We are pleased to announce the release of DSpace 9.3!  This release 
provides security fixes and bug fixes to the 9.x platform. No new features 
are provided. As such, this release should be an easier upgrade for sites 
already running 9.x.

Download DSpace 9.3 
<https://wiki.lyrasis.org/spaces/DSDOC9x/pages/379125829/Release+Notes#ReleaseNotes-9.3ReleaseNotes>

Security Fixes

   - Fix for GHSA-9x82-rm84-c6x7
     <https://github.com/DSpace/DSpace/security/advisories/GHSA-9x82-rm84-c6x7>
     (high severity). Remote Code Execution (RCE) possible in Velocity
     templates used by LDN (Linked Data Notifications) when COAR Notify is
     enabled. (NOTE: A CVE ID has been requested but not yet assigned)
   - Fix for GHSA-9qm4-rh6w-pq5x
     <https://github.com/DSpace/DSpace/security/advisories/GHSA-9qm4-rh6w-pq5x>
     (moderate severity). Path traversal vulnerability possible in LDN
     (Linked Data Notifications) message generation when COAR Notify is
     enabled. (NOTE: A CVE ID has been requested but not yet assigned)
   - Fix for GHSA-v66x-68f2-pxf5
     <https://github.com/DSpace/DSpace/security/advisories/GHSA-v66x-68f2-pxf5>
     (moderate severity). Path Traversal Vulnerability is possible in
     Curation Task Reporter output path. (NOTE: A CVE ID has been requested
     but not yet assigned)
   - Fix for GHSA-c827-pw3m-67w7
     <https://github.com/DSpace/DSpace/security/advisories/GHSA-c827-pw3m-67w7>
     (moderate severity). ORE resource URI does not validate scheme for
     non-web resources when harvesting OAI content. (NOTE: A CVE ID has been
     requested but not yet assigned)
   - Patch for CVE-2026-27739
     <https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx>
     in Angular SSR (critical severity). All versions of Angular SSR (Server
     Side Rendering) contain a critical SSRF (Server-Side Request Forgery)
     vulnerability, which may be possible to exploit in DSpace sites that
     are not running DSpace behind a well-configured proxy (see mailing list
     announcement
     <https://groups.google.com/g/dspace-community/c/MAXmwc-sUSI/m/oxaGF7hxCQAJ>).

Breaking Changes

We include a “Breaking Changes” section in the Release Notes to notify you
of major changes which may impact your upgrade. Please visit the Release
Notes
<https://wiki.lyrasis.org/spaces/DSDOC9x/pages/379125829/Release+Notes#ReleaseNotes-9.3ReleaseNotes>
for the full details.


A few key breaking changes to be aware of in DSpace 8.4:

   - Frontend's new "ui > baseUrl" setting is now required for Server Side
     Rendering (SSR) and helps to patch against the Angular SSR
     vulnerability CVE-2026-27739
     <https://github.com/advisories/GHSA-x288-3778-4hhx>.
   - Replaced "webui.content_disposition_format" with
     "webui.content_disposition_inline" (in dspace.cfg). This improves
     security of unknown or custom formats by only displaying trusted
     formats inline.

Major Bug fixes / improvements include:

