Info: This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 5.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC5x
Warning: Support for DSpace 5 will be ending on January 1, 2023. See Support for DSpace 5 and 6 is ending in 2023.
Welcome to Release 5.11, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpace.
5.11 Release Notes
Note: DSpace 5.11 contains security and bug fixes for both the JSPUI and XMLUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.11. DSpace 5.11 upgrade instructions are available at: Upgrading DSpace
Summary
DSpace 5.11 is a bug fix release to resolve several issues located in previous 5.x releases. As it only provides security and bug fixes, DSpace 5.11 should constitute an easy upgrade from DSpace 5.x for most users. No database changes should be necessary when upgrading from DSpace 5.x to 5.11.
Security fixes include:
- [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI): Path traversal vulnerability in Simple Archive Format package import (ItemImportService API). This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. This path traversal is only possible by a user with special privileges (Administrators or someone with command-line access to the server).
  - Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31194 (impacts JSPUI only): The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, just by modifying some request parameters during submission. This path traversal can only be executed by a user with submitter rights.
  - Reported by Johannes Moritz of Ripstech
- [HIGH] CVE-2022-31193 (impacts JSPUI only): The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice.
  - Reported by Johannes Moritz of Ripstech
- [MODERATE] CVE-2022-31191 (impacts JSPUI only): The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to Cross Site Scripting (XSS).
  - Reported by Hassan Bhuiyan, Brunel University London
- [MODERATE] CVE-2022-31192 (impacts JSPUI): The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
  - Reported by Andrea Bollini of 4Science
Major bug fixes include:
- Fix Mirage 2 build broken by disappearance of JRuby gems torquebox.org mirror: https://github.com/DSpace/DSpace/commit/0428da8dab7a02c592ec96ab9cea545f5b6de42d
- Database fixes
  - Migrate update-sequences.sql script to the dspace database command: DS-4167 (#2361)
- XMLUI fixes
  - Fix Discovery label for metadata values under authority control: DS-2852 (#1701)
  - Fix missing date values while faceting: DS-3791 (#2679)
  - Fix support for custom sitemap.xmap in Mirage 2: DS-3545 (#1691)
- JSPUI fixes
  - Fix bug in JSPUI Shibboleth session renewal: DS-3444 (#2566)
  - Update Sherpa Romeo layout: DS-4377 (#2565)
  - Fix issue with duplicate headers when bitstream title has a comma: DS-4340 (#2514)
- REST API fixes
  - Fix Maven build issue due to blocking of plaintext HTTP repositories: #3247 (see #3274)
  - Improve performance of collections endpoints: DS-4342 (#2517)
Minor improvements include:
- Fix Discovery index command when using the "-c" (clean) option: DS-4393 (#2605)
- Avoid crosswalking invalid publish dates for Google Scholar: DS-4104 (#2295)
View the full list of changes for DSpace 5.11 on GitHub.
5.11 Acknowledgments
The 5.11 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs).
The following individuals provided tests, code or bug fixes or review to the 5.11 release (in alphabetical order by given name): Andrea Bollini, Andrea Jenis Saroni, Andrew Bennet, Bram Luyten, Hrafn Malmquist, Iordanis Kostelidis, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Pascal-Nicolas Becker, Philip Vissenaekens, samuel, Terry Brady, Tim Donohue.
5.10 Release Notes
Note: Unfortunately, bug fixes in the DSpace 5.9 release resulted in issues running DSpace 5.9 on Java 7, and with running the REST API and RDF interfaces. These issues are being resolved in an upcoming 5.10 release (see below for more details). Sites which are dependent on one of these features should consider upgrading directly from DSpace 5.8 to 5.10.
Summary
DSpace 5.10 is a bug fix release to resolve JAR dependency issues found in DSpace 5.9 for users running Java 7 (regardless of Tomcat version).
This release also addresses a bug in the DSpace 5.9 release that prevented VIEW statistics from being logged by DSpace.
Other minor bug fixes have been included in the release.
Major bug fixes include
- DS-4000: DSpace 5.9 - REST Service Does Not Run
- DS-3938: After upgrading PostgreSQL JDBC driver, DSpace does not run on JDK 7
- DS-4020: DSpace 5.9 is not saving VIEW events to statistics repo (SEARCH and WORKFLOW are saved)
Other fixes include
- DS-4007: PDF Text Extractor can cause strings like "content-type" to show up in search snippets
  - To fully realize the benefit of this fix, a full Discovery reindex is recommended.
  - If you don't reindex, newly added bitstreams would no longer display the file metadata in their index. (But, old bitstreams would still continue to display file metadata until you do a full reindex.)
  - Institutions unaffected/unconcerned by this bug do not need to reindex. If you do choose to reindex, then the bug would be fully fixed.
- DS-2948: Filter-media: file metadata indexed in full text
- DS-3664: Color Profile Detection Method in ImageMagick filter is prohibitively slow
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.
