...
Major bug fixes include:
- JSPUI, XMLUI, REST security fixes:
- JSPUI and XMLUI
- [HIGH SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access)
- JSPUI, XMLUI and REST
- [HIGH SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
- Reported by Franziska Ackermann
- JSPUI security fix:
- [HIGH SEVERITY] Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access)
- REST security fix:
- [HIGH SEVERITY] SQL Injection Vulnerability in 5.x REST API (DS-3250 - requires a JIRA account to access)
- JSPUI bug fixes:Other minor fixes and improvements
- JSPUI: Creative Commons license fails with fetch directy the url (instead use the Creative Commons REST API) (DS-2604)
- JSPUI: Upload a file, multifile, with a description text during the submission process (DS-2623)
- JSPUI: Bug fix to EPerson popup (DS-2968)
- XMLUI bug fixes:
- XMLUI: Recyclable Cocoon components should clear local variables (DS-3246)
- XMLUI: "Request a copy" feature was not working when the property request.item-type was set to all ( DS-3294)
- XMLUI: Bug fix to policy search form (DS-3206)
- Other minor fixes and improvements
...
- Bug fix to REST API 'find-by-metadata-field' (DS-3248)
In addition, this release fixes minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
...