This release addresses the following security issues discovered in DSpace 4.x and below:
- JSPUI security fix:
- [MEDIUM SEVERITY] Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access)
- Reported by Andrea Bollini (4Science)
- JSPUI and XMLUI
- [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access)
- (NOTE: this ticket was actually fixed in an earlier, unannounced 4.6 release, but it is also included in 4.7)
- Reported by Seth Robbins
- JSPUI, XMLUI and REST
- [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
- Reported by Franziska Ackermann
- JSPUI security fix:
- [HIGH SEVERITY] Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access)
- Reported by Andrea Bollini
Upgrade Instructions
- For upgrade instructions for 4.x to 4.7, please see Upgrading From 4.0 to 4.x.
- If you are upgrading from 3.x to 4.7, please see Upgrading From 3.x to 4.x.
- For general upgrade instructions, please see Upgrading DSpace.