Dear DSpace Community:
On behalf of the DSpace developers, I would like to formally announce
that DSpace 5.6 is now available. DSpace 5.6 provides security fixes to
the XMLUI, JSPUI and REST API, along with bug fixes to the DSpace 5.x
platform.
* DSpace 5.5 can be downloaded immediately from:
https://github.com/DSpace/DSpace/releases/tag/dspace-5.6
* 5.5 Release notes are available at:
https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
5.6 Security / Bug Fixes
* General security fixes
o /[MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in
pdfbox. /(DS-3309 <https://jira.duraspace.org/browse/DS-3309> -
requires a JIRA account to access.) This vulnerability was
discovered in the 'pdfbox' software and more details can be
found at https://www.cvedetails.com/cve/CVE-2016-2175/. Prior
versions of DSpace can easily patch this issue by updating the
version of 'pdfbox' used by your DSpace (see ticket for
details). This vulnerability affects all versions of DSpace
that use pdfbox. It was discovered by Seth Robbins
o /[MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn
items can be accessed by anyone (via JSPUI, XMLUI or REST).
(DS-3097 <https://jira.duraspace.org/browse/DS-3097> - requires
a JIRA account to access). /This vulnerability could allow
anonymous users to read embargoed or withdrawn files, via direct
URL access when "request-a-copy" is disabled (which is not the
default). This vulnerability affects DSpace 4.x and 5.x, and was
discovered by Franziska Ackermann
* Additional JSPUI security fixes
o /[HIGH SEVERITY] Any registered user can modify in progress
submission. (DS-2895 <https://jira.duraspace.org/browse/DS-2895>
- requires a JIRA account to access.) /This vulnerability could
allow registered users to edit others in-progress submissions,
provided//that they could guess the internal ID of the
submission. This vulnerability affects DSpace 1.5.x up to (and
including) 5.x and was discovered by Andrea Bollini of 4Science.
* Additional REST security fixes
o /[HIGH SEVERITY] //SQL Injection Vulnerability in 5.x REST
API (DS-3250 <https://jira.duraspace.org/browse/DS-3250> /-
requires a JIRA account to access.) //This vulnerability affects
DSpace 5.x only and was discovered by Bram Luyten of Atmire.
* JSPUI bug fixes
o JSPUI: Creative Commons license fails with fetch directy the url
(instead use the Creative Commons REST API) (DS-2604
<https://jira.duraspace.org/browse/DS-2604>)
o JSPUI: Upload a file, multifile, with a description text during
the submission process (DS-2623
<https://jira.duraspace.org/browse/DS-2623>)
o JSPUI: Bug fix to EPerson popup (DS-2968
<https://jira.duraspace.org/browse/DS-2968>)
* XMLUI bug fixes
o XMLUI: Recyclable Cocoon components should clear local variables
(DS-3246 <https://jira.duraspace.org/browse/DS-3246>)
o XMLUI: "Request a copy" feature was not working when the
property request.item-type was set to all (DS-3294
<https://jira.duraspace.org/browse/DS-3294>)
o XMLUI: Bug fix to policy search form (DS-3206
<https://jira.duraspace.org/browse/DS-3206>)
* Other minor fixes and improvements
o METSRightsCrosswalk NPE During AIP Restore - No Anonymous Read
(DS-3140 <https://jira.duraspace.org/browse/DS-3140>)
o AIP Restore is not respecting access restrictions (on Items)
(DS-3266 <https://jira.duraspace.org/browse/DS-3266>)
o Error when missing Context Description in xoai.xml (DS-2874
<https://jira.duraspace.org/browse/DS-2874>)
o Bug fix to REST API 'find-by-metadata-field' (DS-3248
<https://jira.duraspace.org/browse/DS-3248>)
For much more information on each of these and other fixes, please visit
our 5.x Release Notes:
https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
<https://wiki.duraspace.org/>
5.6 Documentation
The DSpace 5.x documentation is available online at:
https://wiki.duraspace.org/display/DSDOC5x/
A PDF copy of the documentation can also be downloaded from:
https://github.com/DSpace/DSpace/releases/download/dspace-5.6/DSpace-Manual.pdf
5.6 Acknowledgments
The DSpace application would not exist without the hard work and support
of the community. Thank you to the many developers who have worked very
hard to deliver all the new features and improvements. Also thanks to
the users who provided input and feedback on the development.
The 5.6 release was led by the Committers.
The following individuals provided code or bug fixes to the 5.6 release:
Andrea Bollini (abollini), Tim Donohue (tdonohue), Ivan Masar (helix84),
Oriol Olive (oooriii), Luigi Andrea Pascarelli (lap82), Hardy Pottinger
(hardyoyo), Andrea Schweer (aschweer), William Tantzen (wilee53), Mark
Wood (mwoodiupui), Bruno Nocera Zanette
A detailed listing of all known people/institutions who contributed
directly to DSpace 5.x is available in the Release Notes. If you
contributed and were accidentally not listed, please let us know so that
we can correct it!
As always, we are happy to hear back from the community about DSpace.
Please let us know what you think of 5.6!
Sincerely,
Tim Donohue (on behalf of the DSpace Committers)
--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
--
You received this message because you are subscribed to the Google Groups "DSpace
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to dspace-community+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-community@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-community.
For more options, visit https://groups.google.com/d/optout.
