Versions Compared

Old Version 27

changes.mady.by.user Tim Donohue

Saved on

compared with

New Version 28

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


Welcome to Release 4.3, a security release for the DSpace 4.x platform. For information on upgrading to DSpace 4, please see Upgrading DSpace.  

4.4 Release Notes

 

Note
titleWe highly recommend any JSPUI users of DSpace 4.x upgrade to 4.4

DSpace 4.4 contains security fixes for the JSPUI only. To ensure your 4.x site is secure, we highly recommend JSPUI DSpace 4.x users upgrade to DSpace 4.4.

DSpace 4.4 is a security fix release to resolve several issues located in DSpace 4.x JSPUI. As it only provides security-fixes, DSpace 4.4 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.4.

This release addresses the following security issues discovered in DSpace 4.x and below:

  • JSPUI security fixes: 
    • [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x 
      • Discovered by Genaro Contreras
    • [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x
      • Discovered by Genaro Contreras

4.3 Release Notes

Note
titleWe highly recommend any users of DSpace 4.x upgrade to 4.3

DSpace 4.3 contains security fixes for both the XMLUI and JSPUI. To ensure your 4.x site is secure, we highly recommend all DSpace 4.x users upgrade to DSpace 4.3.

We also highly recommend removing any  "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern. The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by this setting.

...