Is it possible to update jQuery in xmlui in dspace 5?

cpgr...@gmail.com

Mar 20, 2023, 3:02:35 PM
to DSpace Technical Support
We have been notified by campus network authorities that our dspace server is vulnerable because it is running outdated versions of jQuery. We are in the process of creating a new dspace 7 server to replace this server, but that will not happen in the short time that we have been given to fix this vulnerability.

How can we quickly upgrade jQuery on our server? Where can I find instructions on updating the jQuery software in our xmlui in our instance of dspace 5? Can our build process be modified to bring in more up to date jQuery packages?

EOL/Obsolete Software: jQuery 1.x and 2.x Detected

  • EOL Software:jQuery Version 1.x or 2.x Detected.
    jquery/jquery-1.4.4.min.js

Mark H. Wood

Mar 21, 2023, 11:03:57 AM
to dspac...@googlegroups.com
On Mon, Mar 20, 2023 at 12:02:35PM -0700, cpgr...@gmail.com wrote:
> We have been notified by campus network authorities that our dspace server
> is vulnerable because it is running outdated versions of jQuery. We are in
> the process of creating a new dspace 7 server to replace this server, but
> that will not happen in the short time that we have been given to fix this
> vulnerability.
>
> How can we quickly upgrade jQuery on our server? Where can I find
> instructions on updating the jQuery software in our xmlui in our instance
> of dspace 5? Can our build process be modified to bring in more up to date
> jQuery packages?
>
> EOL/Obsolete Software: jQuery 1.x and 2.x Detected
>
> -
>
> EOL Software:jQuery Version 1.x or 2.x Detected.
> jquery/jquery-1.4.4.min.js

I don't know how much work is required to update to jQuery v3.
Updating across two major releases might break a number of things.

You'll find jQuery (and jQuery UI, which might need updating too) in
various places. There is a copy of jQuery in
'dspace-xmlui/src/main/webapp/static/js' and another in
'dspace-oai/src/main/webapp/static/js'. Some XMLUI themes have their
own copies (of various versions) typically at
'dspace-xmlui/src/main/webapp/themes/THEMENAME/lib'. You will also
need to look for references to specific paths in the 'sitemap.xmap'
for your theme, and update them to the new version.

Replacing the '.js' file and updating the sitemap are the *minimum*
that this task will require. If the newer version(s) break any of
DSpace's usage, you'll need to fix those breakages. Reading the
release notes for jQuery* v2 and v3 may help to focus on possible
problems, but there will be a certain amount of "try updating the
files and see what breaks."

I can say that I've had very little trouble upgrading jQuery UI
*within* major release 1, which may or may not be representative.

I'm sorry that I don't have better news for you.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Michael Plate

Mar 21, 2023, 11:54:24 AM
to dspac...@googlegroups.com
Hi,

On 21.03.23 at 16:03, Mark H. Wood wrote:
> On Mon, Mar 20, 2023 at 12:02:35PM -0700, cpgr...@gmail.com wrote:
>> We have been notified by campus network authorities that our dspace server
>> is vulnerable because it is running outdated versions of jQuery. We are in
>> the process of creating a new dspace 7 server to replace this server, but
>> that will not happen in the short time that we have been given to fix this
>> vulnerability.
>>
>> How can we quickly upgrade jQuery on our server? Where can I find
>> instructions on updating the jQuery software in our xmlui in our instance
>> of dspace 5? Can our build process be modified to bring in more up to date
>> jQuery packages?
>>
>> EOL/Obsolete Software: jQuery 1.x and 2.x Detected
>>
>> -
>>
>> EOL Software:jQuery Version 1.x or 2.x Detected.
>> jquery/jquery-1.4.4.min.js
>
> I don't know how much work is required to update to jQuery v3.
> Updating across two major releases might break a number of things.
[…]

It seems we have the same problem; ours is jQuery 1.10.2 (by
package.json), and a good place to start seems to be scripts.xml in the
theme folder.

Searched a bit and found this

https://www.cvedetails.com/vulnerability-list/vendor_id-6538/Jquery.html


and this


https://www.computerminds.co.uk/articles/upgrading-jquery-1x-version-3x

Presumably DSpace 6.x is affected too?

I'll try inspecting on our test-version tomorrow…

Tim Donohue

Mar 21, 2023, 3:09:11 PM
to DSpace Technical Support
Hi all,

DSpace 6.4 included fixes to upgrade both the JSPUI and XMLUI to use jQuery 3, see https://github.com/DSpace/DSpace/pull/2918

This work was never ported to DSpace 5.x (and 5.x is now end-of-life, so that port will never occur).  That said, it might be possible to manually port this in your local 5.x instance simply by making the same changes as were made in that PR. While the PR looks massive, it is mostly replacing the old jQuery files with the new ones & making some relatively minor updates to the DSpace code.

Another option is to consider upgrading to 6.4, or even to 7.x in the near future.

Tim
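
An inventory pass over the locations named in this thread, as an added example that is not part of any post and is not DSpace project code: it lists every bundled jquery*.js with the version taken from its file name or banner comment, flags core copies on the 1.x/2.x branches the scanner reported, and shows where sitemap.xmap, scripts.xml and package.json mention jQuery. The function names and the source-root argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: inventory bundled jQuery copies in a DSpace source tree.
# The source root passed as $1 is an assumption; point it at your checkout.

# classify FILE -> core | ui | plugin, judged from the file name only
classify() {
    case $(basename "$1" | tr 'A-Z' 'a-z') in
        jquery-ui*|jquery.ui*)                  echo ui ;;
        jquery.js|jquery.min.js|jquery-[0-9]*)  echo core ;;
        *)                                      echo plugin ;;
    esac
}

# version_of FILE -> version from the file name, else from the banner comment
version_of() {
    v=$(basename "$1" | sed -n 's/^[^0-9]*-\([0-9][0-9.]*[0-9]\).*$/\1/p')
    [ -n "$v" ] || v=$(head -c 2048 "$1" |
        grep -Eo 'jQuery[A-Za-z -]* v[0-9]+(\.[0-9]+)+' | head -n 1 | sed 's/.* v//')
    echo "${v:-unknown}"
}

# list_jquery_copies SRC_ROOT -> "kind<TAB>version<TAB>path" per jquery*.js file
list_jquery_copies() {
    find "$1" -type f -iname 'jquery*.js' \
        ! -path '*/node_modules/*' ! -path '*/target/*' | sort |
    while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(classify "$f")" "$(version_of "$f")" "$f"
    done
}

# eol_core_copies SRC_ROOT -> core copies whose major version is 1 or 2,
# the branches the scanner report quoted in the thread calls EOL
eol_core_copies() {
    list_jquery_copies "$1" | awk -F '\t' '$1 == "core" && $2 ~ /^[12]\./'
}

# list_jquery_references SRC_ROOT -> file:line:text for each mention of jQuery
# in the files the thread names: sitemap.xmap, scripts.xml, package.json
list_jquery_references() {
    find "$1" -type f \( -name sitemap.xmap -o -name scripts.xml \
        -o -name package.json \) ! -path '*/node_modules/*' \
        ! -path '*/target/*' -exec grep -Hni 'jquery' {} + | sort
}

# Run as: sh jquery-inventory.sh /path/to/dspace-source
if [ -n "${1:-}" ]; then
    list_jquery_copies "$1"
    list_jquery_references "$1"
fi
```

jQuery UI copies are reported separately from core because their version numbers follow a different scheme; rerun the inventory after replacing files to confirm no old copy or stale path reference remains.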
