Page History
...
This release addresses the following security issues discovered in DSpace 4.x and below:
- JSPUI, XMLUI, REST security fixfixes:
- JSPUI and XMLUI
- [MEDIUM SEVERITY]
- XML External Entity (XXE) vulnerability in pdfbox. (DS-
- 3309 - requires a JIRA account to access) (NOTE: this ticket was actually fixed in an earlier, unannounced 4.6 release, but it is also included in 4.7)
- Reported by
- Seth Robbins
- JSPUI, XMLUI
- and REST
- [MEDIUM SEVERITY]
- Bitstreams of embargoed and/or withdrawn items can be accessed by
- anyone. (DS-3097 - requires a JIRA account to access)
- Reported by Franziska Ackermann
- Reported by Franziska Ackermann
- JSPUI and XMLUI
- JSPUI security fix:
- [HIGH SEVERITY] Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access)
- Reported by Andrea Bollini
- [HIGH SEVERITY] Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access)
Upgrade Instructions
- For upgrade instructions for 4.x to 4.7, please see Upgrading From 4.0 to 4.x.
- If you are upgrading from 3.x to 4.7, please see Upgrading From 3.x to 4.x.
- For general upgrade instructions, please see Upgrading DSpace.
...
| Note |
|---|
4.7 is a security-fix release. This means it includes no new features and only includes the above listed security fixes. For a list of all new 4.x Features, please visit the 4.x Release Notes. |
...
Overview
Content Tools