[IRTalk] Fwd: [dspace-tech] DSPACE SECURITY ADVISORY: New DSpace 5.5, 4.5 and 3.6 releases resolve security issues in XMLUI and JSPUI

Hilton Gibson hilton.gibson at gmail.com
Mon Mar 21 19:39:56 SAST 2016


FYI.

*Hilton Gibson*
Stellenbosch University Library
*http://orcid.org/0000-0002-2992-208X*


---------- Forwarded message ----------
From: Tim Donohue <tdonohue at duraspace.org>
Date: 21 March 2016 at 19:05
Subject: [dspace-tech] DSPACE SECURITY ADVISORY: New DSpace 5.5, 4.5 and 3.6 releases resolve security issues in XMLUI and JSPUI
To: DSpace Community <dspace-community at googlegroups.com>, DSpace Tech Support <dspace-tech at googlegroups.com>, DSpace Developers <dspace-devel at googlegroups.com>


All,

In recent weeks, two different security vulnerabilities were discovered
in the XMLUI and JSPUI.

WE RECOMMEND ALL SITES UPGRADE TO EITHER DSPACE 3.6, 4.5 OR 5.5 to ensure
your site is secure. (Please note that the DSpace 5.5 release also includes
bug fixes to the 5.x platform.)

   - DSpace 5.5
      - Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
      - Download: https://github.com/DSpace/DSpace/releases/tag/dspace-5.5
   - DSpace 4.5
      - Release Notes: https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
      - Download: https://github.com/DSpace/DSpace/releases/tag/dspace-4.5
   - DSpace 3.6
      - Release Notes: https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.6+Notes
      - Download: https://github.com/DSpace/DSpace/releases/tag/dspace-3.6

Summary of XMLUI Vulnerability (affects 1.5.x and above):

   - *[HIGH SEVERITY] The XMLUI "themes" path is vulnerable to a full
   directory traversal. (DS-3094 <https://jira.duraspace.org/browse/DS-3094> -
   requires a JIRA/Wiki account to access.) This means that ANY files on your
   system which are readable to the Tomcat user account may be publicly
   accessed via your DSpace site.* This XMLUI vulnerability has existed
   since DSpace 1.5.x, and was discovered by Virginia Tech.
      - While we highly recommend upgrading, patches are also available by
      visiting the ticket linked above (requires a JIRA/Wiki account
      to access).
      - As 1.5.x, 1.6.x, 1.7.x and 1.8.x sites are also affected, we
      recommend 1.x.x sites consider upgrading to 5.x or manually applying a
      patch. Beginning with DSpace 5.x, we now provide an easier upgrade
      process from any prior version of DSpace (1.x.x, 3.x or 4.x). See the 5.x
      release notes for more information:
      https://wiki.duraspace.org/display/DSDOC5x/Release+Notes

Summary of JSPUI Vulnerability (affects 4.x and above):

   - *[MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to
   Administrators) can be used to view/edit ANY files which are readable to
   the Tomcat user account. (DS-3063
   <https://jira.duraspace.org/browse/DS-3063> - requires a JIRA/Wiki account
   to access.)* This JSPUI vulnerability has existed since DSpace 4.0, and
   was discovered by CINECA.

As these vulnerabilities are now considered "public", questions may be
asked on our DSpace Tech Support mailing list
(https://groups.google.com/forum/#!forum/dspace-tech) or on the tickets
themselves.

We also welcome private security reports, concerns or questions via our new
security contact address (security at dspace.org).

Sincerely,

Tim Donohue (on behalf of the DSpace Committers)

-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
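The advisory above describes the XMLUI themes path as vulnerable to a full directory traversal but does not show how such a request is checked or spotted. The following is an added example, not DSpace's own code or the DS-3094 patch: it resolves a themes request safely (rejecting, rather than rewriting, anything that climbs out of the themes directory, including URL-encoded and double-encoded forms) and runs the same check over a few constructed Tomcat access-log lines to flag attempts. It assumes request paths are relative to the XMLUI webapp root and that theme files live under the THEMES_ROOT directory; both are assumptions, not values from the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed install layout (not from the advisory): request paths are relative to
# the XMLUI webapp root, and theme files live under this directory.
THEMES_ROOT = "/opt/dspace/webapps/xmlui/themes"
# Tomcat "combined" access-log format: client, ident, user, [time], "request", status, bytes
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def _decode(path):
    """Drop any query string, decode twice (catches double-encoding), unify slashes."""
    return unquote(unquote(path.split("?", 1)[0])).replace("\\", "/")


def resolve_theme_resource(request_path, themes_root=THEMES_ROOT):
    """Map a /themes/... request to a file path under themes_root, or return None
    when the request is not a themes request or would resolve outside that root."""
    decoded = _decode(request_path)
    if "\0" in decoded or not decoded.startswith("/themes/"):
        return None
    relative = posixpath.normpath(decoded[len("/themes/"):])  # collapses "." and ".."
    # Anything still climbing above the root (or absolute) is rejected outright
    # instead of being silently rewritten to a path inside the root.
    if relative == ".." or relative.startswith("../") or relative.startswith("/"):
        return None
    return posixpath.join(themes_root, relative)


def find_traversal_attempts(log_lines):
    """Return (client, path, status) for themes requests that would escape the root."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if _decode(path).startswith("/themes/") and resolve_theme_resource(path) is None:
            hits.append((m.group("ip"), path, m.group("status")))
    return hits


# Constructed access-log lines for the demonstration, not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [21/Mar/2016:19:05:01 +0200] "GET /themes/Mirage/lib/css/style.css HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Mar/2016:19:05:02 +0200] "GET /themes/Mirage/../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [21/Mar/2016:19:05:03 +0200] "GET /themes/%2e%2e%2f%2e%2e%2fWEB-INF/web.xml HTTP/1.1" 200 3201',
    '198.51.100.4 - - [21/Mar/2016:19:05:04 +0200] "GET /handle/123456789/1 HTTP/1.1" 200 7712',
]

if __name__ == "__main__":
    for client, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```

A 200 status on a flagged line is the signal that the request was actually served, which on an unpatched XMLUI is exactly the file read the advisory describes.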
