Versions Compared

Old Version 1

changes.mady.by.user Luigi Andrea Pascarelli (4Science)

Saved on

compared with

New Version Current

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents
minLevel2
outlinetrue
stylenone

Warning

Support for DSpace 5 ended on January 1, 2023.  See Support for DSpace 5 and 6 is ending in 2023


Tip
titleDSpace 5.6 was officially released to the public on September 2729, 2016.

DSpace 5.6 can be downloaded immediately from:

More information on the 5.6 release (and the 5.x platform in general) can be found in the 5.x Release Notes

Upgrade instructions can be found at Upgrading DSpace.

...

DSpace 5.6 is a security & bug fix release to resolve several issues located in previous 5.x releases. As it only provides only bug/security fixes, DSpace 5.6 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.6.
 

Major bug fixes include:

  • JSPUI, XMLUI, REST security fixes:
    • JSPUI and XMLUI
      •  [
      HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal
      • MEDIUM SEVERITY]  XML External Entity (XXE) vulnerability in pdfbox. (DS-
      3094
      • 3309 - requires a JIRA account to access
      .) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
      • Reported by Virginia Tech
      • )
        • Reported by Seth Robbins  
    • JSPUI, XMLUI and REST
      • [MEDIUM SEVERITY]  Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
        • Reported by Franziska Ackermann
  • JSPUI security fix:
    • [HIGH SEVERITY]  Any registered user can modify inprogress submission. (DS-2895
    JSPUI security fixes: 
    • [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.) 
  • REST fixes
    • Fixed the "/handle" endpoint (DS-2936)
    • REST webapp wasn't registering itself on startup (DS-2946)
  • OAI fixes
    • Fixed a few incorrect URL encoding issue (DS-3050)
    • Fixed the broken "NOT" filter (DS-2820)
  • Configuration Fixes
    • Fixed misspelling in dcterms registry (conformsTo) (DS-2998) 
    • Updated our default DataCite configurations to point at the updated DataCite test server (DS-2923)
  • security fix:
    • [HIGH SEVERITY]  SQL Injection Vulnerability in 5.x REST API (DS-3250 - requires a JIRA account to access)
  • JSPUI bug fixes:
    • JSPUI: Creative Commons license fails with fetch directy the url (instead use the Creative Commons REST API) (DS-2604)
    • JSPUI: Upload a file, multifile, with a description text during the submission process (DS-2623)
    • JSPUI: Bug fix to EPerson popup (DS-2968)
  • XMLUI bug fixes:
    • XMLUI: Recyclable Cocoon components should clear local variables (DS-3246)
    • XMLUI: "Request a copy" feature was not working when the property request.item-type was set to all ( DS-3294)
    • XMLUI: Bug fix to policy search form (DS-3206)
  • Other minor fixes and improvements

    • METSRightsCrosswalk NPE During AIP Restore - No Anonymous Read (DS-3140)

    • AIP Restore is not respecting access restrictions (on Items) (DS-3266)

    • Error when missing Context Description in xoai.xml (DS-2874)
    • Bug fix to REST API 'find-by-metadata-field' (DS-3248
    Other minor fixes
    • Broken SQL query in Item.findByMetadataFieldAuthority API method (DS-2517)
    • Mirage2: Ensured printing the item page from doesn't include bitstream URLs (DS-2893)

In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.

...

Release Timeline:

  • Release Date: September 2729, 2016