A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for the 9.5 branch: GLPI 9.5.10 archive
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
- [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
- [SECURITY - Low] Stored XSS in entity name (CVE-2022-39373)
- [SECURITY - Low] Improper input validation on emails links (CVE-2022-39376)
- [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
- [SECURITY - Moderate] User's session persist after permanently deleting his account (CVE-2022-39234)
- [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
- [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
- [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
- [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)
- [SECURITY - High] Stored XSS through asset inventory (CVE-2022-39371)
Also, here is a short list of main changes done in this version:
- [FIX] Increase significantly dashboards performance
- [FIX] Several bugs on images pasting
- [FIX] Fixed and improved inventory locks management
- [FIX] Display of printer cartridges
- [FIX] Display and hide actors tooltips in tickets
- [FIX] Improve display of headers above forms
- [FIX] Move breakpoints on responsive displays
- [SECURITY] Inventory API is now disabled by default
- [FEATURE] Dedicated rights have been added for inventory
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
This version is compatible with GLPI 10.0.
Upgrade from 2.13.0 or later
A database sanity check is done before running the upgrade. If the plugin's tables differ from the expected schema, the upgrade will fail with a message similar to the following:
The database schema is not consistent with the installed Formcreator 2.13.0.
To see the logs enable the plugin and run the command bin/console glpi:database:check_schema_integrity -p formcreator
You must fix the database using the diff produced by the CLI command given in the message. Once done, try the upgrade again.
ℹ️ If you know what you are doing you may bypass the sanity check from CLI with the following command.
bin/console glpi:plugin:install formcreator -f -p skip-db-check
Possible encoding problems in tickets created in GLPI 9.5 or older
⚠️ GLPI 10.0 encodes rich text content in a different way compared to GLPI 9.5. This revealed some bugs in the plugin in previous versions and GLPI may display old tickets with HTML tags. A CLI tool is available to fix 2 types of inconsistencies. You should test the command in a testing environment or do a backup first.
bin/console glpi:plugins:formcreator:clean_tickets
Bug Fixes
- just reencode br (cce2e7e1c)
- show KB items without category (91f4deb75)
- abstractitiltarget: email addresses were ignored (4c28a09b8)
- docs: mix of single and singular/plural locales (dc8f38cc3)
- dropdownfield: tree depth not restored in design dialog (af4096bba)
- fields: add default value to prevent SQL error (#2965) (19f039569)
- form: risk of selecting the wrong form in DOM (bb31fd163)
- form: submit once (b00844208)
- form: unescape form name (5b802658a)
- formanswer: PHP 8.1 compatibility, error message if invalid JSON detected (8ff7ff91a)
- formanswer: PHP 8.1 compatibility: null passed instead of string (297fb2713)
- formanswer: redirect after submission of targetless form (4d60239d1)
- requesttypefield: warning if comparing against empty value (dca5afb82)
- section: label for conditions in designer (01e570319)
- wizard: FAQ list (#3031) (bb0732ca7)
Features
- tool to repair escaping problem in some tickets (68db0ffda)
- form: submit forms once (abed86101)
- formanswer: notification with URL to generated objects (fa6a360f0)
- formanswer: restore toasts when creating targets (f43df3ebb)
- install: show the DB diff when upgrade runs from CLI (#2994) (4abb099a6)
Help / Contribution needed
Locales updates: Some languages don’t have a maintainer, or are late (much untranslated content). Please contribute on Transifex.
This version is compatible with GLPI 10.0.
⚠️ You must upgrade from a previous stable version. Upgrading from a development or testing version is not supported.
Bug Fixes
- inverted existence test on ticket update (2acc5cd4)
- log more errors, and update obsolete error logging (ae28ed6d)
- restore page redirections existing in v2.12 (582f926c)
- update obsolete error logging (da8929e0)
- abstractitiltarget: glpi 10.0.3 will require a data with a valid value (5f385bb8)
- actorfield: default value not saved (c3baebbe)
- actorfield: php warning (6d3e98d1)
- checkboxesfield: replace div with p in checkboxes answers (9ef95343)
- composite: php warning breaks JSON if a ticket is not generated (2108983c)
- descriptionfield: bad form rendering (87a74058)
- filefield: php error when switching field type to file (a03c7a0a)
- form: javascript (f05bc697)
- form: list on self service homepage (ba6d4a58)
- form: undefined var (169d2c8e)
- form: url to form answer lists may be invalid (6cd29e6d)
- install: avoid alter table fail (4dadea8a)
- install: missing method in upgrade to 2.13.1 (7e9cdcd5)
- issue: issue not deleted when ticket goes to trash bin (c977b1ca)
- issue: purge issue when deleting associated ticket (76444ecc)
- issue: recreate when restore ticket (2656e284)
- item_targetticket: uuid to ID conversion (e9f326c0)
- section: name encoding in designer and rendered form (491dcb69)
- targetticket: bad constant name (48dda4f3)
- targetticket: table structure inconsistency (ff56f3f1)
- targetticket: table structure inconsistency (892a83c3)
- targetticket,targetchange: tags from question or specific tags not saved (ec08d95e)
Features
- prepare compatibility with PHP 8.2 (#2966) (4bb7f3c3)
- formanswer,issue: show title in navigation header (1878e4b0)
- kb: preselect see all categorie (1b669d4f)
Help / Contribution needed
Locales updates: Some languages don’t have a maintainer, or are late (much untranslated content). Please contribute on Transifex.
A new GLPI version is available.
This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!
You can download the GLPI 10.0.3 archive on GitHub.
Exceptionally, as we have critical security issues that affect GLPI 9.5, we also release a GLPI 9.5.9 archive.
You’ll find below the list of security issues fixed in this bugfixes version:
- [SECURITY] XSS through registration API (CVE-2022-35945)
- [SECURITY] Leak of sensitive information through login page error (CVE-2022-31143)
- [SECURITY] Stored XSS through global search (CVE-2022-31187)
- [SECURITY] [critical] Command injection using a third-party library script (CVE-2022-35914)
- [SECURITY] SQL injection through plugin controller (CVE-2022-35946)
- [SECURITY] [critical] Authentication via SQL injection (CVE-2022-35947)
- [SECURITY] Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning (CVE-2022-36112)
Also, here is a short list of main changes done in this version:
- [FEATURE] More precise rights checks on inventory (#12610)
- [FEATURE] Display of last inventoried value for locked fields (#12602)
- [FEATURE] Permit to use rules to add computers as virtual machines (#12572)
- [SECURITY] Delegate session cookies security to sysadmin (#12302)
- [FIX] Prevent collector failure on invalid mail header (#12232)
- [FIX] Many fixes on network inventory
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
This version is compatible with GLPI 10 only.
documentation review and updates
Bug Fixes
- cannot delete a ticket from service catalog (acec9bb8)
- abstractitiltarget: alternative email lost if no requester user (78fd8450)
- abstracttarget: uuid should not be updated (b1e492d3)
- checkboxesfield: avoid HTML br tag (c3a60bbb)
- condition: compatibility with Advanced forms validation (6685b943)
- descriptinfield: conversion to target requires escaping (b79cfa95)
- filefield: mandatory check may cause exception (3f711a54)
- form: PHP warning (844ef96c)
- form: bad URL when using advanced form validation plugin (adb9fba5)
- formanswer: grid style updated for current version of gridstack (85b6a686)
- formanswer: select inherited class if needed (955dc969)
- formanswer: update gridstack css (70deaa06)
- glpiselectfield: missing entity restrict (40c9ab73)
- install: prevent useless warnings (001d12f5)
- install: use modern settings for tables (f04e4181)
- issue: remove duplicate item in status dropdown (27f9f313)
- ldapselectfield: log LDAP error instead of showing it to user (e170dc6f)
- ldapselectfield: no translation for items (d170c79c)
- targetticket: prevent exception in inconsistent target ticket (ba6ed88e)
- textarea: on change event broken (9fb70edb)
- textarea: rn chars added between lines (66571b80)
- textarea, entityconfig: embedded image question description (#2901) (0d78db1a)
- textareafield: embedded image upload broken (d58075cd)
- textareafield: missing escape before compare (ba78e935)
Features
- formanswer: order formanswers by date desc (7fdeda51)
- ldapselectfield: lazy loading (bffcb5b7)
Help / Contribution needed
Locales updates: Some languages don’t have a maintainer, or are late (much untranslated content). Please contribute on Transifex.
Check the changelog & download
GLPI Agent 1.4 has been released.
You’re encouraged to upgrade your GLPI agents or migrate if you’re still using FusionInventory agents.
You can download it on the GLPI Agent github project:
This release includes a few fixes and enhancements.
The most important one fixes a regression introduced in GLPI-Agent v1.3 which prevents windows or macosx agents from communicating with an HTTPS GLPI server using a publicly signed SSL certificate.
For the other ones:
- new ssl-fingerprint option feature now also works on CentOS7,
- on SSL communication error, the agent will report a more explicit reason,
- we added support for linux systemd-nspawn container inventory,
- we added a new Acer monitor model support: B226WL,
- we fixed the support of non-standard port for ssh remote inventory,
- the MacOSX packages have been upgraded to use OpenSSL 3.0.4,
- the linux perl installer now supports installation on Oracle Linux 8.
As always, you can check the more detailed changelog at:
A new GLPI version is available.
This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!
You can download the GLPI 10.0.2 archive on GitHub.
Exceptionally, as we have a critical security issue on an unauthenticated page, we also release a GLPI 9.5.8 archive.
You’ll find below the list of security issues fixed in this bugfixes version:
- [SECURITY] Unauthenticated SQL injection on login page (CVE-2022-31061)
- [SECURITY] SQL injection on actor part in assistance forms (CVE-2022-31056)
- [SECURITY] Unauthenticated Sensitive Data Exposure on Refused Inventory Files (CVE-2022-31068)
Also, here is a short list of important bugfixes done in this version:
- FIX adding actors to ITIL Objects (#11796, #11957)
- FIX unwanted “promote to ticket” feature on self-service interface (#11834)
- FIX native inventory do not inject switch information (#11864)
- FIX entity for software creation (#11887, #11837)
- FEAT permits global lock on entity (#11853)
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
You’re encouraged to upgrade your GLPI agents or migrate if you’re still using FusionInventory agents.
You can download it on the GLPI Agent github project:
https://github.com/glpi-project/glpi-agent/releases/tag/1.3
This release includes some fixes and enhancements. Here are the most important ones:
- we implemented a feature request from the community to support deploying the GLPI server's SSL certificate through the operating system's own deployment features:
  - on windows, the glpi server certificate can be deployed through the enterprise keystore,
  - on macosx, the glpi server certificate can be deployed in system keychain through a MDM.
- we added support for the new ‘ssl-fingerprint’ option, which permits trusting a GLPI server certificate without the need to deploy a certificate:
  - you can first enable the ‘no-ssl-check’ option one time on one agent to find the related ssl fingerprint reported in the agent log,
  - then you can set the discovered value for all your agents and disable ‘no-ssl-check’ on the first one.
- the windows MSI packaging is now using Perl 5.36.0 and includes some fixes and improvements:
  - as it was wrongly creating firewall rules, this is fixed and wrong rules are removed,
  - a few libraries were missing if you wanted to use SNMPv3 authentication during network discovery or inventory,
  - the installer was failing to create the windows task when you wanted to use windows task scheduling,
  - a few configurations were not possible during silent installation.
- the MacOSX packages have been upgraded to use Perl 5.36.0, OpenSSL 3.0.3 & zlib 1.2.12 and the installation on APFS filesystem has also been fixed.
- for linux packaging, we also have a few big improvements:
  - AppImage support for older linux like CentOS 7,
  - AppImage uninstallation process has been improved,
  - Snap packaging has been upgraded to use Perl 5.36.0,
  - perl linux installer has been enhanced to support installation on openSUSE.
- For inventory task, we integrated:
  - a patch from the community which can fix monitor inventory on linux,
  - an Oracle database inventory support update,
  - an update to avoid false positive antivirus alert during software inventory on windows,
  - a fix on JSON format support to avoid wrongly encoded strings on macosx,
  - a fix against a JSON validation error while monitor serial is an integer,
  - a fix on generated partial inventory as the ‘partial’ property was missing,
  - an update for additional-content option support while using JSON format.
- RemoteInventory task has been improved so remote ssh inventory of linux/unix platforms can fall back on ssh command calls when libssh2 is not available.
- Netdiscovery and NetInventory tasks now include a module from the community which enhances DefensePro support.
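The fingerprint learned with ‘no-ssl-check’ enabled is only as trustworthy as that one connection, so it is worth comparing it with a fingerprint computed from a copy of the server certificate obtained from the GLPI server administrator before setting it on every agent. The following is an added example, not code from the GLPI Agent project. It assumes the value is written as algo$hex (the notation of Perl's IO::Socket::SSL; confirm against what your agent actually logs); the function names are hypothetical and the sample bytes are constructed.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# hash over the DER encoding, so any bytes show the mechanics offline.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def cert_fingerprint(pem_text, algo="sha256"):
    """Return 'algo$hex' for a PEM certificate (hash over its DER bytes)."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return f"{algo}${hashlib.new(algo, der).hexdigest()}"


def normalise(value):
    """Canonical 'algo$hex': lower case, colons and spaces removed."""
    algo, sep, digest = value.strip().partition("$")
    if not sep:
        # Bare hex digest with no algorithm prefix: assume SHA-256.
        algo, digest = "sha256", algo
    digest = digest.replace(":", "").replace(" ", "").lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a hex fingerprint: {value!r}")
    return f"{algo.lower()}${digest}"


def matches(pem_text, logged_value):
    """True if the value copied from the agent log matches the certificate."""
    logged = normalise(logged_value)
    algo = logged.split("$", 1)[0]
    # Recompute with the same algorithm the log used, then compare in
    # constant time.
    return hmac.compare_digest(cert_fingerprint(pem_text, algo), logged)


if __name__ == "__main__":
    trusted = cert_fingerprint(SAMPLE_PEM)
    print("ssl-fingerprint value:", trusted)
    print("log value matches:", matches(SAMPLE_PEM, trusted.upper()))
```

Only roll the value out to the other agents when `matches` returns True for the certificate file you obtained out of band.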
As always, you can check the more detailed changelog at:
https://github.com/glpi-project/glpi-agent/blob/1.3/Changes
This version is compatible with GLPI 10 only, and is a Release candidate version. Use it only for testing and bug report purpose.
Starting from this version, tags format will change. Previous tags were prefixed with v. This prefix is dropped. See #2376
Upgrade from a previous 2.13.0-Alpha or Beta version
⚠️ The following steps are necessary only when upgrading from a previous development, alpha or beta version. When upgrading from an old release to 2.13.0, you shall not do them.
1 removing the mini_dashboard for Formcreator (counters)
The counters have been changed. You must delete the mini dashboard installed by previous alpha versions of Formcreator. If you’re upgrading from 2.13.0-beta.1 you may skip this step.
Execute the following SQL requests:
DELETE
FROM glpi_dashboards_items
WHERE dashboards_dashboards_id = (
    SELECT id
    FROM glpi_dashboards_dashboards
    WHERE `key` = 'plugin_formcreator_issue_counters'
);
DELETE FROM glpi_dashboards_dashboards WHERE `key` = 'plugin_formcreator_issue_counters';
Then proceed with the next step (forced upgrade). It will build the new version of the mini dashboard. If you miss this step, the previous dashboard will show empty cards. See #2727
2 Forced upgrade
If you want to upgrade from an older 2.13.0-alpha or 2.13.0-beta version, you should do a forced upgrade from the command line. It will run the upgrade from the previous minor version (2.12.0) to the current version and update the possible differences of schema in the tables of the plugin. Run the following in CLI:
php bin/console glpi:plugin:install formcreator -u glpi -f -p force-upgrade
This command exists specifically for development purposes or for active testers.
Rename of anonymous forms to public forms
Some users of the plugin have been confused by the anonymous forms. Anonymous forms are not a way to create tickets while preventing technicians from identifying requesters or authors. They are accessible by users without being logged in to GLPI. Because of this confusion, anonymous forms are renamed public forms.
Help / Contribution needed
Locales updates: Some languages don’t have a maintainer, or are late (much untranslated content). Please contribute on Transifex.
documentation review and updates
Check the changelog & download: https://github.com/pluginsGLPI/formcreator/releases/tag/2.13.0-rc.1
Here is the first bugfixes release for GLPI 10.
You can download the archive on GitHub.
A lot of issues have been fixed since the first GLPI 10 version.
Below you will find a short list of key points of this release:
- Several fixes on inventory rules
- Several fixes for reservation feature
- Fix status change in assistance objects when modifying actors
- Fix preselection as requester in assistance object
- Add global locks management for inventory
- Re-implementation of the document addition action in assistance object
- Impersonate feature now displays hints if unavailable
- Updates with GLPI console can now check integrity of the database
- The GANTT feature has been moved to a plugin
- The GLPI licence has been moved to GPLv3+
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.