Versions Compared

Old Version 42

changes.mady.by.user Tim Donohue

Saved on

compared with

New Version 43

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info
titleOnline Version of Documentation also available

This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 5.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC5x

 
Welcome to Release 5.45, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpace. 

 

5.5 Release Notes

 

Note
titleWe highly recommend ALL users of DSpace 5.x upgrade to 5.5

DSpace 5.5 contains security fixes for the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.5.

 

DSpace 5.5 is a security & bug fix release to resolve several issues located in previous 5.x releases. As it only provides only bug/security fixes, DSpace 5.5 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.5.

Major bug fixes include:

  • XMLUI security fixes:
    • [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
      • Reported by Virginia Tech
  • JSPUI security fixes: 
    • [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.)
      • Reported by CINECA
  • REST fixes
    • Fixed the "/handle" endpoint (DS-2936)
    • REST webapp wasn't registering itself on startup (DS-2946)
  • OAI fixes
    • Fixed a few incorrect URL encoding issue (DS-3050)
    • Fixed the broken "NOT" filter (DS-2820)
  • Configuration Fixes
    • Fixed misspelling in dcterms registry (conformsTo) (DS-2998) 
    • Updated our default DataCite configurations to point at the updated DataCite test server (DS-2923)
  • Other minor fixes
    • Broken SQL query in Item.findByMetadataFieldAuthority API method (DS-2517)
    • Mirage2: Ensured printing the item page from doesn't include bitstream URLs (DS-2893)

In addition, this release fixes minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.

5.4 Release Notes

Note
titleWe highly recommend any JSPUI users of DSpace 5.x upgrade to 5.4

DSpace 5.4 contains security fixes for the JSPUI only. To ensure your 5.x site is secure, we highly recommend JSPUI DSpace 5.x users upgrade to DSpace 5.4.

...