Old Release
This documentation relates to an old version of DSpace, version 5.x. Looking for another version? See all documentation.
Support for DSpace 5 ended on January 1, 2023. See Support for DSpace 5 and 6 is ending in 2023
Online Version of Documentation also available
This documentation was produced with Confluence software. A PDF version was generated directly from Confluence. An online, updated version of this 5.x Documentation is also available at: https://wiki.duraspace.org/display/DSDOC5x
Welcome to Release 5.3, a bug-fix release for the DSpace 5.x platform. For information on upgrading to DSpace 5, please see Upgrading DSpace.
5.3 Release Notes
DSpace 5.3 is a bug fix release to resolve several issues found in DSpace 5.2. As it only provides only bug fixes, DSpace 5.2 should constitute an easy upgrade from DSpace 5.0, 5.1 or 5.2 for most users. Beginning with DSpace 5.x, we also provide an easier upgrade process from any prior version of DSpace (1.x.x, 3.x or 4.x).
Major bug fixes include:
- Search and browse fixes:
- OAI fixes:
- Performing a full OAI import now also cleans the OAI cache (DS-2543)
- Harvested items are now properly imported in OAI (DS-2554)
- Tombstones (deleted item status) are now properly applied for withdrawn items (DS-2593)
(note: this requires 'import' to be run, the OAI event consumer will not create tombstones automatically) - dc.date.available is now properly exposed when using the mets metadata format (DS-2598)
- Authorization policy fixes:
- Custom policies for items in workspace or workflow (eg. embargo lifts) are now ignored by AuthorizeManager (DS-2614)
- NULL Resource Policy types (commonly found when upgrading from DSpace < 3.0) are now handled correctly by AuthorizeManager (DS-2587)
- Item-level versioning now carries across all custom policies in new item versions (eg. embargos) (DS-2358)
- Other notable fixes:
- Optimized "Select Collection" query is now disabled by default as a workaround to ensure special group lookups (LDAP, Shibboleth) work out-of-the-box (DS-2673)
- Resolved issue where citation_pdf_url metadata was NULL for items with multiple bitstreams but no primary bitstream (DS-2603)
- dc.rights metadata is now properly exposed in embedded XHTML head DC (DS-2568)
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
5.2 Release Notes
DSpace 5.2 is a bug fix release to resolve several issues found in DSpace 5.1. As it only provides only bug fixes, DSpace 5.2 should constitute an easy upgrade from DSpace 5.0 or 5.1 for most users. Beginning with DSpace 5.x, we also provide an easier upgrade process from any prior version of DSpace (1.x.x, 3.x or 4.x).
Major bug fixes include:
- Solr statistics upgrade fixes:
- OAI fixes:
- Handle dates correctly in resumption tokens, so that harvesting captures the full specified range. (DS-2546, DS-2582)
- List all authors in METS formatted metadata. (DS-2474)
- Change the declared OAI deletion mode to "transient", which corresponds to what DSpace actually does. (DS-2491)
- Restore the ability to create additional Filters for OAI-PMH interface. (DS-2423)
- REST API fixes:
- Other notable fixes:
- "
dspace update-handle-prefix
" failed when using Oracle DB. (DS-2218) - Do not index items that are still in a submitter's workspace. (DS-2403)
- Remember the context (community, collection) during browsing. (DS-2482)
- Better handle upload of file with a semicolon in its name. (DS-2513)
- EZID DOI minting properly sets the URI of the identified item. (DS-2518)
- "
- Update of the list of robots recognized by DSpace. (DS-2531)
- Update of the list of robots recognized by DSpace. (DS-2531)
In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes in 5.x page.
5.1 Release Notes
We highly recommend any users of DSpace 5.x upgrade to 5.1
DSpace 5.1 contains security fixes for both the XMLUI and JSPUI. To ensure your 5.x site is secure, we highly recommend all DSpace 5.x users upgrade to DSpace 5.1.
We also highly recommend removing any "allowLinking=true" settings from your Tomcat's <Context> configuration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern. The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by this setting.
DSpace 1.x.x, 3.x or 4.x users may wish to consider upgrading directly to DSpace 5.1
Several of the security vulnerabilities patched in DSpace 5.1 (and backported to 4.3 and 3.4) also affect sites running unsupported DSpace 1.x.x releases. In order to ensure your site is patched, we highly recommend upgrading to DSpace 3.4, DSpace 4.3 or DSpace 5.1.
If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace. Therefore, you may wish to consider upgrading directly to DSpace 5.1, as the 5.x upgrade process is simplified.
DSpace 5.1 is a security and bug fix release to resolve several issues located in DSpace 5.0. As it only provides only bug fixes, DSpace 5.1 should constitute an easy upgrade from DSpace 5.0 for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.0 to 5.1.
This release addresses the following security issues discovered in DSpace 5.x and below:
- XMLUI Security Fixes
[HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities (DS-2445 - requires a JIRA account to access for two weeks, and then will be public): These vulnerabilities allow someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2.
Discovered by: Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team
- In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory. In addition, the Tomcat documentation details "allowLinking=true" as a possible security concern. However, you still must upgrade or patch your DSpace in order to completely resolve this vulnerability.
- JSPUI Security Fixes
- [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
- Discovered by Khalil Shreateh
- Discovered by Khalil Shreateh
- [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings (DS-1702 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow a depositor/submitter to embed dangerous Javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has existed since DSpace 1.5.x.
