Contribute to the DSpace Development Fund
The newly established DSpace Development Fund supports the development of new features prioritized by DSpace Governance. For a list of planned features see the fund wiki page.
Version 4.9
DSpace 4.9 was officially released to the public on June 25, 2018.
DSpace 4.9 can be downloaded immediately from:
More information on the 4.9 release (and the 4.x platform in general) can be found in the 4.x Release Notes.
Upgrade instructions can be found at Upgrading DSpace
We highly recommend ALL JSPUI users of DSpace 4.x upgrade to 4.9
DSpace 4.9 contains security fixes for the JSPUI (only). To ensure your 4.x JSPUI site is secure, we highly recommend ALL JSPUI DSpace 4.x users upgrade to DSpace 4.9.
DSpace 4.9 upgrade instructions are available at: Upgrading DSpace
Summary
DSpace 4.9 is a security fix release to resolve several issues located in previous 4.x releases. As such, DSpace 4.9 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.9.
This release addresses the following security issues discovered in DSpace 4.x and below:
DSpace JSPUI security fixes:
[HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.)
Reported by Julio Brafman
[MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.)
Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)
In addition, this release fixes a few minor bugs in the 4.x releases. For more information, see the Changes section below.
Upgrade Instructions
- For upgrade instructions for 4.x to 4.9, please see Upgrading From 4.0 to 4.x.
- If you are upgrading from 3.x to 4.9, please see Upgrading From 3.x to 4.x.
- For general upgrade instructions, please see Upgrading DSpace.
No new features in DSpace 4.9
4.9 is a security fix release. This means it includes no new features and only includes the above listed security fixes.
For a list of all new 4.x Features, please visit the 4.x Release Notes.
Changes
The following bug fixes were released in 4.9.
Organizational Details
Release Coordination
- Release Coordinator: Committers Team (shared coordination)
Timeline and Proceeding
Release Timeline:
- Release Date: June 25, 2018