Info: This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 5.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC5x
Welcome to Release 5.6, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpace.
5.6 Release Notes
Note: DSpace 5.6 contains security fixes for the XMLUI, JSPUI and REST. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.6. DSpace 5.6 upgrade instructions are available at: Upgrading DSpace
DSpace 5.6 is a security and bug-fix release that resolves several issues found in previous 5.x releases. As it provides only bug and security fixes, DSpace 5.6 should be an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.6.
Major bug fixes include:
- JSPUI, XMLUI, REST security fixes:
  - JSPUI and XMLUI
    - [HIGH SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access)
      - Reported by Seth Robbins
  - JSPUI, XMLUI and REST
    - [HIGH SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
      - Reported by Franziska Ackermann
- JSPUI security fix:
  - [HIGH SEVERITY] Any registered user can modify in-progress submission. (DS-2895 - requires a JIRA account to access)
    - Reported by Andrea Bollini (4Science)
- REST security fix:
  - [HIGH SEVERITY] SQL Injection Vulnerability in 5.x REST API (DS-3250 - requires a JIRA account to access)
    - Reported by Bram Luyten (Atmire)
- Other minor fixes and improvements
  - JSPUI: Creative Commons license fails with fetch directly the url (instead use the Creative Commons REST API) (DS-2604)
  - JSPUI: Upload a file, multifile, with a description text during the submission process (DS-2623)
  - XMLUI: Recyclable Cocoon components should clear local variables (DS-3246)
  - METSRightsCrosswalk NPE During AIP Restore - No Anonymous Read (DS-3140)
  - AIP Restore is not respecting access restrictions (on Items) (DS-3266)
In addition, this release fixes minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
5.5 Release Notes
Note: DSpace 5.5 contains security fixes for the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.5. DSpace 5.5 upgrade instructions are available at: Upgrading DSpace
...