Dear DSpace Community,

On behalf of the DSpace developers, I would like to formally announce that DSpace 5.11 is now available. DSpace 5.11 provides security fixes, bug fixes and improvements to the DSpace 5.x platform.

We highly recommend all DSpace 5.x users upgrade to 5.11, or manually patch the security issues listed below.

DSpace 5.11 can be downloaded immediately from: https://github.com/DSpace/DSpace/releases/tag/dspace-5.11

5.11 Release notes are available at: https://wiki.lyrasis.org/display/DSDOC5x/Release+Notes

Security fixes include:

* [HIGH] CVE-2022-31195<https://github.com/DSpace/DSpace/security/advisories/GHSA-8rmh-55h4-93h5> (impacts XMLUI and JSPUI): Path traversal vulnerability in Simple Archive Format package import (ItemImportService API).
  * Reported by Johannes Moritz of Ripstech
* [HIGH] CVE-2022-31194<https://github.com/DSpace/DSpace/security/advisories/GHSA-qp5m-c3m9-8q2p> (impacts JSPUI only): The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks.
  * Reported by Johannes Moritz of Ripstech
* [HIGH] CVE-2022-31193<https://github.com/DSpace/DSpace/security/advisories/GHSA-763j-q7wv-vf3m> (impacts JSPUI only): The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack.
  * Reported by Johannes Moritz of Ripstech
* [MODERATE] CVE-2022-31191<https://github.com/DSpace/DSpace/security/advisories/GHSA-c558-5gfm-p2r8> (impacts JSPUI only): The JSPUI spellcheck "Did you mean" HTML and autocomplete HTML are vulnerable to Cross Site Scripting (XSS).
  * Reported by Hassan Bhuiyan, Brunel University London
* [MODERATE] CVE-2022-31192<https://github.com/DSpace/DSpace/security/advisories/GHSA-4wm8-c2vv-xrpq> (impacts JSPUI only): The JSPUI "Request a Copy" feature is vulnerable to Cross Site Scripting (XSS) attacks.
  * Reported by Andrea Bollini of 4Science

Major bug fixes include:

* Fix Mirage 2 build broken by disappearance of JRuby gems torquebox.org<http://torquebox.org/> mirror: https://github.com/DSpace/DSpace/commit/0428da8dab7a02c592ec96ab9cea545f5b6de42d
* Database fixes
  * Migrate update-sequences.sql script to dspace database command: DS-4167 (#2361)<https://github.com/DSpace/DSpace/pull/2361>
* XMLUI fixes
  * Fix Discovery label for metadata values under authority control: DS-2852 (#1701)<https://github.com/DSpace/DSpace/pull/1701>
  * Fix missing date values while faceting: DS-3791 (#2679)<https://github.com/DSpace/DSpace/pull/2679>
  * Fix support for custom sitemap.xmap in Mirage 2: DS-3545 (#1691)<https://github.com/DSpace/DSpace/pull/1691>
* JSPUI fixes
  * Fix bug in JSPUI Shibboleth session renewal: DS-3444 (#2566)<https://github.com/DSpace/DSpace/pull/2566>
  * Update Sherpa Romeo layout: DS-4377 (#2565)<https://github.com/DSpace/DSpace/pull/2565>
  * Fix issue with duplicate headers when bitstream title has a comma: DS-4340 (#2514)<https://github.com/DSpace/DSpace/pull/2514>
* REST API fixes:
  * Fix Maven build issue due to blocking of plaintext HTTP repositories: #3247<https://github.com/DSpace/DSpace/issues/3247> (see #3274<https://github.com/DSpace/DSpace/pull/3274>)
  * Improve performance of collections endpoints: DS-4342 (#2517)<https://github.com/DSpace/DSpace/pull/2517>

Additional bug fixes and improvements can be found in the release notes at https://wiki.lyrasis.org/display/DSDOC5x/Release+Notes

5.11 Acknowledgments

The 5.11 release was led by Alan Orth, Kim Shepherd, Nicholas Woodward and Hrafn Malmquist (of Cottage Labs).

The following individuals provided tests, code or bug fixes or review to the 5.11 release (in alphabetical order by given name): Andrea Bollini, Andrea Jenis Saroni, Andrew Bennet, Bram Luyten, Hrafn Malmquist, Iordanis Kostelidis, Jonas Van Goolen, Kim Shepherd, Kristof De Langhe, Lotte Hofstede, Luigi Andrea Pascarelli, Mark H. Wood, Pascal-Nicolas Becker, Philip Vissenaekens, samuel, Terry Brady, Tim Donohue.

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.11!

Sincerely,

Tim Donohue (on behalf of the DSpace Committers)

--
Tim Donohue (he/him)
Technical Lead, DSpace
tim.dono...@lyrasis.org
Lyrasis.org<https://www.lyrasis.org/> | DSpace.org<http://dspace.org>
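An added illustration, not DSpace code and not taken from the advisory for CVE-2022-31195, of the kind of containment check a Simple Archive Format importer needs: every file name listed in an item's "contents" manifest is resolved against the item directory and rejected if it escapes it. The manifest layout (one file per line, tab-separated qualifiers) and all names here are my assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Added illustration, not DSpace code: reject "contents" manifest entries that
// would resolve outside a Simple Archive Format item directory.
public class SafContentsCheck {

    // Resolve one manifest entry against the item directory and confirm the
    // result is still inside it (symlinks and ".." segments resolved first).
    public static Path resolveInsideItem(Path itemDir, String entry) throws IOException {
        Path base = itemDir.toRealPath();
        Path candidate = base.resolve(entry).normalize();
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IOException("entry escapes item directory: " + entry);
        }
        return candidate;
    }

    // A SAF manifest lists one bitstream per line; qualifiers such as
    // "bundle:ORIGINAL" follow the file name after a tab (assumed layout).
    public static List<Path> checkedBitstreams(Path itemDir, List<String> lines) throws IOException {
        List<Path> accepted = new ArrayList<>();
        for (String line : lines) {
            String trimmed = line.trim();
            if (trimmed.isEmpty() || trimmed.startsWith("#")) continue;
            accepted.add(resolveInsideItem(itemDir, trimmed.split("\t", 2)[0]));
        }
        return accepted;
    }

    public static void main(String[] args) throws IOException {
        Path itemDir = Files.createTempDirectory("saf-item");
        // Constructed manifest: two ordinary entries followed by two traversal attempts.
        List<String> manifest = List.of("paper.pdf\tbundle:ORIGINAL",
                "license.txt\tbundle:LICENSE", "../../../etc/passwd", "/etc/passwd");
        for (String line : manifest) {
            try {
                Path p = checkedBitstreams(itemDir, List.of(line)).get(0);
                System.out.println("accepted: " + p.getFileName());
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check runs on the canonical (symlink-resolved) item directory so that a link planted inside the package cannot redirect a name that looks local; the two traversal entries are rejected before any file is opened.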