Page History
...
Table of Contents | ||||||
---|---|---|---|---|---|---|
|
Warning |
---|
Support for DSpace 5 ended on January 1, 2023. See Support for DSpace 5 and 6 is ending in 2023 |
Tip | ||
---|---|---|
| ||
DSpace 5.6 can be downloaded immediately from: More information on the 5.6 release (and the 5.x platform in general) can be found in the 5.x Release Notes Upgrade instructions can be found at Upgrading DSpace. |
...
DSpace 5.6 is a security & bug fix release to resolve several issues located in previous 5.x releases. As it only provides only bug/security fixes, DSpace 5.6 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.6.
Major bug fixes include:
- JSPUI, XMLUI, REST security fixes:
- JSPUI and XMLUI
- [
- MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-
- 3309 - requires a JIRA account to access
- Reported by Virginia Tech
- )
- Reported by Seth Robbins
- JSPUI, XMLUI and REST
- [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
- Reported by Franziska Ackermann
- Reported by Franziska Ackermann
- [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
- JSPUI and XMLUI
- JSPUI security fix:
- [HIGH SEVERITY] Any registered user can modify inprogress submission. (DS-2895
- [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.)
- Reported by CINECA Andrea Bollini (4Science)
- Reported by CINECA Andrea Bollini (4Science)
- REST fixes
- OAI fixes
- Configuration Fixes
- security fix:
- [HIGH SEVERITY] SQL Injection Vulnerability in 5.x REST API (DS-3250 - requires a JIRA account to access)
- Reported by Bram Luyten (Atmire)
- [HIGH SEVERITY] SQL Injection Vulnerability in 5.x REST API (DS-3250 - requires a JIRA account to access)
- JSPUI bug fixes:
- XMLUI bug fixes:
- Other minor fixes and improvements
METSRightsCrosswalk NPE During AIP Restore - No Anonymous Read (DS-3140)
AIP Restore is not respecting access restrictions (on Items) (DS-3266)
- Error when missing Context Description in xoai.xml (DS-2874)
- Bug fix to REST API 'find-by-metadata-field' (DS-3248
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.
...
Release Timeline:
- Release Date: September 2729, 2016