From Tim Donohue, DSpace Tech Lead on behalf of the DSpace developers
Austin, TX: DSpace 5.5 is now available, providing security fixes to both the XMLUI and JSPUI, along with bug fixes to the DSpace 5.x platform.
• DSpace 5.5 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-5.5
• 5.5 Release notes are available at: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
In addition, you are welcome to try out DSpace 5.5 on http://demo.dspace.org/
5.5 Bug Fixes
- XMLUI security fixes
  - [HIGH SEVERITY] The XMLUI "themes" path is vulnerable to a full directory traversal (DS-3094; requires a JIRA/Wiki account to access). This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace site. This XMLUI vulnerability has existed since DSpace 1.5.x, and was discovered by Virginia Tech.
- JSPUI security fixes
  - [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063; requires a JIRA/Wiki account to access). This JSPUI vulnerability has existed since DSpace 4.0, and was discovered by CINECA.
- REST fixes
- OAI fixes
- Configuration fixes
- Other minor fixes
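Administrators who ran an unpatched XMLUI may want to check whether the themes path was probed before the upgrade. The following Python script is an added example, not DSpace project code: it scans Tomcat-style access log lines (constructed samples below) for requests under the XMLUI themes path whose percent-decoded path escapes the themes directory. It assumes themes are served under /xmlui/themes/; adjust THEMES_PREFIX to your context path.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed location of the XMLUI themes path; adjust for your servlet context path.
THEMES_PREFIX = "/xmlui/themes/"

# Tomcat "common" access log format: host ident user [date] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def decode_path(raw):
    """Percent-decode a request path repeatedly (to catch double encoding) and drop the query string."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # a few rounds are enough for double-encoded %252e%252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_themes(decoded_path):
    """True when the normalized path leaves the themes directory or still carries a '..' segment."""
    if not decoded_path.startswith(THEMES_PREFIX):
        return False
    normalized = posixpath.normpath(decoded_path)
    return not normalized.startswith(THEMES_PREFIX) or ".." in decoded_path.split("/")

def find_traversal_attempts(lines):
    """Return (client, timestamp, raw_path, status) for each request that escapes the themes path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, raw_path, status, _size = m.groups()
        if escapes_themes(decode_path(raw_path)):
            hits.append((client, ts, raw_path, int(status)))
    return hits

# Constructed sample lines (not real traffic): a legitimate theme asset, an encoded traversal,
# a double-encoded traversal, and an unrelated request outside the themes path.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2016:10:01:02 +0000] "GET /xmlui/themes/Mirage/lib/css/style.css HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Jun/2016:10:02:15 +0000] "GET /xmlui/themes/Mirage/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1830',
    '198.51.100.9 - - [10/Jun/2016:10:02:16 +0000] "GET /xmlui/themes/%252e%252e/%252e%252e/WEB-INF/web.xml HTTP/1.1" 200 4410',
    '203.0.113.7 - - [10/Jun/2016:10:03:00 +0000] "GET /xmlui/handle/123456789/1?show=full HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for client, ts, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ts} {client} status={status} {path}")
```

A 200 status on a flagged line means the server actually served the file, so those requests deserve follow-up; 403 or 404 responses indicate the attempt was blocked.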
For much more information on each of these and other fixes, please visit our 5.x Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
The DSpace 5.x documentation is available online at: https://wiki.duraspace.org/display/DSDOC5x/
A PDF copy of the documentation can also be downloaded from: https://github.com/DSpace/DSpace/releases/download/dspace-5.5/DSpace-Manual.pdf
The DSpace application would not exist without the hard work and support of the community. Thank you to the many developers who have worked very hard to deliver all the new features and improvements. Also thanks to the users who provided input and feedback on the development.
The 5.5 release was led by the Committers.
The following individuals provided code or bug fixes to the 5.5 release: Pascal-Nicolas Becker (pnbecker), Andrea Bollini (abollini), Tim Donohue (tdonohue), Claudia Juergen (cjuergen), Bram Luyten (bram-atmire), Ivan Masar (helix84), Dylan Meeus (DylanMeeus), AmberPoo1, Christian Scheible (christian-scheible), Tim Van de Langenbergh (tim-atmire), Mark Wood (mwoodiupui)
A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were accidentally not listed, please let us know so that we can correct it!
As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.5!