From Tim Donohue, DSpace tech lead on behalf of the DSpace developers

Austin, TX  DSpace 5.6 is now available providing security fixes to the XMLUI, JSPUI and REST API, along with bug fixes to the DSpace 5.x platform.

5.6 Security / Bug Fixes

  • General security fixes
    • [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 – requires a JIRA account to access.) This vulnerability was discovered in the 'pdfbox' software and more details can be found at  Prior versions of DSpace can easily patch this issue by updating the version of 'pdfbox' used by your DSpace (see ticket for details).  This vulnerability affects all versions of DSpace that use pdfbox. It was discovered by Seth Robbins
    • [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone (via JSPUI, XMLUI or REST). (DS-3097 – requires a JIRA account to access). This vulnerability could allow anonymous users to read embargoed or withdrawn files, via direct URL access when "request-a-copy" is disabled (which is not the default). This vulnerability affects DSpace 4.x and 5.x, and was discovered by Franziska Ackermann
  • Additional JSPUI security fixes
    • [HIGH SEVERITY]  Any registered user can modify in progress submission. (DS-2895 – requires a JIRA account to access.) This vulnerability could allow registered users to edit others in-progress submissions, provided that they could guess the internal ID of the submission. This vulnerability affects DSpace 1.5.x up to (and including) 5.x and was discovered by Andrea Bollini of 4Science.
  • Additional REST security fixes
    • [HIGH SEVERITY]  SQL Injection Vulnerability in 5.x REST API (DS-3250 – requires a JIRA account to access.) This vulnerability affects DSpace 5.x only and was discovered by Bram Luyten of Atmire.
  • JSPUI bug fixes
    • JSPUI: Creative Commons license fails with fetch directy the url (instead use the Creative Commons REST API) (DS-2604
    • JSPUI: Upload a file, multifile, with a description text during the submission process (DS-2623)
    • JSPUI: Bug fix to EPerson popup (DS-2968)
  • XMLUI bug fixes
    • XMLUI: Recyclable Cocoon components should clear local variables (DS-3246
    • XMLUI: "Request a copy" feature was not working when the property request.item-type was set to all ( DS-3294)
    • XMLUI: Bug fix to policy search form (DS-3206)
  • Other minor fixes and improvements
    • METSRightsCrosswalk NPE During AIP Restore – No Anonymous Read (DS-3140)
    • AIP Restore is not respecting access restrictions (on Items) (DS-3266)
    • Error when missing Context Description in xoai.xml (DS-2874)
    • Bug fix to REST API 'find-by-metadata-field' (DS-3248

For much more information on each of these and other fixes, please visit our 5.x Release Notes:

5.6 Documentation

The DSpace 5.x documentation is available online at:
A PDF copy of the documentation can also be downloaded from:

5.6 Acknowledgments

The DSpace application would not exist without the hard work and support of the community. Thank you to the many developers who have worked very hard to deliver all the new features and improvements. Also thanks to the users who provided input and feedback on the development.

The 5.6 release was led by the Committers.

The following individuals provided code or bug fixes to the 5.6 release: Andrea Bollini (abollini), Tim Donohue (tdonohue), Ivan Masar (helix84), Oriol Olive (oooriii), Luigi Andrea Pascarelli (lap82), Hardy Pottinger (hardyoyo), Andrea Schweer (aschweer), William Tantzen (wilee53), Mark Wood (mwoodiupui), Bruno Nocera Zanette

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were accidentally not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.6!



Leave a Reply

Your email address will not be published. Required fields are marked *