[IRTalk] Fwd: [dspace-tech] DSPACE SECURITY ADVISORY: New DSpace 5.5, 4.5 and 3.6 releases resolve security issues in XMLUI and JSPUI
hilton.gibson at gmail.com
Mon Mar 21 19:39:56 SAST 2016
Stellenbosch University Library
---------- Forwarded message ----------
From: Tim Donohue <tdonohue at duraspace.org>
Date: 21 March 2016 at 19:05
Subject: [dspace-tech] DSPACE SECURITY ADVISORY: New DSpace 5.5, 4.5 and
3.6 releases resolve security issues in XMLUI and JSPUI
To: DSpace Community <dspace-community at googlegroups.com>, DSpace Tech
Support <dspace-tech at googlegroups.com>, DSpace Developers <
dspace-devel at googlegroups.com>
In recent weeks, a two different security vulnerabilities where discovered
in the XMLUI and JSPUI.
WE RECOMMEND ALL SITES UPGRADE TO EITHER DSPACE 3.6, 4.5 OR 5.5 to ensure
your site is secure. (Please note that the DSpace 5.5 release also includes
bug fixes to the 5.x platform.)
- DSpace 5.5
- Release Notes:
- Download: https://github.com/DSpace/DSpace/releases/tag/dspace-5.5
- DSpace 4.5
- Release Notes:
- Download: https://github.com/DSpace/DSpace/releases/tag/dspace-4.5
- DSpace 3.6
- Release Notes:
- Download: https://github.com/DSpace/DSpace/releases/tag/dspace-3.6
Summary of XMLUI Vulnerability (affects 1.5.x and above):
- *[HIGH SEVERITY] The XMLUI "themes" path is vulnerable to a full
directory traversal. (DS-3094 <https://jira.duraspace.org/browse/DS-3094> -
requires a JIRA/Wiki account to access.) This means that ANY files on your
system which are readable to the Tomcat user account may be publicly
accessed via your DSpace site.* This XMLUI vulnerability has existed
since DSpace 1.5.x, and was discovered by Virginia Tech.
- While we highly recommend upgrading, patches are also available by
visiting the ticket linked above (requires a JIRA/Wiki account
- As 1.5.x, 1.6.x, 1.7.x and 1.8.x sites are also affected, we
recommend 1.x.x. sites consider upgrading to 5.x or manually applying a
patch. Beginning with DSpace 5.x, we now provide an easier upgrade
process from any prior version of DSpace (1.x.x, 3.x or 4.x). See the 5.x
release notes for more information:
Summary of JSPUI Vulnerability (affects 4.x and above):
- *[MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to
Administrators) can be used to view/edit ANY files which are readable to
the Tomcat user account (DS-3063
<https://jira.duraspace.org/browse/DS-3063> - requires a JIRA/Wiki account
to access.) *This JSPUI vulnerability has existed since DSpace 4.0, and
was discovered by CINECA.
As these vulnerabilities are now considered "public", questions may be
asked on our DSpace Tech Support mailing list (
https://groups.google.com/forum/#!forum/dspace-tech) or on the tickets
We also welcome private security reports, concerns or questions via our new
security contact address (security at dspace.org).
Tim Donohue (on behalf of the DSpace Committers)
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
You received this message because you are subscribed to the Google Groups
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to dspace-tech+unsubscribe at googlegroups.com.
To post to this group, send email to dspace-tech at googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the IRTalk