   - General user enhancements and fixes
      - Fixed an authorization issue where security details in SOLR could
        go out of sync without a manual reindexing. #2853
        <https://github.com/DSpace/DSpace/issues/2853> (Donated by Toni
        Prieto)
      - Fixed bug on Browse by Issue Date where the date was treated as a
        filter rather than a start date for decades. #10055
        <https://github.com/DSpace/DSpace/issues/10055> (Donated by Atmire)
      - Fixed a bug where the IIIF viewer was not working due to a missing
        mime.types file. #11804
        <https://github.com/DSpace/DSpace/issues/11804> (Donated by
        4Science)
      - Fixed a bug where authentication methods would not appear if page
        refreshed before authentication token expired. #4662
        <https://github.com/DSpace/dspace-angular/issues/4662> (Donated by
        Atmire)
      - Fixed a bug in hierarchical vocabulary browse where only the first
        20 matches to a query were rendered. #4500
        <https://github.com/DSpace/dspace-angular/issues/4500> (Donated by
        Atmire)
      - Fixed an issue where deleted bitstreams returned HTTP 401
        unauthorized instead of 404. #11629
        <https://github.com/DSpace/DSpace/issues/11629> (Donated by Jesiel
        Viana)
      - Fixed bug where LDAP authentication would fail when a user's LDAP
        entry had no email field. #11292
        <https://github.com/DSpace/DSpace/issues/11292> (Donated by
        dataquest)
      - Fixed bug where metadata export was no longer respecting
        metadata.hide.* properties. #11197
        <https://github.com/DSpace/DSpace/pull/11197> (Donated by Atmire)
      - Fixed bug with the "Show more" functionality of truncatable
        component for content containing HTML. #4948
        <https://github.com/DSpace/dspace-angular/issues/4948> (Donated by
        4Science)
      - Fixed an issue where memory errors would occur when downloading
        large bitstreams from an S3 remote. #12468
        <https://github.com/DSpace/DSpace/issues/12468> (Donated by
        4Science)
      - Fixed bug where hierarchical & advanced search on community and
        collection pages redirected user to the global search route. #5210
        <https://github.com/DSpace/dspace-angular/pull/5210> (Donated by
        Atmire)
   - Submission / Workflow enhancements and fixes
      - Fixed an issue where loading many mapped collection forms via
        item-submission could cause a Fetch error. #10750
        <https://github.com/DSpace/DSpace/issues/10750> (Donated by Paulo
        Graça)
      - Fixed bug where a Submitter could not deposit items via SWORD when
        the item had an embargo defined. #10404
        <https://github.com/DSpace/DSpace/pull/10404> (Donated by dataquest)
      - Fixed an issue where it was not possible to download bitstreams
        during submission while impersonating a user. #8957
        <https://github.com/DSpace/DSpace/issues/8957> (Donated by Atmire)
      - There is now a configurable limit on the number of items that can
        be added or edited in a single CSV metadata import. #9663
        <https://github.com/DSpace/DSpace/issues/9663> (Donated by Neki-IT)
      - Fixed an issue where controlled vocabulary lookup was not working
        for text with accented characters. #12097
        <https://github.com/DSpace/DSpace/pull/12097> (Donated by Istvan
        Vig)
   - Administrative enhancements and fixes
      - Fixed bug where admin privileges were not immediately inherited
        from community to collection on creation. #9652
        <https://github.com/DSpace/DSpace/issues/9652> (Donated by Toni
        Prieto)
      - Fixed an issue where the search function from "Edit" in the sidebar
        listed items which the user is not allowed to edit. #1331
        <https://github.com/DSpace/dspace-angular/issues/1331> (Donated by
        Toni Prieto)
      - Fixed an issue where the checksum checker could fail to complete
        due to memory constraints in repositories with many bitstreams.
        #7322 <https://github.com/DSpace/DSpace/issues/7322> (Donated by
        Miika Nurminen)
      - Fixed an issue where the curation task CreateMissingIdentifiers
        would not work for an item without a handle. #11676
        <https://github.com/DSpace/DSpace/pull/11676> (Donated by The
        Library Code)
      - Fixed bug where "cleanup" command-line script would fail if deleted
        bitstreams still had orphaned rows in bundle2bitstream. #11009
        <https://github.com/DSpace/DSpace/issues/11009> (Donated by Atmire
        and The Library Code)
      - Fixed an issue where after creating a new EPerson, the application
        would become unresponsive. #5000
        <https://github.com/DSpace/dspace-angular/issues/5000> (Donated by
        PCG Academia)
      - Fixed bug where creating an EPerson would fail for an email
        containing uppercase letters. #4338
        <https://github.com/DSpace/dspace-angular/issues/4338> (Donated by
        PCG Academia)
   - Integration fixes
      - Fixed bug occurring during OAI update process when the batch size
        was exceeded and items had metadata-level embargoes. #12112
        <https://github.com/DSpace/DSpace/issues/12112> (Donated by Toni
        Prieto)
      - Fixed several failures occurring with the OpenAIRE Search API.
        #11967 <https://github.com/DSpace/DSpace/pull/11967> (Donated by
        dataquest)
      - OAI-PMH now serves pre-transformed HTML if the client sends an
        Accept header requesting text/HTML. #11648
        <https://github.com/DSpace/DSpace/issues/11648> (Donated by The
        Library Code)
      - ORCID iDs are now included in the metadata that gets sent to
        DataCite from DSpace. #9883
        <https://github.com/DSpace/DSpace/issues/9883> (Donated by Eike
        Löhden)
      - ORCID iD icons and links are now displayed according to ORCID's
        Display guidelines. #4656
        <https://github.com/DSpace/dspace-angular/issues/4656> (Donated by
        4Science with additions by Nicholas Woodward)
      - Enabled sending a Client-Id header in requests to the ROR (Research
        Organization Registry) API. #11653
        <https://github.com/DSpace/DSpace/pull/11653> (Donated by 4Science)
      - Fixed bug where bitstream downloads would fail when using a script
        blocker on sites with Matomo integration. #4991
        <https://github.com/DSpace/dspace-angular/issues/4991> (Donated by
        PCG Academia)
   - Performance improvements
      - Improved performance on item pages with many bitstreams by reducing
        bitstream authorization requests. #5028
        <https://github.com/DSpace/dspace-angular/pull/5028> (Donated by
        Tina Schönborn)
      - Improved performance by optimizing the SQL query in the
        findByEPerson method. #11472
        <https://github.com/DSpace/DSpace/pull/11472> (Donated by Toni
        Prieto)
      - Improved performance on the signposting endpoint by adding a count
        query. #12305 <https://github.com/DSpace/DSpace/pull/12305>
        (Donated by Tina Schönborn)
      - Improved loading times and cache behavior for the community list
        page. #9911 <https://github.com/DSpace/DSpace/issues/9911> (Donated
        by 4Science)
      - DOIOrganiser bulk operations can now scale for hundreds of items
        due to adding DAO-level pagination. #9622
        <https://github.com/DSpace/DSpace/issues/9622> (Donated by Atmire)
   - For a full list of changes and contributors in 9.3, see our Release
     Notes
     <https://wiki.lyrasis.org/spaces/DSDOC9x/pages/379125829/Release+Notes#ReleaseNotes-9.3ReleaseNotes>

