Now available: DSpace 5.5 release, providing security fixes and bug fixes to 5.x


Tim Donohue

Mar 21, 2016, 1:04:35 PM
to DSpace Community, DSpace Tech Support, DSpace Developers
Dear DSpace Community:
 
On behalf of the DSpace developers, I would like to formally announce that DSpace 5.5 is now available.

DSpace 5.5 provides security fixes to both the XMLUI and JSPUI, along with bug fixes to the DSpace 5.x platform.
 
DSpace 5.5 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-5.5
5.5 Release notes are available at: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes

In addition, you are welcome to try out DSpace 5.5 on http://demo.dspace.org/

5.5 Bug Fixes

  • XMLUI security fixes
    • [HIGH SEVERITY] The XMLUI "themes" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA/Wiki account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace site. This XMLUI vulnerability has existed since DSpace 1.5.x, and was discovered by Virginia Tech.
  • JSPUI security fixes
    • [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA/Wiki account to access.)  This JSPUI vulnerability has existed since DSpace 4.0, and was discovered by CINECA.
  • REST fixes
    • Fixed the "/handle" endpoint (DS-2936)
    • REST webapp wasn't registering itself on startup (DS-2946)
  • OAI fixes
    • Fixed a few incorrect URL encoding issues (DS-3050)
    • Fixed the broken "NOT" filter (DS-2820)
  • Configuration fixes
    • Fixed misspelling in dcterms registry (conformsTo) (DS-2998) 
    • Updated our default DataCite configurations to point at the updated DataCite test server (DS-2923)
  • Other minor fixes
    • Broken SQL query in Item.findByMetadataFieldAuthority API method (DS-2517)
    • Mirage2: Ensured printing the item page from doesn't include bitstream URLs (DS-2893)

For much more information on each of these and other fixes, please visit our 5.x Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes

5.5 Documentation

The DSpace 5.x documentation is available online at: https://wiki.duraspace.org/display/DSDOC5x/
 
A PDF copy of the documentation can also be downloaded from: https://github.com/DSpace/DSpace/releases/download/dspace-5.5/DSpace-Manual.pdf

5.5 Acknowledgments

The DSpace application would not exist without the hard work and support of the community. Thank you to the many developers who have worked very hard to deliver all the new features and improvements. Also thanks to the users who provided input and feedback on the development.

The 5.5 release was led by the Committers.

The following individuals provided code or bug fixes to the 5.5 release: Pascal-Nicolas Becker (pnbecker), Andrea Bollini (abollini), Tim Donohue (tdonohue), Claudia Juergen (cjuergen), Bram Luyten (bram-atmire), Ivan Masar (helix84), Dylan Meeus (DylanMeeus), AmberPoo1, Christian Scheible (christian-scheible), Tim Van de Langenbergh (tim-atmire), Mark Wood (mwoodiupui)

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were accidentally not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.5!

Sincerely,

Tim Donohue (on behalf of the DSpace Committers)
-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
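
As an added example (not part of the original announcement and not DSpace project code): a sketch for reviewing web access logs for traversal attempts against the XMLUI "themes" path described under DS-3094. The combined log format, the `/xmlui` context path, the theme name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request part of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})'
)

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_theme_traversal(raw_path):
    """True if the request targets a themes path and has a '..' segment after it."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    segments = path.split("/")
    return "themes" in segments and ".." in segments[segments.index("themes"):]

def scan(lines):
    """Return (client, raw_path, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_theme_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Mar/2016:10:00:01 +0000] "GET /xmlui/themes/sample-theme/lib/style.css HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Mar/2016:10:00:05 +0000] "GET /xmlui/themes/../../example.txt HTTP/1.1" 200 812',
    '198.51.100.7 - - [20/Mar/2016:10:00:06 +0000] "GET /xmlui/themes/%2e%2e/%2e%2e/example.txt HTTP/1.1" 404 0',
    '198.51.100.7 - - [20/Mar/2016:10:00:07 +0000] "GET /xmlui/themes/%252e%252e%252fexample.txt HTTP/1.1" 404 0',
    '192.0.2.11 - - [20/Mar/2016:10:00:09 +0000] "GET /xmlui/handle/123456789/1 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for client, path, status in scan(SAMPLE_LOG):
        # A 200 means the server answered the request and deserves a closer look.
        outcome = "SERVED" if status == 200 else "rejected"
        print(f"{client} {status} {outcome} {path}")
```

Hits with a 200 status on an unpatched instance are the ones to investigate first, since they indicate a file outside the themes directory may have been returned.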

Andrea Bollini

Apr 6, 2016, 9:00:32 AM
to Francis Brouns, DSpace Technical Support, dspace-c...@googlegroups.com, dspace...@googlegroups.com
Hi Francis,
you missed updating the dspace-api.jar inside your jspui, oai, rest webapps.
Andrea

On 06/04/2016 14:02, Francis Brouns wrote:
Dear Tim,

should it be possible to only install the patch for DS3063? When I try to do that I get error messages warning that the bean can't be created.

Currently running DSpace 5.4, JSPui, Oracle, java 7, tomcat 7. Replaced the 4 files from the patch in dspace-54-src-release, ran mvn -U clean package, copied config file and new lib file to dspace installation directory (manually or via ant update).

best wishes, Francis 


-- 
Andrea Bollini
International Business Development, Deputy Leader
Open Source & Open Standards Strategy, Head
Cineca

Via dei Tizii, 6
00185 Roma, Italy
tel. +39 06 44 486 087 - mob. +39 348 82 77 525
http://www.cineca.it 