<br><div class="gmail_quote"><div dir="ltr">---------- Forwarded message ---------<br>From: Tim Donohue <<a href="mailto:tdonohue@duraspace.org">tdonohue@duraspace.org</a>><br>Date: Tue, 10 Nov 2015 00:16<br>Subject: [dspace-tech] DSPACE JSPUI SECURITY ADVISORY: New DSpace 5.4, 4.4 and 3.5 releases resolve security issues in JSPUI<br>To: DSpace Community <<a href="mailto:dspace-community@googlegroups.com">dspace-community@googlegroups.com</a>>, DSpace Tech Support <<a href="mailto:dspace-tech@googlegroups.com">dspace-tech@googlegroups.com</a>>, DSpace Developers <<a href="mailto:dspace-devel@googlegroups.com">dspace-devel@googlegroups.com</a>><br></div><br><br>
<div bgcolor="#FFFFFF" text="#000000">
All,
<br>
<br>
In recent weeks, several security vulnerabilities were discovered
in the JSPUI of DSpace 3.x, 4.x and 5.x sites. These vulnerabilities
do NOT affect XMLUI-based sites.<br>
<br>
While these security vulnerabilities vary in severity (see below),
WE RECOMMEND ALL JSPUI-based SITES CONSIDER UPGRADING TO EITHER
DSPACE 3.5, 4.4 OR 5.4 to ensure your site is secure. (Please note
that the DSpace 5.4 release also includes bug fixes and memory usage
enhancements.)<br>
<br>
* DSpace 5.4 Release Notes:
<a href="https://wiki.duraspace.org/display/DSDOC5x/Release+Notes" target="_blank">https://wiki.duraspace.org/display/DSDOC5x/Release+Notes</a> <br>
* DSpace 4.4 Release Notes:
<a href="https://wiki.duraspace.org/display/DSDOC4x/Release+Notes" target="_blank">https://wiki.duraspace.org/display/DSDOC4x/Release+Notes</a> <br>
* DSpace 3.5 Release Notes:
<a href="https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.5+Notes" target="_blank">https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.5+Notes</a><br>
<br>
<br>
Summary of JSPUI Vulnerabilities:
<br>
------------------------------------------------<br>
<ul>
<li>[MEDIUM SEVERITY] Cross-site scripting (XSS
injection) is possible in JSPUI search interface (in
Firefox web browser). (<a href="https://jira.duraspace.org/browse/DS-2736" rel="nofollow" target="_blank">DS-2736</a> - <i>requires
a JIRA account to access for two weeks, and then will be
public</i>): This vulnerability could allow
someone to embed dangerous JavaScript code into links
to search results. If a user was emailed such a link
and clicked it, the JavaScript would be run in their
local browser. This vulnerability has existed since
DSpace 3.x, and was discovered by Genaro Contreras.<br>
</li>
<li>[LOW SEVERITY] Expression language
injection (EL Injection) is possible in JSPUI search
interface. (<a href="https://jira.duraspace.org/browse/DS-2737" rel="nofollow" target="_blank">DS-2737</a> - <i>requires a JIRA account to
access for two weeks, and then will be public</i>):
This vulnerability could allow someone to obtain
information from the site/server using JSP syntax.
This vulnerability has
existed since DSpace 3.x, and was discovered by
Genaro Contreras.<br>
</li>
</ul>
<p>If you or your institution have any further questions about these
vulnerabilities, please feel free to email the DSpace Tech Support
mailing list
(<a href="https://groups.google.com/forum/#!forum/dspace-tech" target="_blank">https://groups.google.com/forum/#!forum/dspace-tech</a>).<br>
</p>
<pre cols="72">
--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org</pre>
</div>
-- <br>
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:dspace-tech+unsubscribe@googlegroups.com" target="_blank">dspace-tech+unsubscribe@googlegroups.com</a>.<br>
To post to this group, send email to <a href="mailto:dspace-tech@googlegroups.com" target="_blank">dspace-tech@googlegroups.com</a>.<br>
Visit this group at <a href="http://groups.google.com/group/dspace-tech" target="_blank">http://groups.google.com/group/dspace-tech</a>.<br>
For more options, visit <a href="https://groups.google.com/d/optout" target="_blank">https://groups.google.com/d/optout</a>.<br>
</div>
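<p>The reflected-XSS pattern the advisory describes (a search term echoed back into a link to the search results) is shown below in an added example. This is illustrative code written for this page, not DSpace's JSPUI source or its actual fix; the <code>/simple-search</code> path, the <code>query</code> parameter name and the payload strings are assumptions chosen for the illustration. The vulnerable method concatenates the raw term into an <code>href</code> and into the link text; the hardened method encodes once per output context (URL-encoding for the query string, HTML-escaping for the attribute and for the element text). The EL-style payload is included to make a caveat visible: HTML escaping leaves <code>${</code> untouched, which is harmless in the browser but is no defence against the server-side EL injection class (DS-2737), whose fix is never to hand user input to anything that evaluates it as an expression.</p>

```java
// Added illustration of the reflected-XSS pattern in a search-results link.
// Not DSpace code: the path "/simple-search", the "query" parameter and the
// payloads below are hypothetical, chosen only to demonstrate the encoding.
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class SearchLinkEncoding {

    /** Minimal HTML escaper: safe for element text and for double-quoted attribute values. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** VULNERABLE: the search term is concatenated raw into both the href and the link text,
        so a term containing a quote and angle brackets breaks out of the attribute. */
    static String vulnerableResultsLink(String query) {
        return "<a href=\"/simple-search?query=" + query + "\">" + query + "</a>";
    }

    /** HARDENED: URL-encode for the query-string context, then HTML-escape the attribute
        value; HTML-escape separately for the element-text context. One encoder per context. */
    static String hardenedResultsLink(String query) {
        String inUrl = URLEncoder.encode(query, StandardCharsets.UTF_8);
        return "<a href=\"/simple-search?query=" + htmlEscape(inUrl) + "\">"
             + htmlEscape(query) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed payloads: an attribute-breakout XSS attempt and an EL-style expression.
        // Note that htmlEscape leaves "${" alone: output encoding is the fix for the XSS
        // class only; EL injection is prevented by never evaluating user input as EL.
        String xss = "\"><script>alert(document.cookie)</script>";
        String el  = "${applicationScope}";
        for (String q : new String[] { xss, el }) {
            System.out.println("raw:      " + vulnerableResultsLink(q));
            System.out.println("hardened: " + hardenedResultsLink(q));
        }
    }
}
```

<p>Run with <code>java SearchLinkEncoding.java</code> (Java 11 or later, since <code>URLEncoder.encode(String, Charset)</code> is used). The raw output for the first payload shows the closed attribute followed by a live <code>&lt;script&gt;</code> element; the hardened output carries it only as <code>%22%3E%3Cscript%3E...</code> in the URL and as <code>&amp;quot;&amp;gt;&amp;lt;script&amp;gt;...</code> in the text, neither of which the browser executes.</p>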