Hi,

The Spring vulnerability you are likely mentioning is this 
one: https://spring.io/security/cve-2024-22243

While this is a security issue in Spring, at this time, we do not believe 
it impacts DSpace directly because DSpace doesn't use the 
UriComponentsBuilder in the way that is described by the vulnerability.  
Nonetheless, we have already applied this Spring upgrade to our 
"dspace-7_x" branch in our backend's 
codebase: https://github.com/DSpace/DSpace/tree/dspace-7_x  That way the 
upgrade will be included in the 7.6.2 release.

If you wish to apply these same changes locally, the necessary changes to 
7.x are all found in this PR: https://github.com/DSpace/DSpace/pull/9376

As a sidenote, there was also a later follow-up security issue from Spring 
in https://spring.io/security/cve-2024-22259 which reports that they failed 
to fully fix that issue in Spring 5.3.32.  

The secondary fix was to simply update to Spring 5.3.33, which we did in 
this PR: https://github.com/DSpace/DSpace/pull/9422

Again, neither of these Spring updates seems to be required for 
DSpace sites at this time.  Both will be included in the DSpace 7.6.2 
release (date is to be announced). That said, if you feel safer applying 
them early, then you are welcome to do so via the two PRs above (or via the 
`dspace-7_x` maintenance branch).

Tim

On Thursday, March 28, 2024 at 7:26:17 AM UTC-5 [email protected] wrote:

>
> Hello All,
>
> As per my understanding I updated the spring version from 5.3.27 to 5.3.32 
> in pom.xml file
>
> After doing that I rebuilt the backend code using the mvn clean package and 
> ant fresh_install commands
>
> While rebuilding I was getting error "Dependency convergence error for 
> org.springframework:spring-context-support".
>
> I resolved that error and the build completed successfully.
>
> I want to know whether only these steps are needed to upgrade Spring in 
> DSpace or whether I am missing some steps.
>
> How should I check that the server is now using the upgraded Spring version?
>
> Any suggestion or help is highly appreciated
> On Wednesday, March 27, 2024 at 6:40:30 PM UTC+5:30 Salony Permanand wrote:
>
>> Hello All,
>>
>> I am using DSpace 7.6 version.
>>
>> I have a vulnerability issue with the Spring version in my DSpace.
>>
>> It throws a warning as "Applications that use 'UriComponentsBuilder' to 
>> parse an externally provided URL (e.g. through a query parameter) AND 
>> perform validation checks on
>> the host of the parsed URL may be vulnerable to an open redirect attack"
>>
>> The only solution available is to upgrade from 5.3.27 to 5.3.32 (which is 
>> the secure version).
>>
>> But when I try to upgrade, it creates lots of issues with the DSpace 
>> version and is not supported.
>>
>> Can anyone help regarding that and suggest what to do 
>>
>> Any help is highly appreciated
>>
>
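The question above about how to confirm that the running server actually uses the upgraded Spring jars is not answered in the thread. On the build side, `mvn dependency:tree -Dincludes=org.springframework` run in the backend source tree shows which Spring Framework versions Maven resolved (and is the place a dependency convergence error surfaces). The script below is an added example, not DSpace project code, that checks the deployed side instead: it scans a `WEB-INF/lib` directory for Spring Framework module jars and flags any whose version is below a minimum such as 5.3.33. The default `LIB_DIR` (`[dspace]/webapps/server/WEB-INF/lib`) is an assumption about a DSpace 7 backend layout; point it at wherever your `server` webapp is actually deployed. It only inspects jars named `spring-<module>-<version>.jar` for the Spring Framework modules listed (Spring Security, Spring Data and Spring Boot jars use their own version lines and are deliberately skipped).

```shell
#!/bin/sh
# Check deployed Spring Framework jar versions against a minimum.
# Assumed DSpace 7 backend deployment path; override with DSPACE_DIR.
LIB_DIR="${DSPACE_DIR:-/dspace}/webapps/server/WEB-INF/lib"

# Spring Framework modules that all share the framework version (5.3.x here).
FRAMEWORK_MODULES="spring-aop spring-aspects spring-beans spring-context \
spring-context-support spring-core spring-expression spring-jcl spring-jdbc \
spring-jms spring-messaging spring-orm spring-oxm spring-test spring-tx \
spring-web spring-webflux spring-webmvc spring-websocket"

# is_framework_module NAME : success if NAME is a Spring Framework module.
is_framework_module() {
  for m in $FRAMEWORK_MODULES; do
    [ "$m" = "$1" ] && return 0
  done
  return 1
}

# version_ge A B : success if dotted version A >= B, compared component-wise
# as integers (so 5.3.33 > 5.3.9, unlike a plain string comparison).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_spring_min DIR MIN : print one line per Spring Framework jar in DIR.
# Returns 0 if every module is >= MIN, 1 if any is older, 2 if none found.
check_spring_min() {
  dir="$1"; min="$2"; bad=0; seen=0
  for jar in "$dir"/spring-*.jar; do
    [ -e "$jar" ] || continue            # no match: glob stayed literal
    base=$(basename "$jar" .jar)         # e.g. spring-context-support-5.3.33
    version=${base##*-}                  # text after the last "-"
    artifact=${base%-*}                  # text before the last "-"
    is_framework_module "$artifact" || continue
    seen=$((seen + 1))
    if version_ge "$version" "$min"; then
      printf 'OK       %s %s\n' "$artifact" "$version"
    else
      printf 'OUTDATED %s %s (< %s)\n' "$artifact" "$version" "$min"
      bad=$((bad + 1))
    fi
  done
  if [ "$seen" -eq 0 ]; then
    echo "no Spring Framework jars found in $dir" >&2
    return 2
  fi
  [ "$bad" -eq 0 ]
}

# Run against the deployed webapp when the directory exists.
if [ -d "$LIB_DIR" ]; then
  check_spring_min "$LIB_DIR" 5.3.33
fi
```

A mixed result (some modules at the new version, others still at the old one) is exactly the situation the dependency convergence error in the build was warning about, so seeing every listed module at the same version is the thing to confirm after an `ant fresh_install` and Tomcat restart.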

You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/d5896a63-6060-4c66-ac88-23e01d69be15n%40googlegroups.com.