From Tim Donohue, DSpace and DSpaceDirect Tech Lead, on behalf of the DSpace Committers

As you may have seen earlier this week (in the JSPUI security notice email), DSpace 5.9 is now available! DSpace 5.9 provides bug fixes and improvements to the DSpace 5.x platform.

DSpace 5.9 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-5.9

5.9 Release notes are available at: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes

DSpace 5.9 is a bug fix release to resolve several issues located in previous 5.x releases. As it provides only bug fixes, DSpace 5.9 should constitute an easy upgrade from DSpace 5.x for most users. No database changes should be necessary when upgrading from DSpace 5.x to 5.9.

DSpace 5.9 contains two security fixes for JSPUI users. If you use JSPUI, we recommend that you test and upgrade to this release as soon as possible (or upgrade to 6.3, which also fixes these issues).

JSPUI security fixes include:

- [HIGH SEVERITY] A user can inject malicious JavaScript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 – requires a JIRA account to access.)
  - Reported by Julio Brafman
- [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 – requires a JIRA account to access.)
  - Reported by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)

Major bug fixes include:

- Update DSpace ORCID Integration to use ORCID API v2 (instead of now obsolete ORCID v1): DS-3447
- Update DSpace Statistics to use GeoIP API v2 (instead of now discontinued GeoIP API v1): DS-3832
- Other API-level fixes (affecting all UIs)
  - PostgreSQL JDBC driver upgraded to latest version (to allow for full compatibility with PostgreSQL v10): DS-3854
  - Ensure ImageMagick thumbnails respect the orientation of original file: DS-3839
- OAI-PMH Fixes
  - Enhanced “oai import” command to report on items that cause indexing issues: DS-3852
  - Fix 500 error when no Community or Collection: DS-3853
- XMLUI Fixes
  - Fixed Mirage v2 build issues caused by Bower Registry URL change: DS-3936
  - Fixed performance issues for Items with 100+ bitstreams: DS-3883
  - Fix issue where search results lose Community/Collection context when sorting: DS-3835
  - Update Mirage to use recommended MathJax inline delimiters (DS-3087) and to use new CDN location (DS-3560)

For more information, see the Changes section in the DuraSpace wiki.

5.9 Acknowledgments

The 5.9 release was led by the DSpace Committers, with major support from Kim Shepherd and Tim Donohue.

The following individuals provided code or bug fixes to the 5.9 release: Pascal-Nicolas Becker, Ben Bosman, Terry Brady, Tim Donohue, Alex Magaz Graça, Lotte Hofstede, Ivan Masár, Hardy Pottinger, Kim Shepherd, Jonas Van Goolen and Mark H. Wood.

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.9!