[Irtalk] Fwd: [dspace-tech] DSPACE JSPUI SECURITY ADVISORY: New DSpace 5.4, 4.4 and 3.5 releases resolve security issues in JSPUI

Hilton Gibson hilton.gibson at gmail.com
Tue Nov 10 18:20:14 SAST 2015


---------- Forwarded message ---------
From: Tim Donohue <tdonohue at duraspace.org>
Date: Tue, 10 Nov 2015 00:16
Subject: [dspace-tech] DSPACE JSPUI SECURITY ADVISORY: New DSpace 5.4, 4.4
and 3.5 releases resolve security issues in JSPUI
To: DSpace Community <dspace-community at googlegroups.com>, DSpace Tech
Support <dspace-tech at googlegroups.com>, DSpace Developers <
dspace-devel at googlegroups.com>


All,

In recent weeks, several security vulnerabilities were discovered in the
JSPUI of DSpace 3.x, 4.x and 5.x sites.  This vulnerability does NOT affect
XMLUI-based sites.

While these security vulnerabilities vary in severity (see below), WE
RECOMMEND ALL JSPUI-based SITES CONSIDER UPGRADING TO EITHER DSPACE 3.5,
4.4 OR 5.4 to ensure your site is secure. (Please note that the DSpace 5.4
release also includes bug fixes and memory usage enhancements.)

   * DSpace 5.4 Release Notes:
https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
   * DSpace 4.4 Release Notes:
https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
   * DSpace 3.5 Release Notes:
https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.5+Notes


Summary of JSPUI Vulnerabilities:
------------------------------------------------

   - [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible in
   JSPUI search interface (in Firefox web browser). (DS-2736
   <https://jira.duraspace.org/browse/DS-2736> - *requires a JIRA account
   to access for two weeks, and then will be public*): This vulnerability
   could allow someone to embed dangerous JavaScript code into links to search
   results. If a user was emailed such a link and clicked it, the JavaScript
   would be run in their local browser. This vulnerability has existed since
   DSpace 3.x, and was discovered by Genaro Contreras.
   - [LOW SEVERITY] Expression language injection (EL Injection) is
   possible in JSPUI search interface. (DS-2737
   <https://jira.duraspace.org/browse/DS-2737> - *requires a JIRA account
   to access for two weeks, and then will be public*): This vulnerability
   could allow someone to obtain information from the site/server using JSP
   syntax. This vulnerability has existed since DSpace 3.x, and was
   discovered by Genaro Contreras.

If you or your institution have any further questions about these
vulnerabilities, please feel free to email the DSpace Tech Support mailing
list (https://groups.google.com/forum/#!forum/dspace-tech).


-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
