<br><div class="gmail_quote"><div dir="ltr">---------- Forwarded message ---------<br>From: Tim Donohue <<a href="mailto:tdonohue@duraspace.org">tdonohue@duraspace.org</a>><br>Date: Tue, 10 Nov 2015 00:16<br>Subject: [dspace-tech] DSPACE JSPUI SECURITY ADVISORY: New DSpace 5.4, 4.4 and 3.5 releases resolve security issues in JSPUI<br>To: DSpace Community <<a href="mailto:dspace-community@googlegroups.com">dspace-community@googlegroups.com</a>>, DSpace Tech Support <<a href="mailto:dspace-tech@googlegroups.com">dspace-tech@googlegroups.com</a>>, DSpace Developers <<a href="mailto:dspace-devel@googlegroups.com">dspace-devel@googlegroups.com</a>><br></div><br><br>
  <div bgcolor="#FFFFFF" text="#000000">
    All,
    <br>
    <br>
    In recent weeks, several security vulnerabilities were discovered
    in the JSPUI of DSpace 3.x, 4.x and 5.x sites.  These vulnerabilities
    do NOT affect XMLUI-based sites.<br>
    <br>
    While these security vulnerabilities vary in severity (see below),
    WE RECOMMEND ALL JSPUI-based SITES CONSIDER UPGRADING TO EITHER
    DSPACE 3.5, 4.4 OR 5.4 to ensure your site is secure. (Please note
    that the DSpace 5.4 release also includes bug fixes and memory usage
    enhancements.)<br>
    <br>
       * DSpace 5.4 Release Notes:
    <a href="https://wiki.duraspace.org/display/DSDOC5x/Release+Notes" target="_blank">https://wiki.duraspace.org/display/DSDOC5x/Release+Notes</a> <br>
       * DSpace 4.4 Release Notes:
    <a href="https://wiki.duraspace.org/display/DSDOC4x/Release+Notes" target="_blank">https://wiki.duraspace.org/display/DSDOC4x/Release+Notes</a> <br>
       * DSpace 3.5 Release Notes:
    <a href="https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.5+Notes" target="_blank">https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.5+Notes</a><br>
    <br>
    <br>
    Summary of JSPUI Vulnerabilities:
    <br>
    ------------------------------------------------<br>
    <ul>
      <li>[MEDIUM SEVERITY] Cross-site scripting (XSS injection) is
        possible in the JSPUI search interface (in the Firefox web
        browser). (<a href="https://jira.duraspace.org/browse/DS-2736" rel="nofollow" target="_blank">DS-2736</a> - <i>requires
        a JIRA account to access for two weeks, and then will be
        public</i>): This vulnerability could allow someone to embed
        dangerous JavaScript code into links to search results. If a
        user was emailed such a link and clicked it, the JavaScript
        would be run in their local browser. This vulnerability has
        existed since DSpace 3.x, and was discovered by Genaro
        Contreras.</li>
      <li>[LOW SEVERITY] Expression language injection (EL Injection)
        is possible in the JSPUI search interface.
        (<a href="https://jira.duraspace.org/browse/DS-2737" rel="nofollow" target="_blank">DS-2737</a> - <i>requires a JIRA account to
        access for two weeks, and then will be public</i>): This
        vulnerability could allow someone to obtain information from
        the site/server using JSP syntax. This vulnerability has
        existed since DSpace 3.x, and was discovered by Genaro
        Contreras.</li>
    </ul>
    <p>If you or your institution have any further questions about these
      vulnerabilities, please feel free to email the DSpace Tech Support
      mailing list
      (<a href="https://groups.google.com/forum/#!forum/dspace-tech" target="_blank">https://groups.google.com/forum/#!forum/dspace-tech</a>).<br>
    </p>
    <pre cols="72">
-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org</pre>
  </div>


</div>