This release addresses the following security issues discovered in DSpace 4.x and below:
...
- [MEDIUM SEVERITY] Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access)
- Reported by Andrea Bollini (4Science)
- JSPUI, XMLUI, REST security fixes:
- JSPUI and XMLUI
- [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access)
- (NOTE: this ticket was actually fixed in an earlier, unannounced 4.6 release, but it is also included in 4.7)
- Reported by Seth Robbins
- JSPUI, XMLUI and REST
- [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
- Reported by Franziska Ackermann
- JSPUI security fix:
- [HIGH SEVERITY] Any registered user can modify inprogress submission. (DS-2895 - requires a JIRA account to access)
- Reported by Andrea Bollini
In addition, this release fixes minor bugs in the 4.x releases. For more information, see the Changes in 4.x page.