Sorry to react so late on this thread.
What Tim recommends is of course right: as DSpace-CRIS is based on
DSpace, there is a high chance that the issue, if any, also applies
to plain DSpace, so my preferred way to deal with a security report would
be according to the DSpace policy

https://wiki.lyrasis.org/display/DSPACE/DSpace+Software+Support+Policy

If the incident is reported directly to us (4Science) we will do our
best to investigate it as soon as possible and report back to the
DSpace dev team if it also applies here, but again, in my experience
there is a 99% overlap, so it is better to get everyone informed sooner.

BTW we got more details and the reported issue is a false positive.

Andrea
On Fri, 2020-10-23 at 11:49 +0100, Marc wrote:
> Dear Sean,
> We would be interested in the outcome of this, as we have a DSpace
> CRIS system about to be released.
> Kind regards
> Marc
> On 22 Oct 2020, at 7:18, Sean Carte wrote:
> > Good points; thanks, Tim and Emilio. I wasn't about to report a
> > vulnerability, I was really just asking for advice on how to
> > address this. (I could have phrased my question better.)
> > 
> > As you suggest, if IT or the auditors do supply anything concrete,
> > I will take it up directly with 4Science.
> > 
> > On Wed, 21 Oct 2020 at 16:15, Tim Donohue <tim.dono...@lyrasis.org>
> > wrote:
> > > All,
> > > 
> > > Per our DSpace Software Support policy, we have a recommended way
> > > to report security issues privately to the developer team:
> > > 
> > > https://wiki.lyrasis.org/display/DSPACE/DSpace+Software+Support+Policy
> > > 
> > > To analyze a potential security issue, we require some sort of
> > > proof or example way to exploit the vulnerability. At this time,
> > > there are no known SQL injection vulnerabilities related to
> > > DSpace.
> > > 
> > > That said, the above support policy does NOT apply to DSpace-
> > > CRIS, which is a third-party product built/supported/maintained
> > > by 4Science.  You'd need to contact 4Science directly regarding
> > > any security issues/reports with DSpace-CRIS.
> > > 
> > > Thanks,
> > > 
> > > Tim
> > > From: dspace-tech@googlegroups.com <dspace-tech@googlegroups.com>
> > > on behalf of emilio lorenzo <elore...@arvo.es>
> > > Sent: Wednesday, October 21, 2020 2:32 AM
> > > To: dspace-tech@googlegroups.com <dspace-tech@googlegroups.com>
> > > Subject: Re: [dspace-tech] SQL Injection Vulnerability
> > >  
> > > In any case, I think that information about vulnerabilities must
> > > be kept off the public lists... the "group" has mechanisms to
> > > deal with these issues.
> > > It is only an idea...
> > > BEST
> > > 
> > > Emilio
> > > 
> > > 
> > > On 20/10/2020 10:10, Sean Carte wrote:
> > > > I'm running DSpace-CRIS 5.10 and have received a message from
> > > > our IT dept alerting me to an SQL injection vulnerability on
> > > > our repository.
> > > > 
> > > > It seems the auditors were using HighBond, but they haven't
> > > > given me any details as to how they assessed this
> > > > vulnerability.
> > > > 
> > > > I'm supposed to do something about it, but I don't know what.
> > > > 
> > > > Is there a known vulnerability in DSpace-CRIS 5.10?
> > > > 
> > > > /dspacecris-dut/bin/dspace version
> > > > DSpace version:  CRIS-5.10.0-SNAPSHOT
> > > >   SCM revision:  8390fec2945050541427ef1249dbbbd56b1ccdc4
> > > >     SCM branch:  fix-sword
> > > >             OS:  Linux(amd64) version 4.4.0-190-generic
> > > >      Discovery:  enabled.
> > > >            JRE:  Private Build version 1.8.0_265
> > > >    Ant version:  Apache Ant(TM) version 1.9.6 compiled on July 20 2018
> > > >  Maven version:  3.3.9
> > > >    DSpace home:  /dspacecris-dut
> > > > -- 
> > > > All messages to this mailing list should adhere to the
> > > > DuraSpace Code of Conduct: 
> > > > https://duraspace.org/about/policies/code-of-conduct/
> > > > --- 
> > > > You received this message because you are subscribed to the
> > > > Google Groups "DSpace Technical Support" group.
> > > > To unsubscribe from this group and stop receiving emails from
> > > > it, send an email to dspace-tech+unsubscr...@googlegroups.com.
> > > > To view this discussion on the web visit 
> > > > https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhPWr8AO5xqkkTE1SbzXK%3D6xuswSS%2BmmfBPoj9OH3s0w4g%40mail.gmail.com
> > > > .
> > > 
> > 
> 
> -- 
> This message was scanned by Libra ESVA and found to be clean.
