Dear DSpace Community:

On behalf of the DSpace developers, I would like to formally announce that
DSpace 5.7 is now available. DSpace 5.7 provides security fixes to the
XMLUI, JSPUI and REST API, along with bug fixes to the DSpace 5.x platform.

   - DSpace 5.7 can be downloaded immediately from:
   https://github.com/DSpace/DSpace/releases/tag/dspace-5.7
   - 5.7 Release notes are available at:
   https://wiki.duraspace.org/display/DSDOC5x/Release+Notes

5.7 Security / Bug Fixes

   - Security fixes for both JSPUI and XMLUI:
      - *[HIGH SEVERITY] Basic (Traditional) Workflow approval process is
      vulnerable to unauthorized manipulations.*
      (https://jira.duraspace.org/browse/DS-3647 - requires a JIRA account
      to access.)
         - Discovered by Pascal Becker (The Library Code / TU Berlin).
      - *[LOW SEVERITY] DSpace shipped with a version of Apache Commons
      Configuration that was vulnerable to COLLECTIONS-580 (Deserialization
      Vulnerability).* (https://jira.duraspace.org/browse/DS-3520 -
      requires a JIRA account to access.)
         - Discovered by Alan Orth.
      - *[LOW SEVERITY] DSpace failed to check if policies had valid dates
      when checking access permissions.*
      (https://jira.duraspace.org/browse/DS-3619 - requires a JIRA account
      to access.)
         - Discovered by Pascal Becker (The Library Code / TU Berlin).
   - Security fixes for REST API:
      - *[HIGH SEVERITY] A user with submit permissions can bypass workflow
      approvals by depositing via REST API.*
      (https://jira.duraspace.org/browse/DS-3281 - requires a JIRA account
      to access.)
         - Discovered by Emilio Lorenzo.
   - XMLUI bug fixes:
      - /handleresolver path was no longer working: DS-3366
      <https://jira.duraspace.org/browse/DS-3366>
      - Fix broken images when running Mirage 2 on Jetty: DS-3289
      <https://jira.duraspace.org/browse/DS-3289>
      - Improve error message when user attempts to update an e-mail
      address to an existing address: DS-3584
      <https://jira.duraspace.org/browse/DS-3584>
      - Fix error when uploading large files (>2GB) via a web browser:
      DS-2359 <https://jira.duraspace.org/browse/DS-2359>
   - JSPUI bug fixes:
      - READ access rights not being respected on Collection homepage:
      DS-3441 <https://jira.duraspace.org/browse/DS-3441>
   - Solr Statistics fixes:
      - Sharding statistics was unstable: DS-3436
      <https://jira.duraspace.org/browse/DS-3436>, DS-3458
      <https://jira.duraspace.org/browse/DS-3458>
   - AIP Backup and Restore fixes:
      - Failed AIP imports left files in assetstore: DS-2227
      <https://jira.duraspace.org/browse/DS-2227>


5.7 Acknowledgments

The DSpace application would not exist without the hard work and support of
the community. Thank you to the many developers who have worked very hard
to deliver all the new features and improvements. Also thanks to the users
who provided input and feedback on the development.

The 5.7 release was led by the DSpace Committers.

The following individuals provided code or bug fixes to the 5.7 release:
Pascal-Nicolas Becker (pnbecker), Andrea Bollini (abollini), Terry Brady
(terrywbrady), Samuel Cambien (samuelcambien), Yana De Pauw, Tom Desair
(tomdesair), Peter Dietz (peterdietz), Tim Donohue (tdonohue), Claudia
Juergen (cjuergen), Bram Luyten (bram-atmire), Ivan Masar (helix84), Alan
Orth (alanorth), Andrea Pascarelli (lap82), Kim Shepherd (kshepherd), Mark
Wood (mwoodiupui), Jonas Van Goolen (jonas-atmire), Philip Vissenaekens
(PhilipVis), and Arvo Consultores y Tecnología. S.L (arvoConsultores)

A detailed listing of all known people/institutions who contributed
directly to DSpace 5.x is available in the Release Notes. If you
contributed and were accidentally not listed, please let us know so that we
can correct it!

As always, we are happy to hear back from the community about DSpace.
Please let us know what you think of 5.7!

Sincerely,

Tim Donohue (on behalf of the DSpace Committers)
-- 

Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