- Discovered by: Jean-Paul Zhao of University of Toronto
- Discovered by: Jean-Paul Zhao of University of Toronto
- [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form (DS-2044 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x
- 4.x / 5.x vulnerability discovered by Gabriela Mircea of McMaster University and Khalil Shreateh
- 3.x vulnerability discovered by İlyas Orak of Biznet Bilisim A.S.
- [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
In addition, this release fixes a variety of minor bugs in the 5.0 release. For more information, see the Changes in 5.x page.
5.0 Release Notes
The following is a list of the new features included for the 5.x platform (not an exhaustive list):
Easier Upgrading to 5.x from ANY previous DSpace version (1.x.x, 3.x or 4.x). Perform Batch Imports from the User Interface (in both XMLUI and JSPUI) XMLUI new features JSPUI new features REST API new features RDF Interface to support Linked (Open) Data (NEW) OAI-PMH interface enhancements / bug fixes See DS-1649 by João Melo Enhanced Thumbnail Quality (disabled by default) See DS-2105 by Terry Brady with the support of Georgetown University Bug fixes / improvements to Biblio-Transformation-Engine (BTE) Kindly contributed by the Greek National Documentation Centre/EKT Enhancements to DOI Support (disabled by default) Apache Solr libraries were upgraded for all interfaces (JSPUI, XMLUI, and OAI) Add a place for third-party JARs / plugins to be "found" by DSpace (disabled by default) See DS-2107 by Mark H. Wood with the support of IUPUI University Library All objects now have metadata support See DS-1582 by Mark H. Wood with the support of IUPUI University Library and Kevin Van de Velde with the support of @mireDSpace 5.0 ships with a number of new features. Certain features are automatically enabled by default while others require deliberate activation.
The following non-exhaustive list contains the major new features in 5.0
A full list of all changes / bug fixes in 5.x is available in the Changes in 5.x section.
The following individuals have contributed directly to this release of DSpace: Adan Roman, Àlex Magaz Graça , Andrea Bollini, Andrea Schweer, Antoine Snyers, Art Lowel, Artur Konczak, Bavo Van Geit, Bram Luyten, Christian Scheible, Christian Völker, Christos Rhodosthenous, Claudia Jürgen , CTU Developers, Denis Fdz, Ed Goulet, Eliana de Mattos Pinto Coelho, Elvi S. Nemiz, Emilio Lorenzo, George Simeonov, Graham Triggs , Hardy Pottinger, Ivan Masár, James Halliday, João Melo, Jon Gibson , Jordan Piščanc, Jozef M. , Keiji Suzuki, Kevin Van de Velde, Kostas Stamatis, Luigi Andrea Pascarelli, Marina Muilwijk, Mark Diggory, Mark H. Wood, Mohamed Mohideen Abdul Rasheed, Monika Mevenkamp, Ondřej Košarko, Panagiotis Koutsourakis , Pascal-Nicolas Becker, Pauline Ward, Paulo Graça , Peter Dietz, Petya Kohts, Philip Vissenaekens, Robert Faling, Robin Taylor, Roeland Dillen, Royopa, Sonmez CELIK, Terry Brady, Thanos Kyritsis, Thomas Misilo, Tiago Murakami, Tim Donohue, and others who reviewed and commented on their work. Many of these could not do this work without the support (release time and financial) of their associated institutions. We offer thanks to those institutions for supporting their staff to take time to contribute to the DSpace project.
A big thank you also goes out to the DSpace Community Advisory Team (DCAT), who helped the developers to prioritize and plan out several of the new features that made it into this release. The current DCAT members include: Augustine Gitonga, Bram Luyten, Bharat Chaudhari, Claire Bundy, Dibyendra Hyoju, Elin Stangeland, Felicity A Dykas, Iryna Kuchma, James Evans, Jim Ottaviani, Kate Dohe, Kathleen Schweitzberger, Leonie Hayes, Lilly Li, Maureen Walsh, Pauline Ward, Roger Weaver, Sarah Molloy, Sarah Potvin, Sarah Shreeves, Steve Van Tuyl, Terry Brady, Valorie Hollister and Yan Han.
We apologize to any contributor accidentally left off this list. DSpace has such a large, active development community that we sometimes lose track of all our contributors. Our ongoing list of all known people/institutions that have contributed to DSpace software can be found on our DSpace Contributors page. Acknowledgments to those left off will be made in future releases.
Want to see your name appear in our list of contributors? All you have to do is report an issue, fix a bug, improve our documentation or help us determine the necessary requirements for a new feature! Visit our Issue Tracker to report a bug, or join dspace-devel mailing list to take part in development work. If you'd like to help improve our current documentation, please get in touch with one of our Committers with your ideas. You don't even need to be a developer! Repository managers can also get involved by volunteering to join the DSpace Community Advisory Team and helping our developers to plan new features.
The Release Team consisted of:
- Peter Dietz (Longsight)
- Hardy Pottinger (U of Missouri)
- Ivan Masár
- Mark H. Wood (Indiana University)
- Robin Taylor (University of Edinburgh)
- Pascal-Nicolas Becker (Technische Universität Berlin)
- Andrea Schweer (Library Consortium of New Zealand)
Additional thanks to Tim Donohue from DuraSpace for keeping all of us focused on the work at hand, for calming us when we got excited, and for the general support for the DSpace project.