From Tim Donohue, DSpace tech lead on behalf of the DSpace developers
Austin, TX: DSpace 5.6 is now available, providing security fixes to the XMLUI, JSPUI and REST API, along with bug fixes to the DSpace 5.x platform.
- DSpace 5.6 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-5.6
- 5.6 Release notes are available at: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
5.6 Security / Bug Fixes
- General security fixes
- [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 – requires a JIRA account to access.) This vulnerability was discovered in the 'pdfbox' software and more details can be found at https://www.cvedetails.com/cve/CVE-2016-2175/. Prior versions of DSpace can easily patch this issue by updating the version of 'pdfbox' used by your DSpace (see ticket for details). This vulnerability affects all versions of DSpace that use pdfbox. It was discovered by Seth Robbins.
- [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone (via JSPUI, XMLUI or REST). (DS-3097 – requires a JIRA account to access.) This vulnerability could allow anonymous users to read embargoed or withdrawn files via direct URL access when "request-a-copy" is disabled (which is not the default). This vulnerability affects DSpace 4.x and 5.x, and was discovered by Franziska Ackermann.
- Additional JSPUI security fixes
- [HIGH SEVERITY] Any registered user can modify an in-progress submission. (DS-2895 – requires a JIRA account to access.) This vulnerability could allow registered users to edit others' in-progress submissions, provided that they could guess the internal ID of the submission. This vulnerability affects DSpace 1.5.x up to (and including) 5.x and was discovered by Andrea Bollini of 4Science.
- Additional REST security fixes
- [HIGH SEVERITY] SQL Injection vulnerability in the 5.x REST API. (DS-3250 – requires a JIRA account to access.) This vulnerability affects DSpace 5.x only and was discovered by Bram Luyten of Atmire.
- JSPUI bug fixes
- XMLUI bug fixes
- Other minor fixes and improvements
For much more information on each of these and other fixes, please visit our 5.x Release Notes: https://wiki.duraspace.org/
5.6 Documentation
The DSpace 5.x documentation is available online at: https://wiki.duraspace.org/
A PDF copy of the documentation can also be downloaded from: https://github.com/DSpace/
5.6 Acknowledgments
The DSpace application would not exist without the hard work and support of the community. Thank you to the many developers who have worked very hard to deliver all the new features and improvements. Also thanks to the users who provided input and feedback on the development.
The 5.6 release was led by the Committers.
The following individuals provided code or bug fixes to the 5.6 release: Andrea Bollini (abollini), Tim Donohue (tdonohue), Ivan Masar (helix84), Oriol Olive (oooriii), Luigi Andrea Pascarelli (lap82), Hardy Pottinger (hardyoyo), Andrea Schweer (aschweer), William Tantzen (wilee53), Mark Wood (mwoodiupui), Bruno Nocera Zanette
A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were accidentally not listed, please let us know so that we can correct it!
As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.6!