DSpace 5.6 is a security and bug fix release that resolves several issues found in previous 5.x releases. As it provides only bug and security fixes, DSpace 5.6 should be an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.6.
Major bug fixes include:
- JSPUI and XMLUI security fixes:
  - [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal vulnerability. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
    - Reported by Virginia Tech
    - Seth Robbins
  - [HIGH SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access.)
  - [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account. (DS-3063 - requires a JIRA account to access.)
  - [HIGH SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access.)
    - Reported by CINECA
- REST fixes
- OAI fixes
- Configuration fixes
  - Franziska Ackermann
- JSPUI security fix:
  - [HIGH SEVERITY] Any registered user can modify an in-progress submission. (DS-2895 - requires a JIRA account to access.)
    - Reported by Andrea Bollini (4Science)
- REST security fix:
  - [HIGH SEVERITY] SQL Injection vulnerability in the 5.x REST API (DS-3250)
    - Reported by Bram Luyten (Atmire)
- Other minor fixes and improvements:
  - JSPUI: Creative Commons license assignment silently fails (DS-2604) (improvement: use the Creative Commons REST API)
  - JSPUI: Upload a file with a description text during the submission process (DS-2623)
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.