Re: [Dspace-tech] Spring vulnerabilities in DSpace 1.5.2?
The components affected by the issue are not used by DSpace JSPUI as well, so there are no issues with the existing installations. DSpace CRIS makes use of some Spring tags, but as far as we know it never uses "user input" as an attribute of these tags, so no issues for DSpace CRIS too.

Best regards,
Andrea

On 05/09/2013 23:09, stuart yeates wrote:
> The vulnerability appears to be JSP specific, those running only the
> xmlui interface should be fine, right?
>
> cheers
> stuart
>
> On 06/09/13 04:50, Halliday, James Leonard wrote:
>> Hello,
>>
>> I am trying to follow up on some vulnerabilities in the Spring
>> framework, which are documented here:
>>
>> http://support.springsource.com/security/cve-2011-2730
>>
>> A recent survey of all our running DSpace instances showed a DSpace
>> 1.5.2 instance with Spring 2.5.1 jars included. These are the jars that
>> might be vulnerable. Can someone tell me if the jars are being used in a
>> way that makes them vulnerable? There is a later Spring 2.5.x release
>> that fixed the problem; should we simply replace the existing jars
>> without needing to make any other changes?
>>
>> Thanks so much.
>>
>> -Jim Halliday
>>
>> -Indiana University

--
Andrea Bollini
Dipartimento Servizi e Soluzioni per l'Amministrazione Universitaria
Divisione Ricerca
Via dei Tizii, 6
00185 Roma, Italy
tel. +39 06 44 486 087 - mob. +39 348 82 77 525
http://www.cineca.it

___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
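One way to run the check this reply describes, whether any Spring JSP tag takes a request-time value as an attribute, is sketched below as an added example that is not code from DSpace, DSpace CRIS or anyone in the thread. It is a heuristic: it flags Spring tag attributes containing an EL or scriptlet expression for manual review, and the sample JSP and the function names are constructed for illustration.

```python
import re

# URIs of the Spring JSP tag libraries (core tags and form tags).
SPRING_TAGLIB_URIS = {
    "http://www.springframework.org/tags",
    "http://www.springframework.org/tags/form",
}
TAGLIB_RE = re.compile(r"<%@\s*taglib\b([^%]*)%>")
ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
DYNAMIC_RE = re.compile(r"\$\{|<%=")  # EL expression or scriptlet expression


def parse_attrs(text):
    """Return {name: value} for the quoted attributes in a tag or directive."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ATTR_RE.finditer(text)}


def spring_prefixes(jsp):
    """Prefixes that this JSP binds to a Spring tag library."""
    directives = [parse_attrs(body) for body in TAGLIB_RE.findall(jsp)]
    return {d["prefix"] for d in directives
            if d.get("uri") in SPRING_TAGLIB_URIS and "prefix" in d}


def audit_jsp(jsp):
    """Return (line, tag, attribute, value) for each Spring tag attribute
    whose value is computed at request time and so needs manual review."""
    prefixes = spring_prefixes(jsp)
    if not prefixes:
        return []
    names = "|".join(re.escape(p) for p in sorted(prefixes))
    tag_re = re.compile(r"""<((?:%s):[\w-]+)((?:[^>"']|"[^"]*"|'[^']*')*)>""" % names)
    findings = []
    for tag in tag_re.finditer(jsp):
        line = jsp.count("\n", 0, tag.start()) + 1
        for name, value in parse_attrs(tag.group(2)).items():
            if DYNAMIC_RE.search(value):
                findings.append((line, tag.group(1), name, value))
    return findings


# Constructed sample page, not taken from DSpace or DSpace CRIS.
SAMPLE_JSP = '''<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<spring:message code="jsp.home.title"/>
<spring:message code="${param.key}"/>
<c:out value="${param.q}"/>
'''
```

Calling `audit_jsp` on the text of each `.jsp` file in a deployed webapp gives the list of tag uses to review; an empty result for every page is consistent with the "no Spring tags on user input" assessment above.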
[Dspace-tech] Spring vulnerabilities in DSpace 1.5.2?
Hello,

I am trying to follow up on some vulnerabilities in the Spring framework, which are documented here:

http://support.springsource.com/security/cve-2011-2730

A recent survey of all our running DSpace instances showed a DSpace 1.5.2 instance with Spring 2.5.1 jars included. These are the jars that might be vulnerable. Can someone tell me if the jars are being used in a way that makes them vulnerable? There is a later Spring 2.5.x release that fixed the problem; should we simply replace the existing jars without needing to make any other changes?

Thanks so much.

- Jim Halliday
- Indiana University
Re: [Dspace-tech] Spring vulnerabilities in DSpace 1.5.2?
The vulnerability appears to be JSP specific, those running only the xmlui interface should be fine, right?

cheers
stuart

On 06/09/13 04:50, Halliday, James Leonard wrote:
> Hello,
>
> I am trying to follow up on some vulnerabilities in the Spring
> framework, which are documented here:
>
> http://support.springsource.com/security/cve-2011-2730
>
> A recent survey of all our running DSpace instances showed a DSpace
> 1.5.2 instance with Spring 2.5.1 jars included. These are the jars that
> might be vulnerable. Can someone tell me if the jars are being used in a
> way that makes them vulnerable? There is a later Spring 2.5.x release
> that fixed the problem; should we simply replace the existing jars
> without needing to make any other changes?
>
> Thanks so much.
>
> -Jim Halliday
>
> -Indiana University

--
Stuart Yeates
Library Technology Services
http://www.victoria.ac.nz/library/