All,
In recent weeks, two different security vulnerabilities were
discovered in the XMLUI and JSPUI.
WE RECOMMEND ALL SITES UPGRADE TO EITHER DSPACE 3.6, 4.5 OR 5.5 to
ensure your site is secure. (Please note that the DSpace 5.5 release
also includes bug fixes to the 5.x platform.)
* DSpace 5.5
o Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
o Download: https://github.com/DSpace/DSpace/releases/tag/dspace-5.5
* DSpace 4.5
o Release Notes: https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
o Download: https://github.com/DSpace/DSpace/releases/tag/dspace-4.5
* DSpace 3.6
o Release Notes: https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.6+Notes
o Download: https://github.com/DSpace/DSpace/releases/tag/dspace-3.6
Summary of XMLUI Vulnerability (affects 1.5.x and above):
* [HIGH SEVERITY] The XMLUI "themes" path is vulnerable to a full
directory traversal. (DS-3094
https://jira.duraspace.org/browse/DS-3094 - requires a JIRA/Wiki
account to access.) This means that ANY files on your system which
are readable to the Tomcat user account may be publicly accessed via
your DSpace site. This XMLUI vulnerability has existed since DSpace
1.5.x, and was discovered by Virginia Tech.
o While we highly recommend upgrading, patches are also available
by visiting the ticket linked above (requires a JIRA/Wiki
account to access).
o As 1.5.x, 1.6.x, 1.7.x and 1.8.x sites are also affected, we
recommend 1.x.x sites consider upgrading to 5.x or manually
applying a patch. Beginning with DSpace 5.x, we now provide an
easier upgrade process from any prior version of DSpace (1.x.x,
3.x or 4.x). See the 5.x release notes for more information:
https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
Summary of JSPUI Vulnerability (affects 4.x and above):
* [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to
Administrators) can be used to view/edit ANY files which are
readable to the Tomcat user account. (DS-3063
https://jira.duraspace.org/browse/DS-3063 - requires a JIRA/Wiki
account to access.) This JSPUI vulnerability has existed since
DSpace 4.0, and was discovered by CINECA.
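Both issues above come down to the same defect: a file name taken from the request (a theme resource path, or the name of a news file to edit) is joined onto a directory without checking that the result still lies inside that directory. The snippet below is an added illustration of the containment check that closes that gap, written for this announcement and not taken from DSpace's own code or its patches. It assumes nothing about DSpace internals: the directory layout, the "Mirage" theme folder, the news-file allowlist and the secret file are all constructed for the demonstration. The check works on the canonical path (`..` and symlinks resolved), so a `../` sequence, a percent-encoded variant, an absolute path, a NUL byte, or a symlink planted inside the served directory are all rejected, and the stricter allowlist variant is what an admin-only "edit this file" feature should use instead of accepting arbitrary names.

```python
"""Path-containment check for a handler that serves files from a fixed
directory, plus an allowlist variant for an admin file-editing feature.
Added example for this announcement; not DSpace code."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathOutsideRoot(ValueError):
    """The requested name would resolve to a file outside the permitted directory."""


def resolve_under_root(root, requested):
    """Map an untrusted, URL-style relative name onto a file under ``root``.

    The containment test is done on the canonical path (``..`` and symlinks
    resolved), not on the string, so lexical tricks and symlinks inside the
    root cannot reach files elsewhere on the filesystem.
    """
    root_real = Path(root).resolve(strict=True)
    decoded = unquote(requested)  # one round of %-decoding, as a servlet container does
    if "\x00" in decoded:
        # a NUL byte is never part of a legitimate file name
        raise PathOutsideRoot(requested)
    if decoded.startswith(("/", "\\")) or os.path.isabs(decoded):
        # joining an absolute path onto root would silently discard root
        raise PathOutsideRoot(requested)
    candidate = (root_real / decoded).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise PathOutsideRoot(requested)
    return candidate


def resolve_allowlisted(root, requested, allowed_names):
    """Stricter variant for an admin editing feature: only the named files
    exist as far as the handler is concerned, everything else is refused."""
    if requested not in allowed_names:
        raise PathOutsideRoot(requested)
    return resolve_under_root(root, requested)


def demo_results():
    """Build a throwaway tree (constructed data) and exercise the checks.
    Returns a dict mapping each case to True (served) or 'rejected'."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp).resolve()
        root = tmp / "themes"
        (root / "Mirage").mkdir(parents=True)
        (root / "Mirage" / "style.css").write_text("body {}")
        secret = tmp / "secret.txt"  # readable to the process, but outside root
        secret.write_text("not for the web")
        (root / "escape").symlink_to(secret)  # symlink inside root, target outside

        def attempt(name):
            try:
                return resolve_under_root(root, name).is_file()
            except PathOutsideRoot:
                return "rejected"

        outcomes["legit"] = attempt("Mirage/style.css")
        outcomes["dotdot"] = attempt("Mirage/../../secret.txt")
        outcomes["encoded"] = attempt("Mirage/%2e%2e/%2e%2e/secret.txt")
        outcomes["absolute"] = attempt(str(secret))
        outcomes["symlink"] = attempt("escape")
        outcomes["nul"] = attempt("Mirage/style.css\x00.txt")
        try:
            # an editing feature should only ever touch names it was built for
            resolve_allowlisted(root, "Mirage/style.css", {"news-top.html", "news-side.html"})
            outcomes["allowlist"] = True
        except PathOutsideRoot:
            outcomes["allowlist"] = "rejected"
    return outcomes


if __name__ == "__main__":
    for case, result in demo_results().items():
        print(f"{case:10s} {result}")
```

The symlink case is the one a purely string-based filter misses: the name `escape` contains no dots or slashes at all, yet it points outside the directory, which is why the check is made after `resolve()` rather than before the join.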
As these vulnerabilities are now considered "public", questions may be
asked on our DSpace Tech Support mailing list
(https://groups.google.com/forum/#!forum/dspace-tech) or on the
tickets themselves.
We also welcome private security reports, concerns or questions via our
new security contact address ([email protected]).
Sincerely,
Tim Donohue (on behalf of the DSpace Committers)
--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
--
You received this message because you are subscribed to the Google Groups "DSpace
Community" group.