Major bug fixes include:

• Security fixes for both JSPUI and XMLUI:

  • [HIGH SEVERITY] Basic (Traditional) Workflow approval process is vulnerable to unauthorized manipulations.(https://jira.duraspace.org/browse/DS-3647 - requires a JIRA account to access.) 
    • Discovered by Pascal Becker (The Library Code / TU Berlin).
  • [LOW SEVERITY] DSpace shipped with a version of Apache Commons Configuration that was vulnerable to COLLECTIONS-580 (Deserialization Vulnerability). (https://jira.duraspace.org/browse/DS-3520 - requires a JIRA account to access.)
    • Discovered by Alan Orth.
    [LOW SEVERITY] DSpace failed to check if policies had valid dates when checking access permissions.(https://jira.duraspace.org/browse/DS-3619 - requires a JIRA account to access
    • .
    ) 
    • Discovered by Pascal Becker (The Library Code / TU Berlin).
• Security fixes for REST API:
  • [HIGH SEVERITY] A user with submit permissions can bypass workflow approvals by depositing via REST API.(https://jira.duraspace.org/browse/DS-3281 - requires a JIRA account to access.) 
    • Discovered by Emilio Lorenzo.
• XMLUI bug fixes:
  • /handleresolver path was no longer working: DS-3366
  • Fix broken images when running Mirage 2 on Jetty: DS-3289
  • Improve error message when user attempts to update an e-mail address to an existing address: DS-3584
  • Fix error when uploading large files (>2GB) via a web browser: DS-2359
• JSPUI bug fixes
  • READ access rights not being respected on Collection homepage: DS-3441
• Solr Statistics fixes:
  
  • Sharding statistics corrupted some fields and was unstable: DS-3436, DS-3458
• AIP Backup and Restore fixes:
  • Failed AIP imports left files in assetstore: DS-2227