

Warning: Support for DSpace 6 will be ending on July 1, 2023. See Support for DSpace 5 and 6 is ending in 2023.


Tip: DSpace 6.4 was officially released to the public on July 28, 2022

DSpace 6.4 can be downloaded immediately from:

More information on the 6.3 release (and the 6.x platform in general) can be found in the 6.x Release Notes.

Upgrade instructions can be found at Upgrading DSpace


Note: We highly recommend ALL users of DSpace 6.x upgrade to 6.4

DSpace 6.4 contains security fixes for both the JSPUI and XMLUI. To ensure your 6.x site is secure, we highly recommend ALL DSpace 6.x users upgrade to DSpace 6.4.

DSpace 6.4 upgrade instructions are available at: Upgrading DSpace

Security fixes include:

  • [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI): Path traversal vulnerability in Simple Archive Format package import (ItemImportService API). This means a malicious SAF (Simple Archive Format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. This path traversal is only possible by a user with special privileges (Administrators or someone with command-line access to the server).
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31194 (impacts JSPUI only): The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, just by modifying some request parameters during submission. This path traversal can only be executed by a user with submitter rights.
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31193 (impacts JSPUI only): The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice.
    • Reported by Johannes Moritz of Ripstech
  • [MODERATE] CVE-2022-31191 (impacts JSPUI only): The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to Cross Site Scripting (XSS).
    • Reported by Hassan Bhuiyan, Brunel University London
  • [MODERATE] CVE-2022-31192 (impacts JSPUI only): The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
    • Reported by Andrea Bollini of 4Science
  • [LOW] CVE-2022-31189 (impacts JSPUI only): When an "Internal System Error" occurs in the JSPUI, the entire exception (including stack trace) is available. Information in this stack trace may be useful to an attacker in launching a more sophisticated attack.
    • Reported by Johannes Moritz of Ripstech
  • [LOW] CVE-2022-31190 (impacts XMLUI only): Metadata of withdrawn Items is exposed to anonymous users in XMLUI.
    • Reported by David Cavrenne of Atmire
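The two HIGH items above are both the same class of defect: a file name taken from untrusted input (a package entry or a request parameter) is joined onto a directory the server process may write to, and ".." segments or an absolute name move the result outside that directory. The Java below is an added example, not DSpace code and not the patch that fixed these CVEs; it shows the containment check an importer needs before creating any file from such a name. The class name, the base directory and the entry names are constructed for illustration, and the example assumes a POSIX filesystem (on Windows a leading "/" alone is not an absolute path).

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/**
 * Added example (not DSpace code): resolving entry names from an untrusted
 * package against the one directory the importer is allowed to write into.
 * Class name, base directory and entry names are constructed for illustration.
 */
public final class SafePathResolver {

    private SafePathResolver() {
    }

    /**
     * Vulnerable form: trusts the entry name. ".." segments or an absolute
     * name make the result land outside baseDir, i.e. anywhere the process
     * can write. resolve() even discards baseDir entirely for absolute input.
     */
    static Path resolveUnsafe(Path baseDir, String entryName) {
        return baseDir.resolve(entryName).normalize();
    }

    /**
     * Hardened form: reject absolute names, normalize away "." and "..",
     * and require the normalized result to still begin with baseDir.
     * Path.startsWith compares whole segments, so "/import/pkg1-evil" is
     * not accepted for base "/import/pkg1" (a String prefix check would be).
     * This check is lexical: it does not follow symlinks, so a package that
     * may contain symlinks also needs a toRealPath() check once the parent
     * directory exists, or symlinks must be refused outright.
     */
    static Path resolveContained(Path baseDir, String entryName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate = Paths.get(entryName);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute entry name rejected: " + entryName);
        }
        Path target = base.resolve(candidate).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("entry escapes base directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/dspace/import/pkg1"); // constructed path
        List<String> entries = List.of(
                "item_001/contents",                        // legitimate
                "item_001/../../../../outside/file.txt",    // traversal via ".."
                "/tmp/outside.txt");                        // absolute name
        for (String name : entries) {
            System.out.println("unsafe    -> " + resolveUnsafe(base, name));
            try {
                System.out.println("contained -> " + resolveContained(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("contained -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running the example shows the unsafe resolver yielding /var/dspace/outside/file.txt and /tmp/outside.txt for the second and third names, while the contained resolver accepts only the first. The same check applies to the upload case: a file name or target directory supplied as a request parameter is untrusted input in exactly the same way as an entry name inside a package.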

Major bug fixes include:

Minor improvements include:

  • Limit the usage of PDFBoxThumbnail media filter to PDFs: DS-3873
  • Update PDFBox version: #2742
  • Update spider user agent file for more accurate Solr usage statistics: DS-4587 (#3333)
  • Update JavaScript dependencies: DS-4508 (#2918)
  • Remove non-existent command from OAI's CLI help: DS-4260 (#2439)
  • Fix Discovery index command when using the "-c" (clean) option: DS-4393 (#2606)
  • Fix issue with bulkedit.ignore-on-export parameter on DSpaceCSV: #2661
  • Improve dspace structure-builder error messages: DS-4087 (#2681)
  • Remove GeoIP download Ant target, reconfigure for external provision: DS-4409 (#2652)
  • Restores getSize() in Bitstream for replication task suite: DS-3895 (#2683)
  • Remove unnecessary second Context in RDFConsumer: #8152
  • Fix minor security issue with HTML links using target="_blank": DS-3891 (#7238)
  • Correctly remove Handle server lock file: DS-3946 (#2114)
  • Make automatic Discovery re-indexing configurable: DS-3658 (#2184)
  • Allow configuring max results per page in search: DS-4120 (#2306)
  • Improve OAI performance for large installs: DS-4136 (#2320)
  • Avoid crosswalking invalid publish dates for Google Scholar: DS-4104 (#2294)
  • Bitstreams should keep their formats when being versioned: DS-4078 (#2261)
  • Only execute ImageMagick identify on the first page of PDF: DS-3664 (#2201)
  • Allow OAI Harvester to continue if it encounters an Item missing a handle: DS-3939 (#2106)
    • Note: the OAI Harvester Consumer has been completely removed from the DSpace codebase and should be removed from any configuration files referencing it: DS-4129 (#2314).

View the full list of changes for DSpace 6.4 on GitHub.

6.4 Acknowledgments

The 6.4 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs).

The following individuals provided tests, code, bug fixes, or review to the 6.4 release (in alphabetical order by given name): Alan Orth, Alexander Sulfrian, Andrea Bollini, Andrea Jenis Saroni, Andrew Wood, Anis, Bram Luyten, Chris Herron, Chris Wilper, Cornelius Matějka, Francesco Pio Scognamiglio, Giuseppe Digilio, Hrafn Malmquist, Huma Zafar, Iordanis Kostelidis, Istvan Vig, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Leonardo Guerrero, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Martin Walk, Nicholas Woodward, Pascal-Nicolas Becker, Paulo Graça, Philip Vissenaekens, PTrottier, Saiful Amin, Samuel, santit96, ssolim, Terry Brady, Tim Donohue, Toni Prieto.

This page tracks the scope and progress of the upcoming DSpace 6.4 release.

If you know of an open JIRA issue or contribution that you really want to see make it into 6.4 that isn't listed on this page, you can give it some attention by posting a message to the DSpace Developer mailing list, and/or giving it a shout-out in the #dev channel in the DSpace Slack.

If you're able to volunteer time to code up a solution related to a JIRA issue that needs a volunteer, send in that Pull Request against the dspace-6_x branch!

If you're able to review and test an open Pull Request to help get it approved and merged, please do try out some PRs currently waiting for reviews and give your comments / results to help us keep things moving.

Note: Please remember to forward port accepted PRs to 7.0 (master), where applicable

Any non-JSPUI and non-XMLUI bug fixes should be ported to the "master" branch to ensure they remain fixed in 7.0. This includes any fixes to the Java API, OAI-PMH, REST API (as it's deprecated but still included in 7.0), SWORD (v1 or v2) or RDF. Any forward-port PRs can be merged quickly, provided that the original PR was accepted/merged for 6.4, one reviewer approves & all tests pass in Travis CI. If there are any questions, or you need a quick review on a forward-port PR, contact Tim Donohue.

Scope and plan

DSpace 6.3 was released in June 2018. A new minor release for 6.x (and 5.x, 4.x) is really needed to help keep the community up to date with bug fixes and improvements.

Though there are many open PRs and issues against 6.x or flagged for 6.4, it is likely that only a critical subset of these PRs will be included in 6.4 by <deadline> to ensure timely release. Many DSpace developers and committers are busy with the DSpace 7.0 release and can't divert too much energy to 6.4, so the release process will have to be fairly lean.

Release team volunteers (put a hand up if you want to help!):

  • Kim Shepherd
  • Hrafn Malmquist
  • Nicholas Woodward
  • Luigi Andrea Pascarelli (4Science) - (high interest in having DS-4149 OpenAIRE literature v4 and DS-2715 ORCID support for JSPUI included in the release)

Tentative cut-off for PR merging: April 14 2020

Suggested pre-release application (usability, functional) tests for DSpace 6.4

The below cover most of the fixes and improvements in DSpace 6.4. If we can get volunteers pooled / assigned so that a couple of people are thoroughly testing each of the below functional areas, that'll help confidence in release stability and in catching any last minute problems:

  •  (TODO, complete this list after review of PRs)

Approved PRs that just need merging

These PRs are flagged for 6.4 and already have approval. They should be reviewed again and either merged (& ported to master branch where applicable) or rescheduled (if for some reason the approval is not enough to get them into 6.4).

TODO

Do we need the full "first review, second review, test, merge, port" checklist here? Depends how our workload looks. Certainly if there are PRs people are lobbying for, a list might help. (see 6.3 equiv checklist DSpace Release 6.3 Status)

Open PRs flagged for 6.4 milestone (Github):

https://github.com/DSpace/DSpace/pulls?q=is%3Aopen+is%3Apr+milestone%3A6.4

Non-closed JIRA Issues with 6.4 milestones:

[Jira issue list: DuraSpace JIRA, filter "Open 6.4 Issues", up to 20 issues; columns: key, summary, type, created, updated, due, assignee, reporter, priority, status, resolution]

Fixed for 6.4:

[Jira issue list: DuraSpace JIRA, filter "Closed 6.4 issues", up to 20 issues; columns: key, summary, type, created, updated, due, assignee, reporter, priority, status, resolution]