Contribute to the DSpace Development Fund

The newly established DSpace Development Fund supports the development of new features prioritized by DSpace Governance. For a list of planned features see the fund wiki page.

Version 5.6

Support for DSpace 5 ended on January 1, 2023.  See Support for DSpace 5 and 6 is ending in 2023

DSpace 5.6 was officially released to the public on September 29, 2016.

DSpace 5.6 can be downloaded immediately from:

More information on the 5.6 release (and the 5.x platform in general) can be found in the 5.x Release Notes

Upgrade instructions can be found at Upgrading DSpace.

We highly recommend ALL users of DSpace 5.x (or below) upgrade to 5.6

DSpace 5.6 contains security fixes for both the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend ALL DSpace 5.x users upgrade to DSpace 5.6.

Summary

DSpace 5.6 is a security & bug fix release to resolve several issues located in previous 5.x releases. As it only provides only bug/security fixes, DSpace 5.6 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.6.
 

Major bug fixes include:

  • JSPUI, XMLUI, REST security fixes:
    • JSPUI and XMLUI
      •  [MEDIUM SEVERITY]  XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access)
        • Reported by Seth Robbins  
    • JSPUI, XMLUI and REST
      • [MEDIUM SEVERITY]  Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
        • Reported by Franziska Ackermann
  • JSPUI security fix:
  • REST security fix:
    • [HIGH SEVERITY]  SQL Injection Vulnerability in 5.x REST API (DS-3250 - requires a JIRA account to access)
  • JSPUI bug fixes:
    • JSPUI: Creative Commons license fails with fetch directy the url (instead use the Creative Commons REST API) (DS-2604)
    • JSPUI: Upload a file, multifile, with a description text during the submission process (DS-2623)
    • JSPUI: Bug fix to EPerson popup (DS-2968)
  • XMLUI bug fixes:
    • XMLUI: Recyclable Cocoon components should clear local variables (DS-3246)
    • XMLUI: "Request a copy" feature was not working when the property request.item-type was set to all ( DS-3294)
    • XMLUI: Bug fix to policy search form (DS-3206)
  • Other minor fixes and improvements

    • METSRightsCrosswalk NPE During AIP Restore - No Anonymous Read (DS-3140)

    • AIP Restore is not respecting access restrictions (on Items) (DS-3266)

    • Error when missing Context Description in xoai.xml (DS-2874)
    • Bug fix to REST API 'find-by-metadata-field' (DS-3248)

In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.

Upgrade Instructions

  • For upgrade instructions from ANY PRIOR VERSION to 5.6, please see Upgrading DSpace
  • When upgrading from any 5.x version, if you're reusing your 5.x configuration, make sure to change all instances of Filter attribute "red" to "ref" (e.g. <Filter red="exampleFilter" /> to <Filter ref="exampleFilter" />) in [dspace]/config/crosswalks/oai/oai.xml. "red" was a temporary workaround for a bug (xoai issue #32), which was fixed in DSpace 5.4.

No new features in DSpace 5.6

5.6 is a bug-fix release. This means it includes no new features and only includes the above listed fixes.

For a list of all new 5.x Features, please visit the 5.x Release Notes.

Changes

The following bug fixes were released in 5.6.

 

key summary type created updated due assignee reporter priority status resolution

Unable to locate Jira server for this macro. It may be due to Application Link configuration.

Organizational Details

Release Coordination

  • Release Coordinator: Committers Team (shared coordination)

Timeline and Proceeding

Release Timeline:

  • Release Date: September 29, 2016
  • No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.