Dear DSpace Community:

On behalf of the DSpace developers, I would like to formally announce that DSpace 5.6 is now available. DSpace 5.6 provides security fixes to the XMLUI, JSPUI and REST API, along with bug fixes to the DSpace 5.x platform.

 * DSpace 5.5 can be downloaded immediately from:
 * 5.5 Release notes are available at:

     5.6 Security / Bug Fixes

 * General security fixes
     o /[MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in
       pdfbox. /(DS-3309 <> -
       requires a JIRA account to access.) This vulnerability was
       discovered in the 'pdfbox' software and more details can be
       found at Prior
       versions of DSpace can easily patch this issue by updating the
       version of 'pdfbox' used by your DSpace (see ticket for
       details).  This vulnerability affects all versions of DSpace
       that use pdfbox. It was discovered by Seth Robbins
     o /[MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn
       items can be accessed by anyone (via JSPUI, XMLUI or REST).
       (DS-3097 <> - requires
       a JIRA account to access). /This vulnerability could allow
       anonymous users to read embargoed or withdrawn files, via direct
       URL access when "request-a-copy" is disabled (which is not the
       default). This vulnerability affects DSpace 4.x and 5.x, and was
       discovered by Franziska Ackermann
 * Additional JSPUI security fixes
     o /[HIGH SEVERITY]  Any registered user can modify in progress
       submission. (DS-2895 <>
       - requires a JIRA account to access.) /This vulnerability could
       allow registered users to edit others in-progress submissions,
       provided//that they could guess the internal ID of the
       submission. This vulnerability affects DSpace 1.5.x up to (and
       including) 5.x and was discovered by Andrea Bollini of 4Science.
 * Additional REST security fixes
     o /[HIGH SEVERITY] //SQL Injection Vulnerability in 5.x REST
       API (DS-3250 <> /-
       requires a JIRA account to access.) //This vulnerability affects
       DSpace 5.x only and was discovered by Bram Luyten of Atmire.
 * JSPUI bug fixes
     o JSPUI: Creative Commons license fails with fetch directy the url
       (instead use the Creative Commons REST API) (DS-2604
     o JSPUI: Upload a file, multifile, with a description text during
       the submission process (DS-2623
     o JSPUI: Bug fix to EPerson popup (DS-2968
 * XMLUI bug fixes
     o XMLUI: Recyclable Cocoon components should clear local variables
       (DS-3246 <>)
     o XMLUI: "Request a copy" feature was not working when the
       property request.item-type was set to all (DS-3294
     o XMLUI: Bug fix to policy search form (DS-3206
 * Other minor fixes and improvements
     o METSRightsCrosswalk NPE During AIP Restore - No Anonymous Read
       (DS-3140 <>)
     o AIP Restore is not respecting access restrictions (on Items)
       (DS-3266 <>)
     o Error when missing Context Description in xoai.xml (DS-2874
     o Bug fix to REST API 'find-by-metadata-field' (DS-3248

For much more information on each of these and other fixes, please visit our 5.x Release Notes: <>

     5.6 Documentation

The DSpace 5.x documentation is available online at:

A PDF copy of the documentation can also be downloaded from:

     5.6 Acknowledgments

The DSpace application would not exist without the hard work and support of the community. Thank you to the many developers who have worked very hard to deliver all the new features and improvements. Also thanks to the users who provided input and feedback on the development.

The 5.6 release was led by the Committers.

The following individuals provided code or bug fixes to the 5.6 release: Andrea Bollini (abollini), Tim Donohue (tdonohue), Ivan Masar (helix84), Oriol Olive (oooriii), Luigi Andrea Pascarelli (lap82), Hardy Pottinger (hardyoyo), Andrea Schweer (aschweer), William Tantzen (wilee53), Mark Wood (mwoodiupui), Bruno Nocera Zanette

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were accidentally not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.6!


Tim Donohue (on behalf of the DSpace Committers)

Tim Donohue
Technical Lead for DSpace & DSpaceDirect | |

You received this message because you are subscribed to the Google Groups "DSpace 
Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
Visit this group at
For more options, visit

Reply via email to