<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">FYI.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><b><font face="monospace, monospace">Hilton Gibson</font></b></div><div><span style="font-family:monospace,monospace;font-size:12.8000001907349px">Stellenbosch University Library</span><br></div><div><font face="monospace, monospace"><font color="#0000ee"><u><a href="http://orcid.org/0000-0002-2992-208X" target="_blank">http://orcid.org/0000-0002-2992-208X</a></u></font><br></font></div><div><br></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Tim Donohue</b> <span dir="ltr"><<a href="mailto:tdonohue@duraspace.org">tdonohue@duraspace.org</a>></span><br>Date: 21 March 2016 at 19:05<br>Subject: [dspace-tech] DSPACE SECURITY ADVISORY: New DSpace 5.5, 4.5 and 3.6 releases resolve security issues in XMLUI and JSPUI<br>To: DSpace Community <<a href="mailto:dspace-community@googlegroups.com">dspace-community@googlegroups.com</a>>, DSpace Tech Support <<a href="mailto:dspace-tech@googlegroups.com">dspace-tech@googlegroups.com</a>>, DSpace Developers <<a href="mailto:dspace-devel@googlegroups.com">dspace-devel@googlegroups.com</a>><br><br><br>
  <div bgcolor="#FFFFFF" text="#000000">
    All, <br>
    <br>
    In recent weeks, two different security vulnerabilities were
    discovered in the XMLUI and JSPUI.<br>
    <br>
    WE RECOMMEND ALL SITES UPGRADE TO EITHER DSPACE 3.6, 4.5 OR 5.5 to
    ensure your site is secure. (Please note that the DSpace 5.5 release
    also includes bug fixes to the 5.x platform.)<br>
    <ul>
      <li>DSpace 5.5</li>
      <ul>
        <li>Release Notes: <a href="https://wiki.duraspace.org/display/DSDOC5x/Release+Notes" rel="nofollow" target="_blank">https://wiki.duraspace.org/display/DSDOC5x/Release+Notes</a></li>
        <li>Download:
          <a href="https://github.com/DSpace/DSpace/releases/tag/dspace-5.5" target="_blank">https://github.com/DSpace/DSpace/releases/tag/dspace-5.5</a></li>
      </ul>
      <li>   DSpace 4.5</li>
      <ul>
        <li>Release Notes: <a href="https://wiki.duraspace.org/display/DSDOC4x/Release+Notes" rel="nofollow" target="_blank">https://wiki.duraspace.org/display/DSDOC4x/Release+Notes</a></li>
        <li>Download:
          <a href="https://github.com/DSpace/DSpace/releases/tag/dspace-4.5" target="_blank">https://github.com/DSpace/DSpace/releases/tag/dspace-4.5</a></li>
      </ul>
      <li>   DSpace 3.6</li>
      <ul>
        <li>Release Notes:
          <a href="https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.6+Notes" target="_blank">https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.6+Notes</a></li>
        <li>Download:
          <a href="https://github.com/DSpace/DSpace/releases/tag/dspace-3.6" target="_blank">https://github.com/DSpace/DSpace/releases/tag/dspace-3.6</a></li>
      </ul>
    </ul>
    Summary of XMLUI Vulnerability (affects 1.5.x and above): <br>
    <ul>
      <li><em>[HIGH SEVERITY] The XMLUI "themes" path is vulnerable to a full directory traversal. (<a href="https://jira.duraspace.org/browse/DS-3094" rel="nofollow" target="_blank">DS-3094</a> - requires a JIRA/Wiki account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace site.</em> This XMLUI vulnerability has existed since DSpace 1.5.x, and was discovered by Virginia Tech.</li>
      <ul>
        <li>While we highly recommend upgrading, patches are also available by visiting the ticket linked above (requires a JIRA/Wiki account to access).</li>
        <li>As 1.5.x, 1.6.x, 1.7.x and 1.8.x sites are also affected, we recommend 1.x.x sites consider upgrading to 5.x or manually applying a patch. Beginning with DSpace 5.x, we now provide an easier upgrade process from any prior version of DSpace (1.x.x, 3.x or 4.x). See the 5.x release notes for more information: <a href="https://wiki.duraspace.org/display/DSDOC5x/Release+Notes" rel="nofollow" target="_blank">https://wiki.duraspace.org/display/DSDOC5x/Release+Notes</a></li>
      </ul>
    </ul>
    Summary of JSPUI Vulnerability (affects 4.x and above):<br>
    <ul>
      <li><em>[MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (<a href="https://jira.duraspace.org/browse/DS-3063" rel="nofollow" target="_blank">DS-3063</a> - requires a JIRA/Wiki account to access.)</em> This JSPUI vulnerability has existed since DSpace 4.0, and was discovered by CINECA.</li>
    </ul>
    <div bgcolor="#FFFFFF" text="#000000">
      <p>As these vulnerabilities are now considered "public", questions
        may be asked on our DSpace Tech Support mailing list (<a href="https://groups.google.com/forum/#%21forum/dspace-tech" rel="nofollow" target="_blank">https://groups.google.com/forum/#!forum/dspace-tech</a>)
        or on the tickets themselves.<br>
      </p>
      <p>We also welcome private security reports, concerns or questions
        via our new security contact address (<a href="mailto:security@dspace.org" target="_blank">security@dspace.org</a>).<br>
      </p>
      <p>Sincerely,<br>
        <br>
        Tim Donohue (on behalf of the DSpace Committers)<span class="HOEnZb"><font color="#888888"><br>
      </font></span></p><span class="HOEnZb"><font color="#888888">
    </font></span></div><span class="HOEnZb"><font color="#888888">
    <pre cols="72">-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org</pre>
  </font></span></div><span class="HOEnZb"><font color="#888888">
</font></span></div><br></div>
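Both issues in the advisory above are the same class of bug: a user-supplied file name (a theme resource path in the XMLUI, a news file name in the JSPUI "Edit News" form) is joined to a directory on disk without checking that the resulting file is still inside that directory, so anything readable by the Tomcat account can be reached. The advisory does not describe the patches themselves; the following is an added, hypothetical example (not DSpace code and not the project's actual fix) of the containment check that closes this class of bug when serving files from a fixed root. The class name `ThemePathGuard`, the `Mirage` sample theme and the temporary directory layout are all constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

/**
 * Hypothetical helper (not DSpace code): maps a request path onto a file under
 * a fixed "themes" root and refuses anything that escapes that root.
 */
public final class ThemePathGuard {

    private final Path themesRoot;

    public ThemePathGuard(Path themesRoot) throws IOException {
        // Canonicalise the root once so symlinks and ".." inside it are resolved
        // and later startsWith() comparisons are made against a real path.
        this.themesRoot = themesRoot.toRealPath();
    }

    /**
     * Returns the file to serve, or empty if the request escapes the themes
     * root or does not name a regular file. Callers should answer 404 on empty
     * rather than echoing the rejected path back to the client.
     */
    public Optional<Path> resolve(String requestedPath) {
        if (requestedPath == null || requestedPath.isEmpty()
                || requestedPath.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        Path candidate;
        try {
            // Drop leading slashes so resolve() is never handed an absolute path,
            // which would replace the root instead of being joined to it.
            String relative = requestedPath.replaceFirst("^/+", "");
            // normalize() collapses "." and ".." lexically; a candidate that no
            // longer starts with the root is a traversal attempt.
            candidate = themesRoot.resolve(relative).normalize();
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
        if (!candidate.startsWith(themesRoot)) {
            return Optional.empty();
        }
        try {
            // Second check after following symlinks: a link inside the themes
            // tree pointing outside it must be rejected as well.
            Path real = candidate.toRealPath();
            if (!real.startsWith(themesRoot) || !Files.isRegularFile(real)) {
                return Optional.empty();
            }
            return Optional.of(real);
        } catch (IOException e) {
            return Optional.empty(); // missing file, dangling link, permissions
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: themes/Mirage/style.css plus one file
        // outside the themes root that must never be served.
        Path root = Files.createTempDirectory("themes");
        Path mirage = Files.createDirectories(root.resolve("Mirage"));
        Files.write(mirage.resolve("style.css"), "body {}".getBytes());
        Path outside = Files.createTempFile("outside", ".txt");

        ThemePathGuard guard = new ThemePathGuard(root);
        String[] requests = {
            "Mirage/style.css",                 // served
            "/Mirage/style.css",                // leading slash stripped, served
            "Mirage/../Mirage/style.css",       // normalises back inside, served
            "../" + outside.getFileName(),      // escapes the root, rejected
            "Mirage/missing.css"                // inside root but absent, rejected
        };
        for (String request : requests) {
            String verdict = guard.resolve(request)
                    .map(Path::toString)
                    .orElse("REJECTED");
            System.out.printf("%-32s -> %s%n", request, verdict);
        }
    }
}
```

Two design points: the check runs on the path the servlet container has already URL-decoded, so it must sit after decoding, not on the raw request string; and the `toRealPath()` re-check matters because `normalize()` alone is purely lexical and will not notice a symlink under the themes tree that points elsewhere. For an admin-only feature such as editing news files, the stronger option is to accept only names from a fixed allowlist rather than any path that happens to stay under the root.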