Page History
Info | ||
---|---|---|
| ||
This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 5.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC5x |
Welcome to Release 5.45, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpace.
5.5 Release Notes
Note | ||
---|---|---|
| ||
DSpace 5.5 contains security fixes for the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.5. |
DSpace 5.5 is a security & bug fix release to resolve several issues located in previous 5.x releases. As it only provides only bug/security fixes, DSpace 5.5 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.5.
Major bug fixes include:
- XMLUI security fixes:
- [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
- Reported by Virginia Tech
- Reported by Virginia Tech
- [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
- JSPUI security fixes:
- [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.)
- Reported by CINECA
- Reported by CINECA
- [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.)
- REST fixes
- OAI fixes
- Configuration Fixes
- Other minor fixes
In addition, this release fixes minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
5.4 Release Notes
Note | ||
---|---|---|
| ||
DSpace 5.4 contains security fixes for the JSPUI only. To ensure your 5.x site is secure, we highly recommend JSPUI DSpace 5.x users upgrade to DSpace 5.4. |
...