Upgrade Instructions
For upgrade instructions from ANY PRIOR VERSION to 5.10, please see Upgrading DSpace
- When upgrading from any 5.x version, if you're reusing your 5.x configuration, make sure to change all instances of Filter attribute "red" to "ref" (e.g. <Filter red="exampleFilter" /> to <Filter ref="exampleFilter" />) in [dspace]/config/crosswalks/oai/xoai.xml. "red" was a temporary workaround for a bug (xoai issue #32), which was first fixed in DSpace 5.4.
No new features in DSpace 5.10
Note: 5.10 is a bug-fix release. This means it includes no new features and only includes the above listed fixes. For a list of all new 5.x Features, please visit the 5.x Release Notes.
5.10 Acknowledgments
The 5.10 release was led by Terrence W Brady.
The following individuals provided code or bug fixes to the 5.10 release: Terrence W Brady, Alexander Sulfrian, Philip Vissenaekens (Atmire), Jozsef Marton.
5.9 Release Notes
Note: DSpace 5.9 contains security fixes for the JSPUI (only). To ensure your 5.x JSPUI site is secure, we highly recommend ALL JSPUI DSpace 4.x users upgrade to DSpace 5.9. DSpace 5.x XMLUI users may also wish to upgrade as several major bugs have been fixed in the XMLUI as well. DSpace 5.9 upgrade instructions are available at: Upgrading DSpace
DSpace 5.9 is a security & bug fix release to resolve several issues located in previous 5.x releases. As it only provides bug/security fixes, DSpace 5.9 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.9.
JSPUI security fixes include:
- [HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.)
  - Reported by Julio Brafman
- [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.)
  - Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)
Major bug fixes include:
- Update DSpace ORCID Integration to use ORCID API v2 (instead of now obsolete ORCID v1): DS-3447
- Update DSpace Statistics to use GeoIP API v2 (instead of now discontinued GeoIP API v1): DS-3832
- Other API-level fixes (affecting all UIs)
  - PostgreSQL JDBC driver upgraded to latest version (to allow for full compatibility with PostgreSQL v10): DS-3854
  - Ensure ImageMagick thumbnails respect the orientation of original file: DS-3839
- OAI-PMH Fixes
- XMLUI Fixes
  - Fixed Mirage v2 build issues caused by Bower Registry URL change: DS-3936
  - Fixed performance issues for Items with 100+ bitstreams: DS-3883
  - Fix issue where search results lose Community/Collection context when sorting: DS-3835
  - Update Mirage to use recommended MathJax inline delimiters (DS-3087) and to use new CDN location (DS-3560)
In addition, this release fixes minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
5.9 Acknowledgments
The 5.9 release was led by the DSpace Committers.
The following individuals provided code or bug fixes to the 5.9 release: Pascal-Nicolas Becker, Ben Bosman, Terry Brady, Tim Donohue, Alex Magaz Graça, Lotte Hofstede, Ivan Masár, Hardy Pottinger, Kim Shepherd, Jonas Van Goolen and Mark H. Wood.
5.8 Release Notes
Note: DSpace 5.8 contains a fix to the ImageMagick thumbnail creation process. We highly recommend ALL DSpace 5.x users upgrade to DSpace 5.8. DSpace 5.8 upgrade instructions are available at: Upgrading DSpace
DSpace 5.8 contains a fix for a bug introduced in DSpace 5.7. As it only provides bug/security fixes, DSpace 5.8 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.8.
...
- Resolve a performance issue in the ImageMagick Thumbnail Creation process for PDF files. (DS-3661)
Other fixes
- Update automated testing resources (DS-3674)
- Set a particular version for CSS processing in Mirage2
...
The following individuals provided code or bug fixes to the 5.8 release: Terry Brady (terrywbrady), Tim Donohue (tdonohue), Hardy Pottinger (hardyoyo). Release support provided by Mark Wood (mwood).
...
- Solr statistics upgrade fixes:
- OAI fixes:
  - Handle dates correctly in resumption tokens, so that harvesting captures the full specified range. (DS-2546, DS-2582)
  - List all authors in METS formatted metadata. (DS-2474)
  - Change the declared OAI deletion mode to "transient", which corresponds to what DSpace actually does. (DS-2491)
  - Restore the ability to create additional Filters for OAI-PMH interface. (DS-2423)
- REST API fixes:
- Other notable fixes:
  - "dspace update-handle-prefix" failed when using Oracle DB. (DS-2218)
  - Do not index items that are still in a submitter's workspace. (DS-2403)
  - Remember the context (community, collection) during browsing. (DS-2482)
  - Better handle upload of file with a semicolon in its name. (DS-2513)
  - EZID DOI minting properly sets the URI of the identified item. (DS-2518)
  - Update of the list of robots recognized by DSpace. (DS-2531)
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
...