Dear DSpace Community:

On behalf of the DSpace developers, I would like to formally announce that DSpace 5.4 is now available.

DSpace 5.4 provides security fixes to the JSPUI, along with significant bug fixes and memory usage enhancements to all DSpace 5.x users.

DSpace 5.4 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-5.4

5.4 Release notes are available at: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes

In addition, you are welcome to try out DSpace 5.4 on http://demo.dspace.org/ and continue to provide any early feedback you may have.


     5.4 Bug Fixes

 * JSPUI security fixes:
     o [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is
       possible in JSPUI search interface (in Firefox web browser).
       (DS-2736 <https://jira.duraspace.org/browse/DS-2736> - requires
       a JIRA account to access for two weeks, and then will be
       public): This vulnerability could allow someone to embed
       dangerous JavaScript code into links to search results. If a
       user was emailed such a link and clicked it, the JavaScript
       would be run in their local browser. This vulnerability has
       existed since DSpace 3.x.
         + Discovered by Genaro Contreras
     o [LOW SEVERITY] Expression language injection (EL Injection) is
       possible in JSPUI search interface. (DS-2737
       <https://jira.duraspace.org/browse/DS-2737> - requires a JIRA
       account to access for two weeks, and then will be public): This
       vulnerability could allow someone to obtain information from the
       site/server using JSP syntax. This vulnerability has existed
       since DSpace 3.x.
         + Discovered by Genaro Contreras
 * Google Scholar fix:
     o Google Scholar metadata did not guarantee proper ordering of
       authors (DS-2679 <https://jira.duraspace.org/browse/DS-2679>)
 * Search / Browse fixes (Discovery/Solr) for JSPUI and XMLUI:
     o Resolved a significant memory leak when searching/browsing
       (gradual leak) (DS-2869 <https://jira.duraspace.org/browse/DS-2869>)
     o Resolved a significant memory spike when reindexing (only
       triggered when running "index-discovery" with no arguments)
       (DS-2832 <https://jira.duraspace.org/browse/DS-2832>)
     o Fixes to allow fielded or boolean searches to work once again
       (DS-2699 <https://jira.duraspace.org/browse/DS-2699>, DS-2803
       <https://jira.duraspace.org/browse/DS-2803>)
     o Solr logging was broken. It did not properly log to the
       "|[dspace]/log/solr.log|" files (DS-2790
       <https://jira.duraspace.org/browse/DS-2790>)
 * OAI-PMH fixes:
     o Upgraded the XOAI library to 3.2.10
       <https://github.com/DSpace/xoai/issues?q=milestone%3A3.2.10> to
       resolve several issues
     o OAI did not support harvesting by date (YYYY-MM-DD) without a
       time (DS-2524 <https://jira.duraspace.org/browse/DS-2524>,
       DS-2542 <https://jira.duraspace.org/browse/DS-2542>)
     o OAI getRecord was wrongly including all virtual sets (DS-2573
       <https://jira.duraspace.org/browse/DS-2573>)
     o OAI was ignoring the "dspace.oai.url" setting in "oai.cfg"
       (DS-2744 <https://jira.duraspace.org/browse/DS-2744>)
 * REST API fixes:
     o |/handle| not reflecting updates (DS-2692
       <https://jira.duraspace.org/browse/DS-2692>)
     o |/collections/<id>/items| ignores offset parameter (DS-2719
       <https://jira.duraspace.org/browse/DS-2719>)
     o login/logout thread safety (DS-2830
       <https://jira.duraspace.org/browse/DS-2830>)
 * Deposit/Submission fixes:
     o Fix issue where if PubMed server is down submission lookup fails
       (DS-2813 <https://jira.duraspace.org/browse/DS-2813>)
     o JSPUI: Allow reviewers to upload files (DS-2814
       <https://jira.duraspace.org/browse/DS-2814>)
 * Minor fixes to XMLUI Mirage2 theme

For much more information on each of these and other fixes, please visit our 5.x Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes


     5.4 Documentation

The DSpace 5.x documentation is available online at: https://wiki.duraspace.org/display/DSDOC5x/

A PDF copy of the documentation can also be downloaded from: https://github.com/DSpace/DSpace/releases/download/dspace-5.4/DSpace-Manual.pdf


     5.4 Acknowledgments

The DSpace application would not exist without the hard work and support of the community. Thank you to the many developers who have worked very hard to deliver all the new features and improvements. Also thanks to the users who provided input and feedback on the development, as well as those who participated in the testathons.

The 5.4 release was led by Andrea Schweer (University of Waikato ITS), Tim Donohue and the Committers.

The following individuals provided code or bug fixes to the 5.4 release: Pascal-Nicolas Becker (pnbecker), Arnaud de Bossoreille (arnodb), Brad Dewar (bdewar), Peter Dietz (peterdietz), Tim Donohue (tdonohue), Ondrej Košarko (kosarko), Aleksander Kotynski-Buryla (akotynski), Ivan Masar (helix84), Hardy Pottinger (hpottinger), Christian Scheible (christian-scheible), Andrea Schweer (aschweer), Bill Tantzen (wilee53), Jonas Van Goolen, Chris Wilper (cwilper), Mark H Wood (mwoodiupui), Jun Won Jung (RomanticCat)

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were accidentally not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.3!

Tim Donohue, on behalf of the DSpace 5.4 Release Team, and all the DSpace developers.

--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
