7.2.1 Release Notes (Backend Only)
Warning: DSpace 7.0, 7.1 and 7.2 all used a bundled version of the Apache Spring Libraries which are vulnerable to RCE (remote command execution). The CVE-2022-22965 vulnerability is described in more detail at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
DSpace 7.2.1 only contains an update to the Apache Spring Libraries to ensure DSpace is not vulnerable to CVE-2022-22965. As such, it was only a Backend / REST API release. The DSpace 7.2 Frontend (UI) can be used with the DSpace 7.2.1 Backend.
To ensure your 7.x site is completely secure, perform the following:
- Upgrade your DSpace backend (REST API) to version 7.2.1 immediately. This backend is compatible only with DSpace Frontend version 7.2.
- If you are unable to perform this upgrade, you may patch your 7.0 or 7.1 site by applying the changes in PR #8231. Instructions can be found in that PR.
- Optionally, upgrade your Apache Tomcat to version 9.0.62 (which also has extra guards against this vulnerability).
- Make sure to restart Tomcat after updates have been applied.
At this time, DSpace 6.x and below appear unaffected by CVE-2022-22965, as they all used Java/JDK 8 (or below) which is documented as not impacted. The vulnerability is only possible when using Java/JDK 9 or above.
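As an added example (not DSpace project code), the conditions stated above can be turned into a small triage script for an inventory of hosts. The function names and verdict strings are assumptions made for this example, and the version rules are only those given in these release notes.

```shell
#!/bin/sh
# Added example: triage one host against the conditions in these release notes.
# Version strings are supplied by the operator; nothing here probes a server.

# java_major "1.8.0_322" -> 8, "11.0.14.1" -> 11, "17.0.2+8" -> 17
java_major() {
    v=${1%%[-+_]*}                      # drop build suffixes (_322, +8, -ea)
    case $v in
        1.*) v=${v#1.} ;;               # legacy scheme: 1.8 means Java 8
    esac
    echo "${v%%.*}"
}

# tomcat_guard: does this Tomcat carry the extra guards the notes mention?
# The notes name only 9.0.62, so other release lines are reported as unknown.
tomcat_guard() {
    case $1 in
        9.0.*) patch=${1#9.0.}; patch=${patch%%[!0-9]*}
               if [ "${patch:-0}" -ge 62 ]; then echo yes; else echo no; fi ;;
        *)     echo unknown ;;
    esac
}

# assess DSPACE_VERSION JAVA_VERSION TOMCAT_VERSION -> one verdict line
assess() {
    jm=$(java_major "$2"); guard=$(tomcat_guard "$3")
    case $jm in ''|*[!0-9]*) echo "unknown bad-java-version"; return 0 ;; esac
    case $1 in
        7.2.1) echo "fixed tomcat_guard=$guard" ;;
        7.0|7.1|7.2)                    # releases the notes list as affected
            if [ "$jm" -ge 9 ]; then echo "vulnerable tomcat_guard=$guard"
            else echo "affected-release-on-jdk$jm tomcat_guard=$guard"; fi ;;
        [1-6].*)                        # notes: 6.x and below ran on JDK 8 or below
            if [ "$jm" -le 8 ]; then echo "appears-unaffected"
            else echo "unknown notes-assume-jdk8-for-6.x"; fi ;;
        *) echo "unknown release-not-covered-by-notes" ;;
    esac
}

# Constructed sample inputs (not taken from any real host)
assess 7.2   11.0.14.1 9.0.58
assess 7.2.1 17.0.2+8  9.0.62
assess 6.3   1.8.0_322 9.0.58
```

A `vulnerable` verdict maps to the upgrade or PR #8231 patch steps listed above, followed by a Tomcat restart.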
7.2 Release Notes
Info: To try out DSpace 7.2 immediately, see Try out DSpace 7. This includes instructions for a quick-install via Docker, as well as information on our sandbox/demo site for DSpace 7. To upgrade to DSpace 7.2 from 7.x or any prior version, see Upgrading DSpace. To install DSpace 7.2 for the first time, see Installing DSpace.