[dspace-tech] Now available: DSpace 5.6 release, providing security fixes and bug fixes to 5.x

2016-10-13 Thread Tim Donohue

Dear DSpace Community:

On behalf of the DSpace developers, I would like to formally announce 
that DSpace 5.6 is now available.  DSpace 5.6 provides security fixes to 
the XMLUI, JSPUI and REST API, along with bug fixes to the DSpace 5.x 
platform.


 * DSpace 5.5 can be downloaded immediately from:
   https://github.com/DSpace/DSpace/releases/tag/dspace-5.6
 * 5.5 Release notes are available at:
   https://wiki.duraspace.org/display/DSDOC5x/Release+Notes


 5.6 Security / Bug Fixes

 * General security fixes
 o [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in
   pdfbox. (DS-3309 - requires a JIRA account to access.) This
   vulnerability was discovered in the 'pdfbox' software and more
   details can be found at https://www.cvedetails.com/cve/CVE-2016-2175/.
   Prior versions of DSpace can easily patch this issue by updating the
   version of 'pdfbox' used by your DSpace (see ticket for details).
   This vulnerability affects all versions of DSpace that use pdfbox.
   It was discovered by Seth Robbins.
 o [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items
   can be accessed by anyone (via JSPUI, XMLUI or REST). (DS-3097 -
   requires a JIRA account to access.) This vulnerability could allow
   anonymous users to read embargoed or withdrawn files, via direct
   URL access when "request-a-copy" is disabled (which is not the
   default). This vulnerability affects DSpace 4.x and 5.x, and was
   discovered by Franziska Ackermann.
 * Additional JSPUI security fixes
 o [HIGH SEVERITY] Any registered user can modify in progress
   submission. (DS-2895 - requires a JIRA account to access.) This
   vulnerability could allow registered users to edit others'
   in-progress submissions, provided that they could guess the
   internal ID of the submission. This vulnerability affects DSpace
   1.5.x up to (and including) 5.x and was discovered by Andrea Bollini
   of 4Science.
 * Additional REST security fixes
 o [HIGH SEVERITY] SQL Injection Vulnerability in 5.x REST API
   (DS-3250 - requires a JIRA account to access.) This vulnerability
   affects DSpace 5.x only and was discovered by Bram Luyten of Atmire.
 * JSPUI bug fixes
 o JSPUI: Creative Commons license fails when fetching the URL
   directly (instead use the Creative Commons REST API) (DS-2604)
 o JSPUI: Upload a file, multifile, with a description text during
   the submission process (DS-2623)
 o JSPUI: Bug fix to EPerson popup (DS-2968)
 * XMLUI bug fixes
 o XMLUI: Recyclable Cocoon components should clear local variables
   (DS-3246)
 o XMLUI: "Request a copy" feature was not working when the
   property request.item-type was set to all (DS-3294)
 o XMLUI: Bug fix to policy search form (DS-3206)
 * Other minor fixes and improvements
 o METSRightsCrosswalk NPE During AIP Restore - No Anonymous Read
   (DS-3140)
 o AIP Restore is not respecting access restrictions (on Items)
   (DS-3266)
 o Error when missing Context Description in xoai.xml (DS-2874)
 o Bug fix to REST API 'find-by-metadata-field' (DS-3248)

For much more information on each of these and other fixes, please visit 
our 5.x Release Notes: 
https://wiki.duraspace.org/display/DSDOC5x/Release+Notes 




 5.6 Documentation

The DSpace 5.x documentation is available online at: 
https://wiki.duraspace.org/display/DSDOC5x/


A PDF copy of the documentation can also be downloaded from: 
https://github.com/DSpace/DSpace/releases/download/dspace-5.6/DSpace-Manual.pdf



 5.6 Acknowledgments

The DSpace application would not exist without the hard work and support 
of the community. Thank you to the many developers who have worked very 
hard to deliver all the new features and improvements. Also thanks to 
the users who provided input and feedback on the development.


The 5.6 release was led by the Committers.

The following individuals provided code or bug fixes to the 5.6 release: 
Andrea Bollini (abollini), Tim Donohue (tdonohue), Ivan Masar (helix84), 
Oriol Olive (oooriii), Luigi Andrea Pascarelli (lap82), Hardy Pottinger 
(hardyoyo), Andrea Schweer (aschweer), William Tantzen (wilee53), 

[dspace-tech] DSPACE SECURITY ADVISORY: New DSpace 5.6 and 4.7 releases resolve security issues in XMLUI, JSPUI and REST API.

2016-10-13 Thread Tim Donohue

All,

In recent weeks, several security vulnerabilities were discovered in 
the XMLUI, JSPUI and REST API.


WE RECOMMEND ALL SITES UPGRADE TO EITHER DSPACE 4.7 or 5.6 to ensure 
your site is secure, or manually patch your site using the tickets 
detailed below. (Please note that the DSpace 5.6 release also includes 
bug fixes to the 5.x platform.)


