All,

In recent weeks, several security vulnerabilities were discovered in the XMLUI, JSPUI and REST API.

WE RECOMMEND ALL SITES UPGRADE TO EITHER DSPACE 4.7 or 5.6 to ensure your site is secure, or manually patch your site using the tickets detailed below. (Please note that the DSpace 5.6 release also includes bug fixes to the 5.x platform.)

 * DSpace 5.6
     o Release Notes:
       https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
     o Download: https://github.com/DSpace/DSpace/releases/tag/dspace-5.6
 * DSpace 4.7
     o Release Notes:
       https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
     o Download: https://github.com/DSpace/DSpace/releases/tag/dspace-4.7

Summary of general vulnerabilities:

 * [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in
   pdfbox. (DS-3309 <https://jira.duraspace.org/browse/DS-3309> -
   requires a JIRA account to access.) This vulnerability was
   discovered in the 'pdfbox' software and more details can be found at
   https://www.cvedetails.com/cve/CVE-2016-2175/. Prior versions of
   DSpace can easily patch this issue by updating the version of
   'pdfbox' used by your DSpace (see ticket for details). This
   vulnerability affects all versions of DSpace that use pdfbox. It was
   discovered by Seth Robbins.
 * [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items
   can be accessed by anyone (via JSPUI, XMLUI or REST). (DS-3097
   <https://jira.duraspace.org/browse/DS-3097> - requires a JIRA
   account to access.) This vulnerability could allow anonymous users
   to read embargoed or withdrawn files via direct URL access when
   "request-a-copy" is disabled (which is not the default). This
   vulnerability affects DSpace 4.x and 5.x, and was discovered by
   Franziska Ackermann.

Additional JSPUI Vulnerability (affects 1.5.x and above):

 * [HIGH SEVERITY] Any registered user can modify in-progress
   submissions. (DS-2895 <https://jira.duraspace.org/browse/DS-2895> -
   requires a JIRA account to access.) This vulnerability could allow
   registered users to edit others' in-progress submissions,
   provided that they could guess the internal ID of the submission.
   This vulnerability affects DSpace 1.5.x up to (and including) 5.x
   and was discovered by Andrea Bollini of 4Science.
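The defect described above is a missing authorization check: the submission is looked up by an internal ID that any logged-in user can supply, and sequential IDs are easy to guess. The following added example (hypothetical code, not DSpace's API or the actual DS-2895 fix) contrasts the unchecked lookup with one that ties the edit to the caller's identity, using an in-memory store and constructed sample records so it runs stand-alone.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical illustration; class and method names are not DSpace's own.
public class SubmissionAccessCheck {

    /** Minimal stand-in for an in-progress ("workspace") submission. */
    static final class WorkspaceItem {
        final int id;          // sequential internal ID: guessable, so it must not act as a secret
        final int submitterId; // owner of the in-progress submission
        final String title;
        WorkspaceItem(int id, int submitterId, String title) {
            this.id = id; this.submitterId = submitterId; this.title = title;
        }
    }

    static final class AccessDeniedException extends Exception {
        AccessDeniedException(String msg) { super(msg); }
    }

    private final Map<Integer, WorkspaceItem> store = new HashMap<>();

    void add(WorkspaceItem wi) { store.put(wi.id, wi); }

    /** Vulnerable pattern: authentication is checked, but the item is loaded by ID alone,
     *  so any logged-in user who supplies another user's submission ID gets to edit it. */
    WorkspaceItem loadForEditUnchecked(int callerUserId, int itemId) throws AccessDeniedException {
        if (callerUserId <= 0) throw new AccessDeniedException("login required");
        WorkspaceItem wi = store.get(itemId);
        if (wi == null) throw new AccessDeniedException("no such submission");
        return wi; // missing: is callerUserId actually the submitter?
    }

    /** Fixed pattern: the edit is authorized against the caller's identity, not just the ID. */
    WorkspaceItem loadForEdit(int callerUserId, int itemId) throws AccessDeniedException {
        if (callerUserId <= 0) throw new AccessDeniedException("login required");
        WorkspaceItem wi = store.get(itemId);
        // One response for "missing" and "not yours", so the endpoint does not confirm which IDs exist.
        if (wi == null || wi.submitterId != callerUserId) {
            throw new AccessDeniedException("submission " + itemId + " is not editable by user " + callerUserId);
        }
        return wi;
    }

    public static void main(String[] args) {
        SubmissionAccessCheck svc = new SubmissionAccessCheck();
        svc.add(new WorkspaceItem(101, 7, "Alice's draft")); // constructed sample data
        svc.add(new WorkspaceItem(102, 9, "Bob's draft"));
        int bob = 9;

        try { // Bob supplies Alice's guessed ID: the unchecked lookup hands it over.
            WorkspaceItem leaked = svc.loadForEditUnchecked(bob, 101);
            System.out.println("unchecked: user " + bob + " may edit \"" + leaked.title + "\"");
        } catch (AccessDeniedException e) {
            System.out.println("unchecked denied: " + e.getMessage());
        }
        try { // Same request against the checked lookup is refused.
            svc.loadForEdit(bob, 101);
            System.out.println("checked: UNEXPECTED access granted");
        } catch (AccessDeniedException e) {
            System.out.println("checked denied: " + e.getMessage());
        }
        try { // Bob's own submission is still editable.
            System.out.println("checked: user " + bob + " may edit \"" + svc.loadForEdit(bob, 102).title + "\"");
        } catch (AccessDeniedException e) {
            System.out.println("checked: UNEXPECTED denial");
        }
    }
}
```

The design point is that the ownership test lives inside the load-for-edit path rather than in each UI or REST caller, so a new entry point cannot forget it; an equivalent check for submitters who are also administrators would extend the condition, not bypass it.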

Additional REST Vulnerability (affecting 5.x only):

 * [HIGH SEVERITY] SQL Injection Vulnerability in 5.x REST
   API (DS-3250 <https://jira.duraspace.org/browse/DS-3250> - requires
   a JIRA account to access.) This vulnerability affects DSpace 5.x
   only and was discovered by Bram Luyten of Atmire.
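The announcement does not describe the affected REST query, so the following is an added, generic illustration (not the DS-3250 fix, and not DSpace's schema or code) of the defect class and its standard remedy in Java: a lookup that concatenates a caller-supplied value into SQL text, next to the same lookup done with a JDBC PreparedStatement. The `items` table, its columns and the sample rows are constructed for the example. Run without arguments it only prints how the query text differs; pass a JDBC URL as the first argument (with the matching driver on the classpath) to execute both lookups against a fresh table.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Illustrative only; table and column names are assumptions, not DSpace's schema.
public class ParameterizedLookup {

    /** Vulnerable pattern: the caller-controlled value becomes part of the SQL text. */
    static String buildVulnerableSql(String handle) {
        return "SELECT item_id, title FROM items WHERE handle = '" + handle + "'";
    }

    static List<String> findByHandleVulnerable(Connection c, String handle) throws SQLException {
        List<String> out = new ArrayList<>();
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableSql(handle))) {
            while (rs.next()) out.add(rs.getInt("item_id") + ":" + rs.getString("title"));
        }
        return out;
    }

    /** Fixed pattern: the SQL text is constant; the value is bound as a parameter,
     *  so quotes or keywords inside it are data, never syntax. */
    static List<String> findByHandle(Connection c, String handle) throws SQLException {
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT item_id, title FROM items WHERE handle = ?")) {
            ps.setString(1, handle);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) out.add(rs.getInt("item_id") + ":" + rs.getString("title"));
            }
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed value containing a quote and a tautology, the textbook probe for this defect.
        String crafted = "x' OR '1'='1";
        System.out.println("vulnerable text: " + buildVulnerableSql(crafted));
        System.out.println("fixed text:      SELECT item_id, title FROM items WHERE handle = ?  (bound value: " + crafted + ")");
        if (args.length == 0) return;

        // Assumption: args[0] is a JDBC URL for a scratch database and its driver is on the classpath.
        try (Connection c = DriverManager.getConnection(args[0])) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE items (item_id INT, title VARCHAR(100), handle VARCHAR(100))");
                st.execute("INSERT INTO items VALUES (1, 'Public thesis', '123/1'), (2, 'Embargoed thesis', '123/2')");
            }
            System.out.println("vulnerable rows for crafted value: " + findByHandleVulnerable(c, crafted)); // every row
            System.out.println("fixed rows for crafted value:      " + findByHandle(c, crafted));           // none
            System.out.println("fixed rows for real handle:        " + findByHandle(c, "123/1"));           // one row
        }
    }
}
```

Detection-wise, the concatenating form is easy to grep for (string `+` adjacent to `executeQuery`/`createStatement`), and a code-review rule that only `prepareStatement` with `?` placeholders may touch request input is what keeps the REST layer from reintroducing it.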


As these vulnerabilities are now considered "public", questions may be asked on our DSpace Tech Support mailing list (https://groups.google.com/forum/#!forum/dspace-tech) or on the tickets themselves.

We also welcome private security reports, concerns or questions via our security contact address (secur...@dspace.org).

Sincerely,

Tim Donohue (on behalf of the DSpace Committers)

--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org

--
You received this message because you are subscribed to the Google Groups "DSpace Developers" group (https://groups.google.com/group/dspace-devel).