New and improved Language support

   - German (Deutsch) language updates donated by Sascha Szott (saschaszott)
   - Italian (Italiano) language updates donated by 4Science
   - Portuguese (Português) language updates donated by Neki-IT
   - Traditional Chinese (繁體中文) added & donated by eScire

A total of 60 individuals contributed to 9.3. For a full list of changes
and contributors in 9.3, see our Release Notes
<https://wiki.lyrasis.org/spaces/DSDOC9x/pages/379125829/Release+Notes#ReleaseNotes-9.3ReleaseNotes>.

Would you like to contribute to a future DSpace release? 

DSpace is built and supported by community volunteers. We have no 
centralized development team. Therefore, we welcome contributions from 
anyone! Contributions may take the form of:

   - Contributing money to our DSpace Development Fund
     <https://wiki.lyrasis.org/display/DSPACE/Announcement%3A+DSpace+Development+Fund>
     - All funds go directly towards development in the next release(s),
     and you will be acknowledged on our DSpace Development Fund
     <https://wiki.lyrasis.org/display/DSPACE/Announcement%3A+DSpace+Development+Fund>
     page.
   - Contributing code - As a volunteer developer you can determine which
     issue ticket you’d like to work on. Join our weekly developer meetings
     <https://wiki.lyrasis.org/display/DSPACE/Developer+Meetings> or get in
     touch with Tim Donohue <https://wiki.lyrasis.org/display/~tdonohue> if
     you have any questions.

If you’d like more information on ongoing development, please consider 
joining our weekly developer meetings 
<https://wiki.lyrasis.org/display/DSPACE/Developer+Meetings>, or follow 
along by reading the public notes of past meetings.
