Now Available: DSpace 6.4 release, providing bug/security fixes to 6.x


Tim Donohue

Jul 29, 2022, 9:34:00 AM
to DSpace Community, DSpace Technical Support, DSpace Developers
Dear DSpace Community,

On behalf of the DSpace developers, I would like to formally announce that DSpace 6.4 is now available. DSpace 6.4 provides security fixes, bug fixes and improvements to the DSpace 6.x platform.

We highly recommend all DSpace 6.x users upgrade to 6.4, or manually patch the security issues listed below.

DSpace 6.4 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-6.4


Security fixes include:

  • [HIGH] CVE-2022-31195 (impacts XMLUI and JSPUI): Path traversal vulnerability in Simple Archive Format package import (ItemImportService API)
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31194 (impacts JSPUI only): The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks.
    • Reported by Johannes Moritz of Ripstech
  • [HIGH] CVE-2022-31193 (impacts JSPUI only): The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack.
    • Reported by Johannes Moritz of Ripstech
  • [MODERATE] CVE-2022-31191 (impacts JSPUI only): The JSPUI spellcheck "Did you mean" HTML and autocomplete HTML are vulnerable to Cross Site Scripting (XSS).
    • Reported by Hassan Bhuiyan, Brunel University London
  • [MODERATE] CVE-2022-31192 (impacts JSPUI only): The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
    • Reported by Andrea Bollini of 4Science
  • [LOW] CVE-2022-31189 (impacts JSPUI only): When an "Internal System Error" occurs in the JSPUI, the entire exception (including stack trace) is available. Information in this stack trace may be useful to an attacker in launching a more sophisticated attack.
    • Reported by Johannes Moritz of Ripstech
  • [LOW] CVE-2022-31190 (impacts XMLUI only): Metadata of withdrawn Items is exposed to anonymous users in XMLUI.
    • Reported by David Cavrenne of Atmire
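The first item above concerns path traversal in Simple Archive Format (SAF) import. As an added illustration of the kind of containment check an importer needs (this is not DSpace's own ItemImportService code), the snippet below validates bitstream names from a SAF item's `contents` file; it assumes the documented SAF layout where the first tab-separated field of each `contents` line is the file name, and the sample lines and paths are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Illustrative containment check for SAF bitstream names (added example, not DSpace code). */
public final class SafContentsCheck {

    /** Returns the resolved bitstream path, or throws if the name would escape itemDir. */
    static Path resolveBitstream(Path itemDir, String contentsLine) {
        // A SAF "contents" line is "<filename>[\tbundle:<name>][\t...]" (assumed format);
        // only the first tab-separated field names the file.
        String name = contentsLine.split("\t", 2)[0].trim();
        if (name.isEmpty()) {
            throw new IllegalArgumentException("empty file name in contents");
        }
        // A bitstream must be a plain file name: reject separators and absolute paths outright.
        if (name.contains("/") || name.contains("\\") || Paths.get(name).isAbsolute()) {
            throw new IllegalArgumentException("bitstream name must not contain a path: " + name);
        }
        Path base = itemDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        // Defence in depth: after normalisation the file must still be a direct child of itemDir
        // (catches "." / ".." and any platform-specific oddities the string check missed).
        if (target.getParent() == null || !target.getParent().equals(base)) {
            throw new IllegalArgumentException("bitstream resolves outside item directory: " + name);
        }
        return target;
    }

    public static void main(String[] args) {
        Path itemDir = Paths.get("saf-package", "item_000");   // constructed sample item directory
        String[] contents = {                                   // constructed sample "contents" lines
            "thesis.pdf\tbundle:ORIGINAL",                      // expected: accepted
            "license.txt\tbundle:LICENSE",                      // expected: accepted
            "../../outside.txt",                                // relative traversal: rejected
            "/tmp/outside.txt",                                 // absolute path: rejected
            "..\tbundle:ORIGINAL"                               // parent directory: rejected
        };
        for (String line : contents) {
            try {
                System.out.println("accepted: " + resolveBitstream(itemDir, line));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting the name before touching the filesystem matters: a check that runs only after the file has been opened or copied is too late.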

Major bug fixes include:

  • Database fixes:
  • XMLUI fixes:
    • Add noindex HTML meta tag to prevent robots from indexing private items: DS-1980 (#5346)
    • Update Mirage2 build to support Node.js 14 LTS: #8331
    • Update confidence when manually editing authority controlled metadata values: DS-4580 (#7913)
    • Fix breaking of feedback link on sites without a sub-domain: DS-4362 (#7701)
    • Improve performance of item counter (aka "strengths"): DS-3976 (#7323)
    • Fix jumping to a specific year in search results when site is not using the default sort order: DS-4208 (#7548)
    • Fix word-break CSS class: DS-4190 (#2374)
    • Improvements and bug fixes to starts_with parameter on browse pages: DS-4201, DS-3945 (#2113)
    • Re-enable HTTP Ranges support: DS-4579 (#3228)
    • Fix Known/Supported labels in UploadStep/UploadWithEmbargoStep: DS-4293 (#2465)
    • Fix Discovery label for metadata values under authority control: DS-2852 (#1800)
    • Fix incorrect escaping of citation_ meta tags: DS-4135 (#2317)
    • Fail gracefully if the Creative Commons API is down: DS-2569 (#2977)
    • Respect primary bitstreams with text/html mime types in Mirage2 item view: DS-3888 (#2021)
    • Use null for empty language when editing item metadata: DS-4169 (#2350)
    • Properly show results for 0-9 link in Browse: DS-4291 (#2463)
    • Fix missing date values while faceting: DS-3791 (#1901)
    • Fix support for custom sitemap.xmap in Mirage 2: DS-3545 (#1690)
    • Fix broken "reset" button in Discovery advanced search filters: #8330
    • Fix incorrect totals on Discovery "view more" page: DS-3881 (#2371)
  • JSPUI fixes:
  • Other API-level fixes (affecting all UIs):
    • Improve Solr search results for Discovery contains queries by using double quotes instead of brackets: DS-4271 (#7611)
    • Add a check to make sure the source and target collections are not the same when moving an item: #8055
    • Avoid exporting metadata of mapped Item more than once: #7988
    • Make sure "Save and Exit" in workflow actually saves changes to the database: DS-4157 (#7499)
    • Fix NullPointerException in ORCIDv2 API responses with missing data: DS-3998 (#7345)
    • Fix NullPointerException when selecting items published today in initial questions step: DS-4238 (#7668)
    • Fix NullPointerException on empty sub-communities in metadata-export: DS-4211 (#2396)
    • Fix "homepage" Discovery configuration not being used due to missing IDs: DS-3725 (#7072)
    • Fix ingesting items without a license not using the default license: DS-3643 (#6992)
    • Prevent empty string assignment for language when importing a SAF bundle: DS-4493 (#2753)
    • Fix searching for text values containing diacritics: DS-4034 (#2276)
    • Fix for view permissions when Anonymous is a sub-group: DS-4534 (#2832)
    • FindByValue should pass in value, not qualifier: DS-4073 (#2699)
    • Fix exception when harvesting by UUID: DS-4353 (#2537)
    • Fix NullPointerException in "request a copy" function: DS-4032 (#2452)
  • REST API fixes:
    • Fix Maven build issue due to blocking of plaintext HTTP repositories: #3247
    • Return items in deterministic order: DS-3849 (#2501)
    • Improve performance of collections endpoints: DS-4342 (#2516)
    • Fix schema registry lookup with null qualifier: #7993

Additional bug fixes and improvements can be found in the release notes at https://wiki.lyrasis.org/display/DSDOC6x/Release+Notes

6.4 Acknowledgments

The 6.4 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs).

The following individuals provided tests, code, bug fixes, or review to the 6.4 release (in alphabetical order by given name): Alan Orth, Alexander Sulfrian, Andrea Bollini, Andrea Jenis Saroni, Andrew Wood, Anis, Bram Luyten, Chris Herron, Chris Wilper, Cornelius Matějka, Francesco Pio Scognamiglio, Giuseppe Digilio, Hrafn Malmquist, Huma Zafar, Iordanis Kostelidis, Istvan Vig, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Leonardo Guerrero, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Martin Walk, Nicholas Woodward, Pascal-Nicolas Becker, Paulo Graça, Philip Vissenaekens, PTrottier, Saiful Amin, Samuel, santit96, ssolim, Terry Brady, Tim Donohue, Toni Prieto.


A detailed listing of all known people/institutions who contributed directly to DSpace 6.x is available in the Release Notes. If you contributed and were not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 6.4!

Sincerely,

Tim Donohue (on behalf of the DSpace Committers)

--

Tim Donohue (he/him)

Technical Lead, DSpace

tim.d...@lyrasis.org

Lyrasis.org | DSpace.org


