Difference between revisions of "EPrints 3.4.2"
(Adds known vulnerabilities.) |
(Added publication version number) |
||
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | {{releasenotes}} | ||
+ | |||
== Release Notes == | == Release Notes == | ||
EPrints 3.4.2 is now available from [https://files.eprints.org/2500 files.eprints.org] and [https://github.com/eprints/eprints3.4/releases/tag/v3.4.2 GitHub]. | EPrints 3.4.2 is now available from [https://files.eprints.org/2500 files.eprints.org] and [https://github.com/eprints/eprints3.4/releases/tag/v3.4.2 GitHub]. | ||
* '''Zero codename:''' ''Blueberry Muffin Derecho'' | * '''Zero codename:''' ''Blueberry Muffin Derecho'' | ||
− | * '''Publication flavour codename:''' ''Pecan Pie Huaico'' | + | * '''Publication flavour codename:''' ''Pecan Pie Huaico (1.2)'' |
=== New Dependencies === | === New Dependencies === | ||
Line 105: | Line 107: | ||
== Known Vulnerabilities == | == Known Vulnerabilities == | ||
− | The following vulnerabilities are patched with the patch | + | The following vulnerabilities are patched with the security patch available at https://files.eprints.org/2548: |
− | ; /cgi/ajax/phrase : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26703 CVE-2021-26703] | + | ; /cgi/ajax/phrase : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26703 CVE-2021-26703] (Remote Code Execution) |
− | ; /cgi/cal : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26475 CVE-2021-26475] and [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26476 CVE-2021-26476] | + | ; /cgi/cal : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26475 CVE-2021-26475] (Cross-Site Scripting) and [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26476 CVE-2021-26476] (Remote Code Execution) |
− | ; /cgi/dataset_dictionary : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26702 CVE-2021-26702] | + | ; /cgi/dataset_dictionary : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26702 CVE-2021-26702] (Cross-Site Scripting) |
− | ; /cgi/latex2png : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3342 CVE-2021-3342] | + | ; /cgi/latex2png : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3342 CVE-2021-3342] (Remote Code Execution) |
− | ; /cgi/toolbox/toolbox : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26704 CVE-2021-26704] | + | ; /cgi/toolbox/toolbox : [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26704 CVE-2021-26704] (Remote Code Execution) |
− | This patch file also modifies <b>/cgi/history_search</b> | + | This patch file also modifies <b>/cgi/history_search</b> to ensure it was not susceptible to MySQL Injection and Cross-Site Scripting. However, no exploit for this potential vulnerability was found. |
== Known Issues == | == Known Issues == | ||
* Search results from admin menu's "Search users" formatting is somewhat broken due to generic changes made to improve [http://accessibility.eprints-hosting.org/accessibility/roadmap.html accessibility]. [https://github.com/eprints/eprints3.4/commit/a0078fa00e1259f07327ebf2ddf1cafdfe4e3ea7 This patch] fixes this issue. | * Search results from admin menu's "Search users" formatting is somewhat broken due to generic changes made to improve [http://accessibility.eprints-hosting.org/accessibility/roadmap.html accessibility]. [https://github.com/eprints/eprints3.4/commit/a0078fa00e1259f07327ebf2ddf1cafdfe4e3ea7 This patch] fixes this issue. | ||
− | * If your repository has a local version of <code>citations/eprint/ | + | * If your repository has a local version of <code>citations/eprint/result.xml</code> this will cause issues when rendering search results for admin's "Search items" and probably also "Advanced search". Ensure <code><tr></code> and <code><td></code> tags are replaced with <code><nowiki><div></nowiki></code> tags. Style attributes can also be removed from these elements as they should now be part of the <code>lib/static/style/auto/search.css</code>. If your archive has its own <code>search.css</code> you may need to copy some content from the <code>lib</code> version of <code>search.css</code> as it relates to ''ep_search_result''. |
* As issues are not public-facing EPrint issue citation was not updated with the public-facing [http://accessibility.eprints-hosting.org/accessibility/roadmap.html accessibility] changes but issue results will render differently unless this is updated to use <code><nowiki><div></nowiki></code> tags rather than <code><tr></code> and <code><td></code> tags. [https://github.com/eprints/eprints3.4/commit/c53677f4f130e303a8cf8513b7c885d62386bec6 This patch] fixes the issue. | * As issues are not public-facing EPrint issue citation was not updated with the public-facing [http://accessibility.eprints-hosting.org/accessibility/roadmap.html accessibility] changes but issue results will render differently unless this is updated to use <code><nowiki><div></nowiki></code> tags rather than <code><tr></code> and <code><td></code> tags. [https://github.com/eprints/eprints3.4/commit/c53677f4f130e303a8cf8513b7c885d62386bec6 This patch] fixes the issue. | ||
* Trying to "Save and Return" on a non-multiple compound field causes an internal server error. [https://github.com/eprints/eprints3.4/pull/84/commits/23cf710a96ac07a44702e4b181b47ec29302e336 This patch] fixes the issue. | * Trying to "Save and Return" on a non-multiple compound field causes an internal server error. [https://github.com/eprints/eprints3.4/pull/84/commits/23cf710a96ac07a44702e4b181b47ec29302e336 This patch] fixes the issue. | ||
+ | * BibTeX import when uploading from a file (not pasted data) fails. [https://github.com/eprints/eprints3.4/commit/001079ce4fafc8d63af925efc639c7a62296c453 This patch] fixes the issue. | ||
== Planned Development == | == Planned Development == |
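Review bot: the /cgi/history_search sentence on the right-hand side of line 22 mixes tenses ("to ensure it was not susceptible" next to "no exploit ... was found"); suggest "to ensure it is not susceptible to MySQL injection and cross-site scripting", so the hardening reads as a present property of the patched code rather than a past state. Also worth a mention in the edit summary: the left-hand line 21 was missing the opening bracket of the CVE-2021-26704 link and this revision fixes it, which is a separate change from "Adds known vulnerabilities."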
Latest revision as of 21:50, 18 July 2021
Release Notes
EPrints 3.4.2 is now available from files.eprints.org and GitHub.
- Zero codename: Blueberry Muffin Derecho
- Publication flavour codename: Pecan Pie Huaico (1.2)
New Dependencies
Dependencies can be installed as RPMs (yum install PACKAGE), DEBs (apt-get install PACKAGE) or CPAN (cpan MODULE). Perl's Text::Unidecode module is now needed to better order browse views.
- Perl Text::Unidecode module
  - RPM: perl-Text-Unidecode
  - DEB: libtext-unidecode-perl
  - CPAN: Text::Unidecode
Also see new dependencies for EPrints 3.4.1 if you are upgrading from 3.4.0 or earlier.
Changes since 3.4.1
New Functionality
- Capability for enabling caching of citations to improve page load times, particularly browse views.
- Provides HTTP PATCH functionality to support incremental metadata changes. (Particularly useful for Symplectic Repository Tools 2 integration).
- Provides facility to define custom handlers for integration with third party applications.
- New DOI import plugin using UNIXREF that provides a richer source of metadata.
- Allows access records to be saved and processed from disk rather than a database table (requires manual enabling / still experimental).
- Supports embedded HTML5 video blocks including subtitles.
- New MetaField for case insensitive IDs, useful for usernames and email addresses.
- New MetaField for keywords. Backwards compatible with text and longtext fields but more accurate at matching individual, potentially multi-word, keywords.
- New MetaField that adds a word count to long text fields (requires jQuery to be installed in the archive's javascript/auto/ directory).
- Allows certain countries to be exempted from having to provide a successful reCAPTCHA for requests (e.g. reCAPTCHA is blocked in China).
- Render function to allow publications with long creator/editor lists to be neatly truncated.
- Script for generating XML sitemaps for use with tools like Google Search Console
Security Improvements
- Prevention of offsite redirects after login.
- Logs out all sessions on password change.
- Rate limits number of password reset emails that can be sent.
- Ensures document full texts are reindexed (added to or removed from the index) when a document's security setting changes.
- Blocks JavaScript in uploaded HTML documents from potentially performing malicious actions as the logged in user.
- Restricts get_tables call for database to those in the current repository.
- Evaluates user-defined can_request_view_document to ensure errors do not lead to unauthorised access to documents, and adds notifications for system administrators in webserver logs and epadmin test. (Mainly to handle Apache 2.4 causing an error when calling $r->connection->remote_ip.)
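The first item in the list above, prevention of off-site redirects after login, comes down to validating the "return to" URL that the login form hands back. The following is an added example written for these notes, not EPrints' own code: a Perl check that accepts only same-site http(s) targets and falls back to the repository home page for anything else. It assumes the URI module (already a CPAN dependency of EPrints) and a constructed repository base URL; the function name safe_return_url is the example's own.

```perl
#!/usr/bin/perl
# Added example, not EPrints' own code: validate the "return to" URL that a
# login form hands back, so a crafted login link cannot bounce the user to an
# off-site page after a successful login. Assumes the URI module and a
# constructed repository base URL.
use strict;
use warnings;
use URI;

# Constructed repository base URL; a real deployment reads this from config.
my $REPO_BASE = 'https://repo.example.org';

# Returns the URL to redirect to after login: the candidate if it is a
# same-site http(s) target, otherwise the repository home page.
sub safe_return_url {
    my ($candidate) = @_;
    my $home = "$REPO_BASE/";
    my $base = URI->new($home);

    return $home unless defined $candidate && length $candidate;

    # Control characters and whitespace never occur in a legitimate return
    # path and can confuse Location header handling, so reject them outright.
    return $home if $candidate =~ /[\x00-\x20\x7f]/;

    # Resolve relative to the base: "/cgi/users/home" becomes absolute on
    # this host, while "//evil.example/" or "https://evil.example/" keep
    # their own host and are caught by the comparison below.
    my $uri = URI->new_abs($candidate, $home);

    # Only http and https are acceptable (rules out javascript:, data:, ...).
    my $scheme = $uri->scheme;
    return $home unless defined $scheme && $scheme =~ /^https?$/;

    # Scheme, host and port must all match the repository's own.
    return $home unless $scheme eq $base->scheme;
    return $home unless lc( $uri->host // '' ) eq lc( $base->host );
    return $home unless ( $uri->port // 0 ) == $base->port;

    # Rebuild the target from path and query only, which drops any userinfo
    # ("user@host") or fragment the candidate carried.
    my $target = $uri->path_query;
    $target = "/$target" unless $target =~ m{^/};
    return "$REPO_BASE$target";
}

# Constructed candidates covering accepted and rejected cases.
for my $candidate (
    '/cgi/users/home',
    'https://repo.example.org/cgi/users/home?screen=Items',
    '//evil.example/phish',
    'https://evil.example/phish',
    'https://repo.example.org@evil.example/',
    'javascript:alert(1)',
    "/cgi/users/home\r\nSet-Cookie: x=y",
    '',
) {
    ( my $shown = $candidate ) =~ s/[\r\n]/?/g;   # keep the demo output on one line
    printf "%-55s -> %s\n", "'$shown'", safe_return_url($candidate);
}
```

Only the first two candidates are returned unchanged; the rest resolve to the home page. Comparing the parsed scheme, host and port rather than string-matching the start of the URL is what defeats the userinfo and protocol-relative forms.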
General Improvements
- Improves accessibility of EPrints user interfaces.
- Allows subject line of RequestCopy emails to be customised by the user (in case item being requested has no title set).
- Better parsing of BibTeX for import.
- Better error and warning colours for command line tools.
- Better formatting of person name strings.
- Allows server-wide specification of EPrints flavour (rather than just archive level).
- New functions for ordering various types of MetaField or for sanitising ordering, ensuring (person) names are consistently ordered.
- Enables multi-lingual support for templates, tooltips and workflow headings.
- Removes any remaining use of full URLs within default template and static pages that can cause a multitude of issues including http/https interoperability.
- Comprehensive review and addition of missing phrases.
- Allows epadmin create to set an organisation name as a phrase.
- Improves compound multiple field table rendering to not display lots of UNSPECIFIED if a column has no row with a value set.
- Better support for read-only MetaFields.
- Provides EPrints Script test for whether one string contains another.
- Provides checking for individual user roles within a workflow.
- Allows data objects other than EPrint to have revision histories.
- Improves Xapian indexing checking.
- Additions to index tokenizer mappings.
- Removes the bundled Text::Unidecode Perl module as this is better provided by Linux package repositories.
- Allows user-defined sort functions for browse views.
- Adds user-definable get_item method for ItemRef MetaFields so fromform method can be used with this type of field.
- Adds user-definable render_item function for ItemRef MetaFields so ItemRef fields can be usefully rendered in browse views.
- Adds classes for option list HTML elements to make it easier to apply CSS styles.
- Adds HTTPS support for SWORD deposit client.
- Generally reduces the use of full URL (with protocol) when absolute/relative path would be more appropriate.
- Makes "Remove Item (with notification)" appear on actions bar when item is in live archive to make it consistent with "Remove Item".
Bug fixes
- Fixes typo affecting position of Review page's move to archive button.
- Fixes error that broke JavaScript for expanding dl tree elements.
- Fixes broken epm command line tool.
- Fixes bug with feeds for latest_tool page.
- Fixes bug causing update_triples event queue tasks to fail.
- Fixes bug with 404 error when attempting to access RequestCopy page.
- Fixes some general encoding issues in export plugins.
- Fixes bug to again allow epadmin test to be run without an archive specified.
- Fixes bug with warning of missing brief citation for event queue.
- Fixes issue with MySQL no longer allowing creation of a MySQL user on granting of privileges.
- Allows DOI to be exported to EndNote for any publication type.
- Fixes bugs with HTTPS everywhere configuration breaking some URLs in OAI-PMH and elsewhere.
- Fixes substring out of bounds error when there is no icon URL for a document.
- Fixes hard-coding of entry UID for History iCal export.
- Fixes lack of link for non-specified year items in year browse view menu.
- Fixes issue with use of EPrints::Sword::Utils.
- Fixes check for whether a browse view is a list based on prefix of view's ID.
- Various fixes to image and video conversion through changes to convert and ffmpeg parameters.
- Fixes duplicate event queue tasks being created by resetting to waiting instead.
- Fixes issues accessing Bazaar behind an HTTP proxy.
- Removes hard-coding of EPrints filesystem path where possible.
- Removes hard-coding of site_lib in EPrints include path and all other references.
- Removes TeX::Encode::BibTeX and TeX::Encode::charmap Perl sub-modules as these come as part of TeX::Encode, which should already be installed as a dependency (since EPrints 3.4.1).
- Fixes case-sensitivity on document type guessing when file extension is in upper case.
- Fixes fuzzy matching on browse view causing generate_views to generate more views than expected.
- Fixes typo for epm sources configuration option.
- Better parsing of page ranges that include page numbers with hyphens.
- Fixes typo in index tokenizer's apply_mapping function.
- Fixes issues with Storage Manager when CSRF protection is enabled.
- Fixes broken add and edit phrase functionality when CSRF protection is enabled.
- Fixes "insecure connection" bug when exporting from "Actions" tab.
- Adds most basic default workflow for files to fix viewing of files through "Manage records".
- Tidies up robots.txt generation.
- Fixes broken documentation link on newly created repository homepages.
- Removes missing browse views menu links on zero template.
- Fixes OpenDOAR policy tools link.
Known Vulnerabilities
The following vulnerabilities are patched with the security patch available at https://files.eprints.org/2548:
- /cgi/ajax/phrase: CVE-2021-26703 (Remote Code Execution)
- /cgi/cal: CVE-2021-26475 (Cross-Site Scripting) and CVE-2021-26476 (Remote Code Execution)
- /cgi/dataset_dictionary: CVE-2021-26702 (Cross-Site Scripting)
- /cgi/latex2png: CVE-2021-3342 (Remote Code Execution)
- /cgi/toolbox/toolbox: CVE-2021-26704 (Remote Code Execution)
This patch file also modifies /cgi/history_search to ensure it is not susceptible to MySQL injection and cross-site scripting; however, no exploit for this potential vulnerability was found.
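An administrator applying the patch above will usually also want to know whether any of the listed endpoints were requested before the patch went in. The following is an added example written for these notes, not EPrints' own code or tooling: a Perl scan over Apache access log lines that reports requests to the five patched CGI paths, normalising the request path the way the web server would (query string dropped, percent-decoding, repeated slashes collapsed) so that trivially rewritten forms are not missed. The log lines, IP addresses and function names are constructed for the example; the endpoint-to-CVE mapping is the one listed above.

```perl
#!/usr/bin/perl
# Added example, not EPrints' own code: scan Apache access log lines for
# requests to the CGI endpoints covered by the 3.4.2 security patch, so an
# administrator can check whether those endpoints were reached before the
# patch was applied. The log lines at the bottom are constructed samples in
# Apache "combined" format; the endpoint and CVE list is the one in the notes.
use strict;
use warnings;

my %PATCHED = (
    '/cgi/ajax/phrase'        => 'CVE-2021-26703 (RCE)',
    '/cgi/cal'                => 'CVE-2021-26475 (XSS), CVE-2021-26476 (RCE)',
    '/cgi/dataset_dictionary' => 'CVE-2021-26702 (XSS)',
    '/cgi/latex2png'          => 'CVE-2021-3342 (RCE)',
    '/cgi/toolbox/toolbox'    => 'CVE-2021-26704 (RCE)',
);

# Split one combined-format line into the fields we need; returns undef if
# the line does not look like an access log entry.
sub parse_combined {
    my ($line) = @_;
    return unless $line =~ m{^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) };
    return { ip => $1, time => $2, method => $3, url => $4, status => $5 };
}

# Normalise a request URL to a comparable path: drop the query string,
# percent-decode, and collapse repeated slashes. Apache maps all of these
# onto the same script, so a scanner has to treat them the same way.
sub normalise_path {
    my ($url) = @_;
    my ($path) = split /\?/, $url, 2;
    $path =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    $path =~ s{/{2,}}{/}g;
    return $path;
}

# Return one record per request that hit a patched endpoint.
sub find_patched_endpoint_hits {
    my @hits;
    for my $line (@_) {
        my $req = parse_combined($line) or next;
        my $path = normalise_path( $req->{url} );
        next unless exists $PATCHED{$path};
        push @hits, { %$req, path => $path, cves => $PATCHED{$path} };
    }
    return @hits;
}

# Constructed sample lines (RFC 5737 documentation addresses).
my @sample_log = (
    '192.0.2.10 - - [10/Feb/2021:08:15:02 +0000] "GET /cgi/latex2png?x=1 HTTP/1.1" 200 1234 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Feb/2021:08:16:30 +0000] "GET /cgi/users/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Feb/2021:08:17:45 +0000] "POST /cgi//toolbox/toolbox HTTP/1.1" 500 0 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Feb/2021:08:18:01 +0000] "GET /cgi/ajax/%70hrase HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    'garbage line that is not an access log entry',
);

my @hits = find_patched_endpoint_hits(@sample_log);
printf "%d request(s) to patched endpoints\n", scalar @hits;
for my $h (@hits) {
    printf "%-14s %-26s %-4s %-24s %s  %s\n",
        @{$h}{qw(ip time method path status cves)};
}
```

On the constructed sample the scan reports three requests (latex2png, toolbox/toolbox via a doubled slash, and ajax/phrase via a percent-encoded letter); the home-page request and the malformed line are ignored. To run it against a real log, replace @sample_log with the lines read from the file, and treat any hit from before the patch date as a prompt to review that request in more detail rather than as proof of compromise, since the CVE list covers legitimate functionality too.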
Known Issues
- Formatting of search results from the admin menu's "Search users" is somewhat broken due to generic changes made to improve accessibility. This patch (https://github.com/eprints/eprints3.4/commit/a0078fa00e1259f07327ebf2ddf1cafdfe4e3ea7) fixes this issue.
- If your repository has a local version of citations/eprint/result.xml this will cause issues when rendering search results for the admin's "Search items" and probably also "Advanced search". Ensure <tr> and <td> tags are replaced with <div> tags. Style attributes can also be removed from these elements, as they should now be part of lib/static/style/auto/search.css. If your archive has its own search.css you may need to copy some content from the lib version of search.css as it relates to ep_search_result.
- As issues are not public-facing, the EPrint issue citation was not updated with the public-facing accessibility changes, but issue results will render differently unless it is updated to use <div> tags rather than <tr> and <td> tags. This patch (https://github.com/eprints/eprints3.4/commit/c53677f4f130e303a8cf8513b7c885d62386bec6) fixes the issue.
- Trying to "Save and Return" on a non-multiple compound field causes an internal server error. This patch (https://github.com/eprints/eprints3.4/pull/84/commits/23cf710a96ac07a44702e4b181b47ec29302e336) fixes the issue.
- BibTeX import when uploading from a file (not pasted data) fails. This patch (https://github.com/eprints/eprints3.4/commit/001079ce4fafc8d63af925efc639c7a62296c453) fixes the issue.
Planned Development
See EPrints 3.4.3.