Now Available: DSpace 5.11 release, providing bug/security fixes to 5.x


Tim Donohue

Jul 29, 2022, 9:40:54 AM7/29/22
to DSpace Community, DSpace Technical Support, DSpace Developers
Dear DSpace Community,

On behalf of the DSpace developers, I would like to formally announce that DSpace 5.11 is now available. DSpace 5.11 provides security fixes, bug fixes and improvements to the DSpace 5.x platform.

We highly recommend all DSpace 5.x users upgrade to 5.11, or manually patch the security issues listed below.

DSpace 5.11 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-5.11

5.11 Release notes are available at: https://wiki.lyrasis.org/display/DSDOC5x/Release+Notes

Security fixes include:

  • [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI): Path traversal vulnerability in Simple Archive Format package import (ItemImportService API)
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31194 (impacts JSPUI only): The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks.
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31193 (impacts JSPUI only): The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack.
    • Reported by Johannes Moritz of Ripstech
  • [MODERATE] CVE-2022-31191 (impacts JSPUI only): The JSPUI spellcheck "Did you mean" HTML and autocomplete HTML are vulnerable to Cross Site Scripting (XSS).
    • Reported by Hassan Bhuiyan, Brunel University London
  • [MODERATE] CVE-2022-31192 (impacts JSPUI only): The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
    • Reported by Andrea Bollini of 4Science

Major bug fixes include:


Additional bug fixes and improvements can be found in the release notes at https://wiki.lyrasis.org/display/DSDOC5x/Release+Notes

5.11 Acknowledgments

The 5.11 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs)

The following individuals provided tests, code or bug fixes or review to the 5.11 release (in alphabetical order by given name): Andrea Bollini, Andrea Jenis Saroni, Andrew Bennet, Bram Luyten, Hrafn Malmquist, Iordanis Kostelidis, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Pascal-Nicolas Becker, Philip Vissenaekens, samuel, Terry Brady, Tim Donohue.

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were not listed, please let us know so that we can correct it!


As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.11!

Sincerely,


Tim Donohue (on behalf of the DSpace Committers)


--

Tim Donohue (he/him)

Technical Lead, DSpace

tim.d...@lyrasis.org

Lyrasis.org | DSpace.org


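The announcement above lists three vulnerability classes (path traversal, open redirect, reflected XSS) but, as an announcement, does not show what the corresponding input guards look like. The following is an added example written for this page; it is not DSpace code and not taken from the 5.11 patches. It demonstrates the generic checks a Java servlet or import routine would apply for each class. The class name `InputGuards`, the method names, and the sample file names and redirect targets are all constructed for illustration and are not DSpace identifiers.

```java
// Added example (not DSpace code): generic guards for the vulnerability classes
// named in the DSpace 5.11 announcement. All names here are illustrative.
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;

public class InputGuards {

    // Path traversal class (the package-import and resumable-upload CVEs):
    // resolve a user-supplied relative name (e.g. a file name read from an
    // archive manifest, or an upload chunk name) under baseDir, and accept it
    // only if the canonical result is strictly inside baseDir.
    public static File resolveInside(File baseDir, String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty()) {
            throw new IOException("empty path");
        }
        // getCanonicalFile() collapses "." and ".." and follows symlinks, so the
        // component-wise startsWith() on the result is a meaningful containment test.
        Path base = baseDir.getCanonicalFile().toPath();
        Path target = new File(baseDir, userPath).getCanonicalFile().toPath();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("path escapes base directory: " + userPath);
        }
        return target.toFile();
    }

    // Open redirect class (the controlled vocabulary servlet CVE): accept a
    // redirect target only if it is a site-relative path. Anything with a
    // scheme or authority, and the scheme-relative "//host" form that browsers
    // treat as absolute, falls back to a fixed safe location.
    public static String safeRedirectTarget(String target, String fallback) {
        if (target == null || target.isEmpty()) {
            return fallback;
        }
        try {
            URI uri = new URI(target);
            if (uri.getScheme() != null || uri.getAuthority() != null
                    || uri.getPath() == null || !uri.getPath().startsWith("/")
                    || target.startsWith("//")) {
                return fallback;
            }
            return uri.normalize().toString();
        } catch (URISyntaxException e) {
            // Backslashes, control characters etc. are rejected by the URI parser.
            return fallback;
        }
    }

    // XSS class (the spellcheck/autocomplete and "Request a Copy" CVEs):
    // escape a query term or form field before echoing it into an HTML body
    // or attribute value.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs; the temp directory stands in for an import root.
        File base = Files.createTempDirectory("import-root").toFile();
        String[] names = {"item_001/dublin_core.xml", "../../etc/passwd", "a/../../outside", "."};
        for (String n : names) {
            try {
                System.out.println("ALLOW " + n + " -> " + resolveInside(base, n));
            } catch (IOException e) {
                System.out.println("DENY  " + n + " (" + e.getMessage() + ")");
            }
        }
        String[] targets = {"/handle/123/456", "//evil.example/", "https://evil.example/", "javascript:alert(1)"};
        for (String t : targets) {
            System.out.println("redirect " + t + " -> " + safeRedirectTarget(t, "/"));
        }
        System.out.println(escapeHtml("<script>alert('x')</script>"));
    }
}
```

Compile and run with `javac InputGuards.java && java InputGuards`. The design choice worth noting is that `resolveInside` compares canonical paths component-wise rather than doing a string prefix check: a prefix check on `/srv/import` would wrongly accept `/srv/import2/x`, and a check on the raw user string would miss symlinks and encoded separators that only show up after canonicalization.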
