Versions Compared

Old Version 4

changes.mady.by.user Mark H. Wood

Saved on

compared with

New Version Current

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Version 5.1

Warning

Support for DSpace 5 .1 is still in the planning stages and will be released sometime in February/March 2015.ended on January 1, 2023.  See Support for DSpace 5 and 6 is ending in 2023


Tip
titleDSpace 5.1 was officially released to the public on MM DDFebruary 25, 2015.

DSpace 5.1 can be downloaded immediately at either of the following locationsfrom:

More information on the 5.1

(Git tag "dspace-5.1")

In addition, you are welcome to try out DSpace on http://demo.dspace.org/ and continue to provide any feedback you may have.

release (and the 5.x platform in general) can be found in the 5.x Release Notes.


Noteinfo
titleWe highly recommend any users of DSpace 5.x users upgrade to 5.1

Generally we DSpace 5.1 contains security fixes for both the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend all DSpace 5.x users upgrade to DSpace 5.1 to receive several bug fixes. However, if you decide that none of the bug fixes are relevant for you then there is no urgent case for upgrading.

We also highly recommend removing any  "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern. The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by this setting.


Note
titleWe highly recommend DSpace 1.x.x users upgrade to DSpace 3.4, 4.3 or 5.1

If you are running an older, unsupported version of DSpace (1.x.x), we highly recommend upgrading to DSpace 3.4, DSpace 4.3 or DSpace 5.1 to ensure your site is secure. Several of these security vulnerabilities also affect sites which are running DSpace 1.x.x releases. Per our DSpace Software Support Policy, all DSpace 1.x.x versions are now End-Of-Life.

If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace. Therefore, you may wish to consider upgrading directly to DSpace 5.1, as the 5.x upgrade process is simplified.


Table of Contents
minLevel2
outlinetrue
stylenone

Summary

DSpace 5.1 provides bug-fixes and minor improvements to the 5.x platform. As is a security and bug fix release to resolve several issues located in DSpace 5.0. As it only provides only bug - fixes, DSpace 5.1 should constitute an easy upgrade from DSpace 5.x 0 for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x 0 to 5.1.

Issues which have been resolved in 5.1 include:

  • bug title (DS-xxxx)
  • ...
  • Other minor fixes. See Changes in 5.x section for a list of all fixes.

Upgrade Instructions

This release addresses the following security issues discovered in DSpace 5.x and below:

  • XMLUI Security Fixes

    • [HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities (DS-2445 - requires a JIRA account to access for two weeks, and then will be public): These vulnerabilities allow someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2.

      • Discovered by: Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team

    • In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory. In addition, the Tomcat documentation details "allowLinking=true" as a possible security concern.  However, you still must upgrade or patch your DSpace in order to completely resolve this vulnerability.
  • JSPUI Security Fixes
    • [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings (DS-1702 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow a depositor/submitter to embed dangerous Javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has existed since DSpace 1.5.x.
    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form (DS-2044 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x

In addition, this release fixes a variety of minor bugs in the 5.0 release. For more information, see the Changes section below.


Upgrade Instructions

No new features in DSpace 5.1

Note

5.1 is a bug-fix / security-fix release. This means it includes no new features and only includes fixes for bugs which were found in the 5.0 release.the above listed security fixes

For a list of all new 5.x Features, please visit the DSpace the 5.0 x Release Notes.

...

Changes

The following unresolved tickets are currently scheduled for DSpace security fixes were released in 5.1. This does NOT guarantee that they will be fixed in this release, however, we hope to find volunteers to help accomplish as many of these tickets as possible:

Jira
serverDuraSpace JIRA
jqlQueryproject = DS AND fixVersion = 5.1 AND resolution = Unresolved ORDER BY due ASC, priority DESC, created ASC
serverIdc815ca92-fd23-34c2-8fe3-956808caf8c5

 

Changes

All of these tickets require a valid JIRA account to view the details:

  • DS-1702 - Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings
  • DS-2044 - Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form
  • DS-2445 - XMLUI Directory Traversal Vulnerabilities
  • DS-2448 - JSPUI Directory Traversal Vulnerability

The following bug fixes The following improvements were released in 5.1.

Jira
serverDuraSpace JIRA
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
maximumIssues20
jqlQueryproject = DS AND issuetype in (Task, Improvement, "Code Task", Documentation, Sub-task) AND resolution = Fixed AND fixVersion = "45.1" ORDER BY key ASC
serverIdc815ca92-fd23-34c2-8fe3-956808caf8c5

Bugs

The following bugs were fixed in 5.1:

 

Jira
serverDuraSpace JIRA
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
maximumIssues20
jqlQueryproject = DS AND issuetype = Bug AND resolution = Fixed AND fixVersion = "5.1" ORDER BY key ASC
serverIdc815ca92-fd23-34c2-8fe3-956808caf8c5

...

  • Release Coordinator: Committers Team (shared coordination) led by TODO Tim Donohue

Timeline and Proceeding

Release Timeline:

  • Release Date: MM DD, 2015

 

...

  • February 25, 2015