Contribute to the DSpace Development Fund

The newly established DSpace Development Fund supports the development of new features prioritized by DSpace Governance. For a list of planned features see the fund wiki page.

DSpace Release 4.9 Status

Created by Tim Donohue, last modified on Jun 25, 2018

Version 4.9

DSpace 4.9 was officially released to the public on June 25, 2018.

DSpace 4.9 can be downloaded immediately from:

https://github.com/DSpace/DSpace/releases/tag/dspace-4.9

More information on the 4.9 release (and the 4.x platform in general) can be found in the 4.x Release Notes.

Upgrade instructions can be found at Upgrading DSpace

We highly recommend ALL JSPUI users of DSpace 4.x upgrade to 4.9

DSpace 4.9 contains security fixes for the JSPUI (only). To ensure your 4.x JSPUI site is secure, we highly recommend ALL JSPUI DSpace 4.x users upgrade to DSpace 4.9.

DSpace 4.9 upgrade instructions are available at: Upgrading DSpace

Summary

DSpace 4.9 is a security fix release to resolve several issues located in previous 4.x releases. As such, DSpace 4.9 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.9.

This release addresses the following security issues discovered in DSpace 4.x and below:

DSpace JSPUI security fixes:

[HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.)
- Reported by Julio Brafman
[MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.)
- Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)

In addition, this release fixes a few minor bugs in the 4.x releases. For more information, see the Changes section below.

Upgrade Instructions

For upgrade instructions for 4.x to 4.9, please see Upgrading From 4.0 to 4.x.
If you are upgrading from 3.x to 4.9, please see Upgrading From 3.x to 4.x.
For general upgrade instructions, please see Upgrading DSpace.

No new features in DSpace 4.9

4.9 is a security fix release. This means it includes no new features and only includes the above listed security fixes.

For a list of all new 4.x Features, please visit the 4.x Release Notes.

Changes

The following bug fixes were released in 4.9.

key	summary	type	created	updated	due	assignee	reporter	priority	status	resolution
Unable to locate Jira server for this macro. It may be due to Application Link configuration.

Organizational Details

Release Coordination

Release Coordinator: Committers Team (shared coordination)

Timeline and Proceeding

Release Timeline:

Release Date: June 25, 2018

No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.

Page tree