Hi Alvin,

Based on the error, it sounds like you may be installing the 
"dspace-4_x" branch from GitHub? That "dspace-4_x" branch in GitHub has 
versions that look like "4.4-SNAPSHOT".

If you wanted to actually install DSpace 4.3, you'd want to use the 
tagged "dspace-4.3" version in GitHub.

https://github.com/DSpace/DSpace/releases/tag/dspace-4.3

So, with git, you'd first need to checkout that tag into a new branch, e.g.

# Checks out the 4.3 tagged release into a new "dspace-4.3" branch
git checkout dspace-4.3 -b dspace-4.3

Essentially, the error is occurring because all our "dspace-x_x" 
maintenance branches have a version ending in "-SNAPSHOT". These 
"SNAPSHOT" versions don't exist in Maven Central (as they are not 
official DSpace releases).

While you *can* technically build/compile DSpace from that "dspace-4_x" 
maintenance branch, you'd need to *first* do so from the root source 
([dspace-source]), so that it auto-builds each and every 4.4-SNAPSHOT 
module for you locally. Your error is occurring because you tried to first 
build from "[dspace-source]/dspace" and the 4.4-SNAPSHOT versions do not 
yet exist on your local system.

I hope that helps!

- Tim

On 3/9/2015 3:44 PM, Hutchinson, Alvin wrote:
> I have tried to run the update for our current DSpace (version 4.2) to 
> version 4.3 per the security notice below.
>
> However when I run [dspace-source]/dspace/mvn -U clean package (according to 
> the upgrade document) I see the following error:
>
>
> [INFO] DSpace Kernel :: Additions and Local Customizations  FAILURE [  2.345 
> s]
> <snip>
> . . .
> . . . .
> [ERROR] Failed to execute goal on project additions: Could not resolve 
> dependencies for project org.dspace.modules:additions:jar:4.4-SNAPSHOT: Could 
> not find artifact org.dspace:dspace-api:jar:4.4-SNAPSHOT in sonatype-releases 
> (https://oss.sonatype.org/content/repositories/releases/) -> [Help 1]
>
>
> I can provide other details as necessary but from the error, I assume that 
> the executable should have been looking for 
> org.dspace.modules:additions:jar:4.3-SNAPSHOT rather than 4.4
>
> Or am I missing something?
>
> Alvin Hutchinson
> Smithsonian Libraries
> hutchins...@si.edu
>
>
> -----Original Message-----
>
> ------------------------------
>
> Message: 2
> Date: Thu, 26 Feb 2015 11:30:21 -0600
> From: Tim Donohue <tdono...@duraspace.org>
> Subject: [Dspace-general] DSPACE SECURITY ADVISORY: New DSpace 5.1,
>       4.3 and 3.4 releases resolve security issues in XMLUI and JSPUI
> To: dspace-general <dspace-gene...@lists.sourceforge.net>,
>       dspace-tech <dspace-tech@lists.sourceforge.net>,        dspace-devel
>       <dspace-de...@lists.sourceforge.net>
> Message-ID: <54ef582d.7090...@duraspace.org>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
> All,
>
> In recent weeks, several security vulnerabilities were discovered in the 
> XMLUI and JSPUI of DSpace 3.x, 4.x and 5.x sites. Some of these 
> vulnerabilities also affect DSpace 1.x.x sites.
>
> While these security vulnerabilities vary in severity (see below), WE 
> RECOMMEND ALL DSPACE USERS CONSIDER UPGRADING TO EITHER DSPACE 3.4, 4.3 OR 
> 5.1 to ensure your site is secure. Please note that the DSpace 5.1 release 
> also includes several minor bug fixes to the 5.x platform.
>
>     * DSpace 5.1 Release Notes:
> https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
>     * DSpace 4.3 Release Notes:
> https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
>     * DSpace 3.4 Release Notes:
> https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.4+Notes
>
> Where possible, WE ALSO RECOMMEND IMMEDIATELY REMOVING ANY 
> "allowLinking=true" SETTINGS from your Tomcat <Context> configuration.
> Previously our DSpace installation documentation erroneously listed examples 
> which included "allowLinking=true", while the Tomcat documentation details it 
> as a possible security concern [1]. The XMLUI Directory Traversal 
> Vulnerability (see below) is also exacerbated by having "allowLinking=true" 
> enabled.
>
> [NOTICE FOR DSPACE 1.x.x USERS:] Per our DSpace Software Support Policy [2], 
> all DSpace 1.x.x versions are now "End-Of-Life" (EOL). This includes versions 
> 1.8.3 and below. As such, we will not be releasing any further 1.x.x versions 
> (even though several of these vulnerabilities do exist in 1.x.x versions). We 
> recommend either manually patching your instances or upgrading. If you are 
> considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your 
> existing data (i.e. database contents, search/browse indexes) will now be 
> automatically upgraded from ANY prior version of DSpace (1.x.x, 3.x or 4.x). 
> Therefore, you may wish to consider upgrading directly to DSpace 5.1, as the 
> 5.x upgrade process is simplified.
>
> ========================
> Vulnerabilities Summary
> ========================
>
> Summary of XMLUI Vulnerabilities:
> ---------------------------------
>
> [HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities: These 
> vulnerabilities allow someone to potentially access any file on your local 
> filesystem which is readable to the Tomcat user account. This includes files 
> which are unrelated to DSpace or Tomcat, but are readable to all users on the 
> filesystem (e.g. on Linux this includes /etc/passwd, /etc/hosts, etc). This 
> also includes Tomcat configuration files (which may or may not contain 
> passwords). These vulnerabilities have existed since DSpace 1.5.2. The 
> initial vulnerability was discovered by Khalil Shreateh, with additional 
> (related) vulnerabilities discovered by the Committer Team.
>
> In some configurations of Tomcat, simply removing any "allowLinking=true" 
> settings from your Tomcat's <Context> configuration will limit the directory 
> traversal vulnerability's severity to only allow access to files within the 
> XMLUI web application directory.
>
> More information (and a patch) is available at
> https://jira.duraspace.org/browse/DS-2445 (Requires a DuraSpace JIRA account 
> to access for two weeks, and then will be publicly available)
>
>
> Summary of JSPUI Vulnerabilities:
> ---------------------------------
>
> [MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability: This vulnerability 
> allows someone to potentially access any file within the JSPUI web 
> application directory (e.g. WEB-INF/web.xml). This vulnerability is believed 
> to have existed in all prior versions of DSpace, and was discovered by Khalil 
> Shreateh.
>
> More information (and a patch) is available at
> https://jira.duraspace.org/browse/DS-2448 (Requires a DuraSpace JIRA account 
> to access for two weeks, and then will be publicly available)
>
> [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI 
> Recent Submissions listings. This vulnerability could allow a 
> depositor/submitter to embed dangerous Javascript code into the metadata of a 
> new submission, thus causing that code to be run across other user accounts. 
> However, this vulnerability is only possible by someone with privileges to 
> add content to your DSpace site. This vulnerability has existed since DSpace 
> 1.5.x, and was discovered by Jean-Paul Zhao (University of Toronto).
>
> More information is available at
> https://jira.duraspace.org/browse/DS-1702 (Requires a DuraSpace JIRA account 
> to access for two weeks, and then will be publicly available)
>
> [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI 
> Discovery search form: This vulnerability could allow someone to embed 
> dangerous Javascript code into links to search results. If a user was emailed 
> such a link and clicked it, the javascript would be run in their local 
> browser. This vulnerability has existed since DSpace 3.x. It was discovered 
> on DSpace 4.x and 5.x by Gabriela Mircea (McMaster
> University) and Khalil Shreateh. It was discovered on DSpace 3.x by Ilyas 
> Orak (Biznet Bilisim A.S.).
>
> More information is available at
> https://jira.duraspace.org/browse/DS-2044 (Requires a DuraSpace JIRA account 
> to access for two weeks, and then will be publicly available)
>
>
> If you or your institution have any further questions about these 
> vulnerabilities, please feel free to email the DSpace Tech Support mailing 
> list (dspace-tech@lists.sourceforge.net).
>
> --
>
> [1] Tomcat warnings on "allowLinking=true":
> https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Context
> [2] DSpace Software Support Policy:
> https://wiki.duraspace.org/display/DSPACE/DSpace+Software+Support+Policy
>
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> DSpace-tech mailing list
> DSpace-tech@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
> List Etiquette: 
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>
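
Added example (not part of the original thread and not DSpace or Tomcat code): one way to audit Tomcat configuration for the "allowLinking=true" setting the advisory recommends removing. The sample XML fragments, file names and docBase paths are constructed for illustration; the check on a nested <Resources> element goes beyond the advisory's wording and covers Tomcat 8+, where the attribute lives on that element.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration fragments (hypothetical paths, not from a real site).
SAMPLES = {
    "xmlui.xml": '<Context docBase="/dspace/webapps/xmlui" allowLinking="true"/>',
    "jspui.xml": '<Context docBase="/dspace/webapps/jspui" reloadable="false"/>',
    "solr.xml": '<Context docBase="/dspace/webapps/solr">'
                '<Resources allowLinking="TRUE"/></Context>',
    "server.xml": '<Server><Service><Engine><Host name="localhost">'
                  '<Context path="/oai" docBase="/dspace/webapps/oai" '
                  'allowLinking="false"/></Host></Engine></Service></Server>',
}


def find_allow_linking(xml_text):
    """Return (element tag, docBase) for each place allowLinking is enabled."""
    root = ET.fromstring(xml_text)
    hits = []
    # iter() also yields the root itself when the file is a bare <Context>.
    for ctx in root.iter("Context"):
        doc_base = ctx.get("docBase", "?")
        # Check the <Context> attribute and any nested <Resources> element.
        for elem in [ctx] + list(ctx.iter("Resources")):
            value = elem.get("allowLinking", "false")
            if value.strip().lower() == "true":
                hits.append((elem.tag, doc_base))
    return hits


def audit(files):
    """Map file name -> findings, listing only files that need a change."""
    report = {}
    for name, text in files.items():
        hits = find_allow_linking(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in sorted(audit(SAMPLES).items()):
        for tag, doc_base in hits:
            print(f"{name}: allowLinking enabled on <{tag}> for {doc_base}")
```

To run it against a live server, replace SAMPLES with the text of the Context files under the Tomcat conf directory; files flagged here should have the attribute removed and Tomcat restarted.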
