Good points; thanks, Tim and Emilio. I wasn't about to *report* a
vulnerability, I was really just asking for advice on how to address this.
(I could have phrased my question better.)

As you suggest, *if* IT or the auditors do supply anything concrete, I will
take it up directly with 4Science.

On Wed, 21 Oct 2020 at 16:15, Tim Donohue <tim.dono...@lyrasis.org> wrote:

> All,
>
> Per our DSpace Software Support policy, we have a recommended way to
> report security issues privately to the developer team:
> https://wiki.lyrasis.org/display/DSPACE/DSpace+Software+Support+Policy
>
> To analyze a potential security issue, we *require* some sort of proof
> or example way to exploit the vulnerability.  At this time, there are no
> known SQL injection vulnerabilities related to DSpace.
>
> That said, the above support policy does *NOT* apply to DSpace-CRIS,
> which is a third-party product built/supported/maintained by 4Science
> <https://www.4science.it/en/>.  You'd need to contact 4Science directly
> regarding any security issues/reports with DSpace-CRIS.
>
> Thanks,
>
> Tim
> ------------------------------
> *From:* dspace-tech@googlegroups.com <dspace-tech@googlegroups.com> on
> behalf of emilio lorenzo <elore...@arvo.es>
> *Sent:* Wednesday, October 21, 2020 2:32 AM
> *To:* dspace-tech@googlegroups.com <dspace-tech@googlegroups.com>
> *Subject:* Re: [dspace-tech] SQL Injection Vulnerability
>
>
> In any case, I think that information about vulnerabilities must be kept
> off the public lists... the "group" has mechanisms to deal with these
> issues.
> It is only an idea...
> Best
>
> Emilio
>
>
> On 20/10/2020 10:10, Sean Carte wrote:
>
> I'm running DSpace-CRIS 5.10 and have received a message from our IT dept
> alerting me to an SQL injection vulnerability on our repository.
>
> It seems the auditors were using HighBond, but they haven't given me any
> details as to how they assessed this vulnerability.
>
> I'm supposed to do something about it, but I don't know what.
>
> Is there a known vulnerability in DSpace-CRIS 5.10?
>
> /dspacecris-dut/bin/dspace version
> DSpace version:  CRIS-5.10.0-SNAPSHOT
>   SCM revision:  8390fec2945050541427ef1249dbbbd56b1ccdc4
>     SCM branch:  fix-sword
>             OS:  Linux(amd64) version 4.4.0-190-generic
>      Discovery:  enabled.
>            JRE:  Private Build version 1.8.0_265
>    Ant version:  Apache Ant(TM) version 1.9.6 compiled on July 20 2018
>  Maven version:  3.3.9
>    DSpace home:  /dspacecris-dut
> --
> All messages to this mailing list should adhere to the DuraSpace Code of
> Conduct: https://duraspace.org/about/policies/code-of-conduct/
> ---
> You received this message because you are subscribed to the Google Groups
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dspace-tech+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhPWr8AO5xqkkTE1SbzXK%3D6xuswSS%2BmmfBPoj9OH3s0w4g%40mail.gmail.com
> <https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhPWr8AO5xqkkTE1SbzXK%3D6xuswSS%2BmmfBPoj9OH3s0w4g%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
>