 * DSpace 5.6
 o Release Notes:
   https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
 o Download: https://github.com/DSpace/DSpace/releases/tag/dspace-5.6
 * DSpace 4.7
 o Release Notes:
   https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
 o Download: https://github.com/DSpace/DSpace/releases/tag/dspace-4.7

Summary of general vulnerabilities:

 * [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in
   pdfbox. (DS-3309 - requires a JIRA account to access.) This
   vulnerability was discovered in the 'pdfbox' software and more
   details can be found at https://www.cvedetails.com/cve/CVE-2016-2175/.
   Prior versions of DSpace can easily patch this issue by updating the
   version of 'pdfbox' used by your DSpace (see ticket for details).
   This vulnerability affects all versions of DSpace that use pdfbox.
   It was discovered by Seth Robbins.
 * [MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items
   can be accessed by anyone (via JSPUI, XMLUI or REST). (DS-3097 -
   requires a JIRA account to access.) This vulnerability could allow
   anonymous users to read embargoed or withdrawn files, via direct
   URL access when "request-a-copy" is disabled (which is not the
   default). This vulnerability affects DSpace 4.x and 5.x, and was
   discovered by Franziska Ackermann.

Additional JSPUI Vulnerability (affects 1.5.x and above):

 * [HIGH SEVERITY] Any registered user can modify in progress
   submission. (DS-2895 - requires a JIRA account to access.) This
   vulnerability could allow registered users to edit others'
   in-progress submissions, provided that they could guess the
   internal ID of the submission. This vulnerability affects DSpace
   1.5.x up to (and including) 5.x and was discovered by Andrea Bollini
   of 4Science.

Additional REST Vulnerability (affecting 5.x only):

 * [HIGH SEVERITY] SQL Injection Vulnerability in 5.x REST API
   (DS-3250 - requires a JIRA account to access.) This vulnerability
   affects DSpace 5.x only and was discovered by Bram Luyten of Atmire.


As these vulnerabilities are now considered "public", questions may be 
asked on our DSpace Tech Support mailing list 
(https://groups.google.com/forum/#!forum/dspace-tech) or on the tickets 
themselves.


We also welcome private security reports, concerns or questions via our 
security contact address (secur...@dspace.org).


Sincerely,

Tim Donohue (on behalf of the DSpace Committers)

--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org

--
You received this message because you are subscribed to the Google Groups "DSpace 
Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-tech@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.


Re: [dspace-tech] version 5.6?

2016-10-13 Thread Evgeni Dimitrov
Thank you very much Luigi Andrea,

Best regards
Evgeni



Re: [dspace-tech] version 5.6?

2016-10-13 Thread Pascarelli Luigi Andrea
Dear Evgeni,

here are the modifications from 5.4 to 5.6:

https://wiki.duraspace.org/display/DSDOC5x/Changes+in+5.x#Changesin5.x-ChangesinDSpace5.6

https://wiki.duraspace.org/display/DSDOC5x/Changes+in+5.x#Changesin5.x-ChangesinDSpace5.5

The guidelines to upgrade a DSpace installation are available here: 
https://wiki.duraspace.org/display/DSDOC5x/Upgrading+DSpace

In any case the way that you want to follow to upgrade is feasible. You can 
install from scratch, configure, customize and try if everything is ok.

After that you can point to your database and launch the database migration (there 
is only one SQL modification in 5.6, not related to the schema but a data fix: 
https://github.com/DSpace/DSpace/blob/dspace-5_x/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/postgres/V5.6_2016.08.23__DS-3097.sql).

Hope this helps you.

Regards,

Luigi Andrea

On 13/10/2016 11:23, Evgeni Dimitrov wrote:
Is DSpace version 5.6 expected?

If so, I will be considering an update from 5.4 to 5.6.
Is there any difference in the db schema of 5.4 and 5.6?

The best option for me would be to install, configure and customize 5.6 and 
when everything is working to transfer the db. Will this be possible?



--
Luigi Andrea Pascarelli

DSpace and DSpace-CRIS Committer

4Science,  www.4science.it

office: Via Edoardo D'Onofrio 304, 00155 Roma, Italy
tel: +39 333 934 1782
skype: l_a_p82
linkedin: luigiandreapascarelli

an Itway Group Company
Italy, France, Spain, Portugal, Greece, Turkey, Lebanon, Qatar, U.A.Emirates





[dspace-tech] Re: Compiling DSpace 6 with Mirage2 theme does not generate CSS files

2016-10-13 Thread Art Lowel
Apparently this issue occurred for a lot of maven 3 plugins after maven 
switched from org/sonatype/aether to org/eclipse/aether in version 3.1.

Is it possible that you're using a maven version lower than 3.1, and if so, 
could you upgrade to the latest version and try again?

