Thanks, Tim! I'll keep an eye out for the announcement.

Priscilla

On Wed, Jul 3, 2024 at 3:41 PM DSpace Community < [email protected]> wrote:

> Hi Priscilla,
>
> DSpace 7.6.2 is nearly finished and is likely to arrive in about one week's time (assuming all goes as planned). Keep an eye out for the release announcement on or around July 10th.
>
> Tim
>
> On Wednesday, July 3, 2024 at 12:14:23 PM UTC-5 [email protected] wrote:
>
>> Hi Tim,
>>
>> Is there a timeline for the release of 7.6.2? My institution is looking to upgrade to 7.6, but we would prefer to migrate to a secure version of DSpace.
>>
>> Kind regards,
>>
>> Priscilla
>>
>> On Tuesday, June 25, 2024 at 9:41:20 AM UTC-4 Tim Donohue wrote:
>>
>>> All,
>>>
>>> A new DSpace 7 security advisory has been released.
>>>
>>> *CVE-2024-38364 : Cross Site Scripting (XSS) possible via a deposited HTML/XML document with embedded JavaScript*
>>> https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf
>>>
>>> - *Severity: Low*
>>> - *Impacts versions 7.0 through 7.6.1* only (1.x - 6.x are not affected)
>>> - *Fixed in 8.0 and 7.6.2* *(coming soon)*
>>> - Workarounds / patches are available for all 7.x releases (see linked advisory above for all the details)
>>>
>>> *We recommend that all DSpace 7.x sites immediately apply patches or upgrade.* Sites which allow for unmonitored submissions (i.e. allowing items to go public *without* any workflow approval) are more likely to be vulnerable. The attacker *must already have submitter privileges* in your DSpace repository. CORS and CSRF protections built into DSpace 7 help limit the impact of the attack.
>>>
>>> If you have any questions about this security advisory, please email [email protected]. This email address sends a private email to all DSpace Committers.
>>>
>>> Sincerely,
>>>
>>> Tim Donohue, on behalf of the DSpace Committers
>>>
>>> *--*
>>>
>>> *Tim Donohue* (he/him)
>>>
>>> Technical Lead, DSpace
>>>
>>> [email protected]
>>>
>>> Lyrasis.org <https://www.lyrasis.org/> | DSpace.org <http://dspace.org>
>>>
>> --
> All messages to this mailing list should adhere to the Code of Conduct:
> https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
> ---
> You received this message because you are subscribed to the Google Groups "DSpace Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/dspace-community/671730e3-7a0f-45ff-943a-2b3006c3cf4fn%40googlegroups.com
> <https://groups.google.com/d/msgid/dspace-community/671730e3-7a0f-45ff-943a-2b3006c3cf4fn%40googlegroups.com?utm_medium=email&utm_source=footer>.
