses: DS-3903
    • Fixed update bitstream data returning 500 response: DS-3511
    • Improvements to REST Based Quality Control Reports:
      • Enable login via Shibboleth: DS-3811
      • Add bitstream field data to item listing: DS-3704
      • Fix bug filtering for bitstream permissions: DS-3713
      • Improve ability to find withdrawn items: DS-3714

For more information, see the Changes section in the DuraSpace Wiki.

6.3 Acknowledgments

The 6.3 release was led by Kim Shepherd

The following individuals provided tests, code or bug fixes or review to the 6.3 release: Saiful Amin, Pascal-Nicolas Becker, Ben Bosman, Terry Brady, Per Broman, Jacob Brown, James Creel, Tom Desair, Tim Donohue, Stefan Fritzsche, Hendrik Geßner, Werner Greßhoff, Marsa Haoua, Iris Hausmann, Chris Herron, Lotte Hofstede, Eike Kleiner, Ivan Masár, Dinesh Mendhe, Philip Münch, Sébastien Nadeau, Miika Nurminen, Alan Orth, Hardy Pottinger, Jakub Řihák, J. Savell, Christian Scheible, Kim Shepherd, Ilja Sidoroff, S. Solim, Eduardo Speroni, Alexander Sulfrian, Jonas Van Goolen, Philip Vissenaekens, Martin Walk, Andrew Wood, Mark Wood

6.2 Release Notes

DSpace 6.2 is a bug fix release to resolve several issues located in previous 6.x releases. As it only provides only bug fixes, DSpace 6.2 should constitute an easy upgrade from DSpace 6.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 6.x to 6.2.
 

Major bug fixes include:

...

Major bug fixes include:

  • Bitstream statistics are not shown after a migration to 6.x: DS-3602
  • Database changes of consumers aren't persisted anymore: DS-3680
  • Database migrate fails to create the initial groups: DS-3659
  • Items fail to be reindexed on metadata change when 'authority' consumer is enabled: DS-3660
  • Important bug fixes to DSpace database connection/caching management
    • Indexing: Items failed to be reindexed after metadata changes were made: DS-3660
    • Batch processing:  XMLUI Batch Import Failure: DS-3648
    • Group creation: Database migrations sometimes failed to create initial groups (Administrator and Anonymous) in fresh_installs: DS-3659
    • Cache management: DOIOrganiser CLI does not change the database anymore: DS-3656
    • Cache Management: Database changes of consumers aren't persisted anymore: DS-3680
    • Cache Management:
    • Slow batch operations due to Hibernate caching: DS-3286
  • General bug fixes (to all UIs):
    • Pre-6.x Bitstream statistics were not being displayed: DS-3602
    • ImageMagick PDF thumbnail should always create sRGB JPEG files: DS-3517
  • XMLUI Batch Import Failure: DS-3648
  • DOIOrganiser CLI does not change the database anymore: DS-3656
    • ImageMagick PDF Processing Degraded with Changes in 5.7 release: DS-3661

6.2

...

Acknowledgments

The 6.2 release was led by the DSpace Committers.

...

A full list of all changes / bug fixes in 6.x is available in the Changes in 6.x section.

Anchor
Contrib
Contrib

6.0 Acknowledgments

The following individuals have contributed directly to this release of DSpace:  Tim Donohue, Mark H. Wood, Pascal-Nicolas Becker, Kevin Van de Velde, Ivan Masár, Hardy Pottinger, Terry Brady, Andrea Schweer, Philip Vissenaekens, Peter Dietz, Jonas Van Goolen, Tom Desair, Dylan MEEUS, Luigi Andrea Pascarelli, William Welling, Christian Scheible, Andrea Bollini, Aleksander Kotyński-Buryła, Ondřej Košarko, Jozef Mišutka, Chris Wilper, Ilja Sidoroff, Roeland Dillen, Bram Luyten, Marsa Haoua, Claudia Jürgen, Kim Shepherd, Art Lowel, Ivo Prajer, Petr Karel, Mini Pillai, Facundo Gabriel Adorno, Luiz Claudio Santos, Robin Taylor, Tim Van den Langenbergh, Arnaud de Bossoreille, Bill Tantzen, Tiago Guimarães, Oriol Olivé Comadira, Àlex Magaz Graça, Anne Lawrence, Brad Dewar, Bruno Nocera Zanette, David Baker, Ed Goulet, Mateusz Neumann, Monika Mevenkamp, Pablo Buenaposada, Patricio Marrone, Petya Kohts, Eike Kleiner, Antoine Snyers, Bjorn Jaspers, Chris Herron, Dan Scott, David Cook, Davor Cubranic, José Carvalho, Jozsef Marton, Juan Manuel Catá, Panagiotis Koutsourakis, Pantelis Karamolegkos, Pedro Príncipe, Philippe Gray, Rodrigo Prado de Jesus, RomanticCat, Saiful Amin, junwei1229, Keith Gilbertson, Nicolas Schwab, Pablo Buenaposada, Michael Marttila, samuel, tmtvl , and others who reviewed and commented on their work.  Many of these could not do this work without the support (release time and financial) of their associated institutions. We offer thanks to those institutions for supporting their staff to take time to contribute to the DSpace project.

...