NOW AVAILABLE: DSpace 5.4–Bug Fixes, Memory Enhancements++

Tue, 2015-11-10 12:09 -- carol

From Tim Donohue, on behalf of the DSpace 5.4 Release Team, and all the DSpace developers

Winchester, MA: DSpace 5.4 is now available, providing security fixes to the JSPUI, along with significant bug fixes and memory usage enhancements to all DSpace 5.x users.

DSpace 5.4 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-5.4
5.4 Release notes are available at: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes

In addition, you are welcome to try out DSpace 5.4 on http://demo.dspace.org/ and continue to provide any early feedback you may have.

5.4 Bug Fixes

  • JSPUI security fixes:
    • [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous JavaScript code into links to search results. If a user was emailed such a link and clicked it, the JavaScript would be run in their local browser. This vulnerability has existed since DSpace 3.x.
      • Discovered by Genaro Contreras
    • [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x.
      • Discovered by Genaro Contreras
  • Google Scholar fix:
    • Google Scholar metadata did not guarantee proper ordering of authors (DS-2679)
  • Search / Browse fixes (Discovery/Solr) for JSPUI and XMLUI:
    • Resolved a significant memory leak when searching/browsing (gradual leak) (DS-2869)
    • Resolved a significant memory spike when reindexing (only triggered when running "index-discovery" with no arguments) (DS-2832)
    • Fixes to allow fielded or boolean searches to work once again (DS-2699, DS-2803)
    • Solr logging was broken. It did not properly log to the "[dspace]/log/solr.log" files (DS-2790)
  • OAI-PMH fixes:
    • Upgraded the XOAI library to 3.2.10 to resolve several issues
    • OAI did not support harvesting by date (YYYY-MM-DD) without a time (DS-2524, DS-2542)
    • OAI getRecord was wrongly including all virtual sets (DS-2573)
    • OAI was ignoring the "dspace.oai.url" setting in "oai.cfg" (DS-2744)
  • REST API fixes:
    • /handle not reflecting updates (DS-2692)
    • /collections/<id>/items ignores offset parameter (DS-2719)
    • login/logout thread safety (DS-2830)
  • Deposit/Submission fixes:
    • Fixed an issue where submission lookup fails if the PubMed server is down (DS-2813)
    • JSPUI: Allow reviewers to upload files (DS-2814)
  • Minor fixes to XMLUI Mirage2 theme

For much more information on each of these and other fixes, please visit our 5.x Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes

5.4 Documentation

The DSpace 5.x documentation is available online at: https://wiki.duraspace.org/display/DSDOC5x/

A PDF copy of the documentation can also be downloaded from: https://github.com/DSpace/DSpace/releases/download/dspace-5.4/DSpace-Manual.pdf

5.4 Acknowledgments

The DSpace application would not exist without the hard work and support of the community. Thank you to the many developers who have worked very hard to deliver all the new features and improvements. Thanks also to the users who provided input and feedback on the development, as well as those who participated in the testathons.

The 5.4 release was led by Andrea Schweer (University of Waikato ITS), Tim Donohue and the Committers.

The following individuals provided code or bug fixes to the 5.4 release: Pascal-Nicolas Becker (pnbecker), Arnaud de Bossoreille (arnodb), Brad Dewar (bdewar), Peter Dietz (peterdietz), Tim Donohue (tdonohue), Ondrej Košarko (kosarko), Aleksander Kotynski-Buryla (akotynski), Ivan Masar (helix84), Hardy Pottinger (hpottinger), Christian Scheible (christian-scheible), Andrea Schweer (aschweer), Bill Tantzen (wilee53), Jonas Van Goolen, Chris Wilper (cwilper), Mark H Wood (mwoodiupui), Jun Won Jung (RomanticCat).

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were accidentally not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.3!