On Thursday, October 13, 2016 at 8:01:46 AM UTC+2, Ari wrote:
>
> Thanks Illja!
> I think you spotted the problem. 
>
> git checkout master:
> - compile -> there is no main.css in 
> /dspace-installer/webapps/xmlui/themes/Mirage2/styles directory
> git checkout d872f5db0373286bed50d815e2628e154bf730db 
> - compile -> there is main.css in 
> /dspace-installer/webapps/xmlui/themes/Mirage2/styles and everything works
>
> I'm compiling within Centos 7 docker image without pre-installed deps for 
> Mirage2. This worked fine earlier with DSpace 6.
>
> On Wednesday, 12 October 2016 11:04:15 UTC+3, Ari wrote:
>>
>> Hi,
>> I just tried to compile latest DSpace 6 version with Mirage2. Previously 
>> I had no problems with Mirage2 but now it seems that .css files are not 
>> generated. In the log (below) I can see error with compass. 
>> Any ideas what could cause that?
>>
>>
>>
>> urls[25] = file:/usr/share/tomcat/.m2/repository/org/codehaus/plexus/
>> plexus-utils/1.5.8/plexus-utils-1.5.8.jar
>> Number of foreign imports: 1
>> import: Entry[import  from realm ClassRealm[maven.api, parent: null]]
>>
>> -
>>
>> at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(
>> DefaultBuildPluginManager.java:125)
>> ... 23 more
>> Caused by: java.lang.NoClassDefFoundError: Lorg/eclipse/aether/
>> RepositorySystemSession;
>> at java.lang.Class.getDeclaredFields0(Native Method)
>> at java.lang.Class.privateGetDeclaredFields(Class.java:2509)
>> at java.lang.Class.getDeclaredFields(Class.java:1819)
>> at com.google.inject.spi.InjectionPoint.getInjectionPoints(
>> InjectionPoint.java:661)
>> at com.google.inject.spi.InjectionPoint.forInstanceMethodsAndFields(
>> InjectionPoint.java:366)
>> at com.google.inject.internal.ConstructorBindingImpl.
>> getInternalDependencies(ConstructorBindingImpl.java:165)
>> at com.google.inject.internal.InjectorImpl.getInternalDependencies(
>> InjectorImpl.java:609)
>> at com.google.inject.internal.InjectorImpl.cleanup(InjectorImpl.java:
>> 565)
>> at com.google.inject.internal.InjectorImpl.initializeJitBinding(
>> InjectorImpl.java:551)
>> at com.google.inject.internal.InjectorImpl.createJustInTimeBinding(
>> InjectorImpl.java:865)
>> at com.google.inject.internal.InjectorImpl.
>> createJustInTimeBindingRecursive(InjectorImpl.java:790)
>> at com.google.inject.internal.InjectorImpl.getJustInTimeBinding(
>> InjectorImpl.java:278)
>> at com.google.inject.internal.InjectorImpl.getBindingOrThrow(
>> InjectorImpl.java:210)
>> at com.google.inject.internal.InjectorImpl.getProviderOrThrow(
>> InjectorImpl.java:986)
>> at com.google.inject.internal.InjectorImpl.getProvider(InjectorImpl.
>> java:1019)
>> at com.google.inject.internal.InjectorImpl.getProvider(InjectorImpl.
>> java:982)
>> at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.
>> java:1032)
>> at org.sonatype.guice.bean.reflect.AbstractDeferredClass.get(
>> AbstractDeferredClass.java:45)
>> at com.google.inject.internal.ProviderInternalFactory.provision(
>> ProviderInternalFactory.java:86)
>> at com.google.inject.internal.InternalFactoryToInitializableAdapter.
>> provision(InternalFactoryToInitializableAdapter.java:55)
>> at com.google.inject.internal.ProviderInternalFactory$1.call(
>> ProviderInternalFactory.java:70)
>> at com.google.inject.internal.
>> ProvisionListenerStackCallback$Provision.provision(
>> ProvisionListenerStackCallback.java:100)
>> at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager.
>> onProvision(PlexusLifecycleManager.java:138)
>> at com.google.inject.internal.
>> ProvisionListenerStackCallback$Provision.provision(
>> ProvisionListenerStackCallback.java:109)
>> at com.google.inject.internal.ProvisionListenerStackCallback.
>> provision(ProvisionListenerStackCallback.java:55)
>> at com.google.inject.internal.ProviderInternalFactory.circularGet(
>> ProviderInternalFactory.java:68)
>> at com.google.inject.internal.InternalFactoryToInitializableAdapter.
>> get(InternalFactoryToInitializableAdapter.java:47)
>> at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java
>> :997)
>> at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl
>> .java:1047)
>> at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:
>> 993)
>> at com.google.inject.Scopes$1$1.get(Scopes.java:59)
>> at org.sonatype.guice.bean.locators.LazyBeanEntry.getValue(
>> LazyBeanEntry.java:83)
>> at org.sonatype.guice.plexus.locators.LazyPlexusBean.getValue(
>> LazyPlexusBean.java:49)

[dspace-tech] version 5.6?

2016-10-13 Thread Evgeni Dimitrov
Is DSpace version 5.6 expected?

If so, I will be considering an update from 5.4 to 5.6.
Is there any difference in the db schema of 5.4 and 5.6?

The best option for me would be to install, configure and customize 5.6 and
when everything is working to transfer the db. Will this be possible?
