Congratulations! We are happy to announce our new Silver GLPI Network partner in Spain: Técnicas Competitivas S.A.
Técnicas Competitivas S.A. is a Spanish company based in Santa Cruz de Tenerife, Canary Islands. It specializes in the provision of services and product development in the field of Information and Communications Technologies (ICT), serving several sectors such as private companies, public administrations, health, the port sector and telecommunications. Técnicas Competitivas S.A. offers a wide range of services, including consulting, software development, infrastructure or training.
Website: https://bit.ly/3yTQp86
We are excited that the GLPI ITSM solution is becoming more and more represented all over the world and that the GLPI Network (our support offer for on-premises – get your IT Infrastructure secured) subscription service will be available to more customers through our new partners.
Our large partnership network is always open to new collaborations. If you are interested in representing one of our products in your country, get in touch with us: https://glpi-project.org/contact_us/
Being a partner means:
- Having direct access to Teclib's tech expertise;
- Getting special discounts;
- Access to official support;
- Many other tools which will help you gain more customers and increase your reputation on the market by adding open source ITSM to your portfolio.
Discover all benefits of being a partner here: https://glpi-project.org/partners/
Stay connected! Follow us on our social networks!
GLPI Agent 1.7 has been released.
You're encouraged to upgrade your GLPI agents or migrate if you're still using FusionInventory agents.
You can download it from the GLPI Agent GitHub project: https://github.com/glpi-project/glpi-agent/releases/tag/1.7
Here is a summary of the most important changes of the 1.7 version:
- some important fixes have been made on the ToolBox plugin in relation to NetDiscovery and RemoteInventory tasks:
  - the defined timeout will only apply to connection attempts during discovery, whereas the agent `backend-collect-timeout` configuration will apply to the inventory
  - a possible locking issue while running the discovery has been fixed
  - we updated the way we define the “Agent Folder” local target in inventory tasks configuration so that it makes more sense when the agent is running as a service
  - an issue blocking the submission of JSON remote inventory was fixed
- for NetDiscovery and NetInventory tasks, we also have:
  - an enhanced support of Toshiba printers
  - a fix related to the support of LLDP connection data analysis
- for the ToolBox plugin, we also fixed the export button on the results page
- the RemoteInventory task also includes:
  - a fix for the inventory of software from a Windows remote with a Windows agent
  - a fix for computer FQDN and domain inventory
  - an update to support timezone inventory
  - an update to support printer inventory via ssh using perl mode
  - a fix for an error preventing ssh inventory because of a wrong option in the “ssh” mode
- the ESX task has been fixed to work as expected with the GlpiInventory plugin without leaving the job in a “ko” status with just “n/a” as description while the inventory is still normally integrated
- the Inventory task has received a few improvements:
  - the support of SentinelOne antivirus on Linux. It was implemented by a community contributor, many thanks to him!
  - the `assetname-support` option has been updated to allow forcing the asset name to its FQDN on Linux. That option also changes the computing of the agent name in the same way.
  - a fix related to the inventory of network cards on Linux
  - an update to find the wifi card network speed on Linux
- the MacOSX package has been updated to use OpenSSL 3.2.0
- the Apple AppID for the MacOSX package has been updated
- the 1.6 and 1.6.1 Linux perl installers had a problem generating an error during agent update and this is now fixed
- to optimize the running time while using a server url with SSL support, we decided to no longer try to export the SSL key store if any of the options providing SSL server certificate authentication is still used
As always, you can check the more detailed changelog at: https://github.com/glpi-project/glpi-agent/blob/1.7/Changes
Regarding the MSI Windows installer, it appears the Perl version used is now completely outdated and requires a very big update. This essentially concerns the OpenSSL and libssh2 libraries, the latter being used for remote inventory. As we use StrawberryPerl and this project decided to no longer support the 32-bit Perl version, we decided the 1.7 version will be the last to provide GLPI Agent in 32 bits. This Perl update will be the main goal of the next 1.8 version.
New version GLPI 10.0.7: A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.7 archive on GitHub.
We still maintain the 9.5 branch for security fixes and we also release a new version for it: GLPI 9.5.13 archive.
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - High] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
- [SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
- [SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
- [SECURITY - Moderate] Stored XSS through dashboard administration (CVE-2023-28852).
- [SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
- [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
- [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-28634).
- [SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).
Also, here is a short list of main changes done in this version:
- [SECURITY] Optional GLPI router to be able to use a safer web server root directory.
- [FEATURE] Support of SMTP OAuth authentication.
- [FEATURE] Improved inventory file upload feature.
- [FIX] Many fixes and improvements on native inventory.
- [FIX] Some bugs on PHP 8.2.
- [FIX] Caching issues on entities.
- [FIX] Boolean FullText operator not working on knowledge base search.
- [FIX] Unexpected search results when using negative condition on ticket actors.
- [FIX] Issues with LDAP filters/DN.
- [FIX] Unexpected results when searching on knowledge base categories.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Download GLPI now: https://glpi-project.org/downloads/
Regards.
A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.6 archive on GitHub.
We still maintain the 9.5 branch for security fixes and we also release a new version for it: GLPI 9.5.12 archive.
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - High] Unauthorized access to inventory files (CVE-2023-22500)
- [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
- [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
- [SECURITY - Moderate] XSS in RSS Description Link (CVE-2023-22724)
- [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
- [SECURITY - Low] Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)
Also, here is a short list of main changes done in this version:
- [FEATURE] Unmanaged devices can be handled like a real asset.
- [FEATURE] Handle more actions for stale inventory agents.
- [FEATURE] Added new dictionary rules for OS.
- [CHANGED] Removed `glpi:` prefix on console commands.
- [FIX] PHP 8.2 support.
- [FIX] Many fixes and improvements on native inventory.
- [FIX] Reservation display on self-service profile.
- [FIX] Mail collector issues with emails sent from Outlook.
- [FIX] Dashboard issues on “All” tab.
- [FIX] Ticket input is restored when submitted form is not complete.
- [FIX] Notification was not sent when ticket status was set to “pending”.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for the 9.5 branch: GLPI 9.5.10 archive.
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
- [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
- [SECURITY - Low] Stored XSS in entity name (CVE-2022-39373)
- [SECURITY - Low] Improper input validation on emails links (CVE-2022-39376)
- [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
- [SECURITY - Moderate] User's session persist after permanently deleting his account (CVE-2022-39234)
- [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
- [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
- [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
- [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)
- [SECURITY - High] Stored XSS through asset inventory (CVE-2022-39371)
Also, here is a short list of main changes done in this version:
- [FIX] Significantly increase dashboard performance
- [FIX] Several bugs on images pasting
- [FIX] Fixed and improved inventory locks management
- [FIX] Display of printer cartridges
- [FIX] Display and hide actors tooltips in tickets
- [FIX] Improve display of headers above forms
- [FIX] Move breakpoints on responsive displays
- [SECURITY] Inventory API is now disabled by default
- [FEATURE] Dedicated rights have been added for inventory
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
A new GLPI version is available.
This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!
You can download the GLPI 10.0.2 archive on GitHub.
Exceptionally, as we have a critical security issue on an unauthenticated page, we also release a GLPI 9.5.8 archive.
You’ll find below the list of security issues fixed in this bugfixes version:
- [SECURITY] Unauthenticated SQL injection on login page (CVE-2022-31061)
- [SECURITY] SQL injection on actor part in assistance forms (CVE-2022-31056)
- [SECURITY] Unauthenticated Sensitive Data Exposure on Refused Inventory Files (CVE-2022-31068)
Also, here is a short list of important bugfixes done in this version:
- FIX adding actors to ITIL Objects (#11796, #11957)
- FIX unwanted “promote to ticket” feature on self-service interface (#11834)
- FIX native inventory do not inject switch information (#11864)
- FIX entity for software creation (#11887, #11837)
- FEAT permits global lock on entity (#11853)
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
After several weeks, Teclib’ is happy to announce the release of GLPI 9.5.6.
This release fixes several security issues that have been recently discovered. Update is strongly recommended!
You can download the GLPI 9.5.6 archive on GitHub.
You'll find below the list of security issues fixed in this bugfixes version:
- [SECURITY] Disclosure of GLPI and server information in telemetry endpoint [CVE-2021-39211]
- [SECURITY] Autologin cookie accessible by scripts [CVE-2021-39210]
- [SECURITY] Bypassable CSRF protection on ajax endpoints [CVE-2021-39209]
- [SECURITY] Bypassable IP restriction on GLPI API using custom header injection [CVE-2021-39213]
Regarding this last issue: the `HTTP_X_FORWARDED_FOR` header can be set by a client to bypass the IP restriction of the REST API, so we removed the parsing of this header. API clients behind proxies may be affected and lose access to the API. We recommend setting the needed header (`REMOTE_ADDR`) in the web server serving GLPI.
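The following added Python example (not GLPI's code) shows why an application that reads the forwarded header from any peer cannot enforce an IP restriction, and what resolving the client address only from known proxies looks like, which is the job the recommendation above hands to the web server. The function names, the proxy address and the allowed range are assumptions constructed for illustration.

```python
import ipaddress

# All addresses below are constructed documentation values, not GLPI settings.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]  # hypothetical reverse proxy
API_ALLOWED = ipaddress.ip_network("10.0.0.0/24")          # hypothetical API IP restriction


def naive_client_ip(remote_addr, headers):
    """Bypassable pattern: believe X-Forwarded-For whoever the TCP peer is."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def _is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def proxy_aware_client_ip(remote_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is a known proxy.

    The chain is walked right to left because each proxy appends the peer
    it saw; anything left of the first untrusted hop is client-controlled.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            return remote_addr  # malformed entry: fall back to the TCP peer
    return remote_addr


def api_allowed(ip):
    """Apply the (hypothetical) allowed range to a resolved client address."""
    return ipaddress.ip_address(ip) in API_ALLOWED


# Constructed requests: (TCP peer address, request headers)
DIRECT_SPOOF = ("203.0.113.50", {"X-Forwarded-For": "10.0.0.5"})
VIA_PROXY = ("192.0.2.10", {"X-Forwarded-For": "10.0.0.5"})
SPOOF_VIA_PROXY = ("192.0.2.10", {"X-Forwarded-For": "10.0.0.5, 203.0.113.50"})
```

With the naive resolver the first request passes the restriction; with the proxy-aware one only the request that really arrived from an allowed address through the known proxy does.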
Also, here is a short list of important bugfixes done in this version:
- FIX Mailgate "Missing type for Ticket template" warning
- FIX Display of images in tickets from collected mails
- FIX Encoding issue with emails in GB2312 containing special characters
- FIX Emails rules not working after upgrading to 9.5.5
- FIX Incorrect KPIs Dashboards compared to the GLPI filter
- FIX marking LDAP user as deleted after a failed password
- FIX Prevent usage of date filters on full LDAP sync
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Looking for professional support? Check our GLPI Network Subscriptions offer or try GLPI Network Cloud.
After several weeks, Teclib’ is happy to announce the release of GLPI 9.5.5.
This release fixes a security issue that has been recently discovered. Update is recommended!
You can download the GLPI 9.5.5 archive on GitHub.
You’ll find below the list of changes in this bugfixes version:
- [security] Stored XSS in plugins information (CVE-2021-3486 by @n3k00n3)
- fix entity creation
- removal of raw html in massive actions list
- fix issue with date_creation fields updated with older instances of MySQL servers
- fix wrong count of software counts in assets
- Fix Core API errors on deprecation checks
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Teclib’ is happy to announce the release of GLPI 9.5.3.
This release fixes medium security issues that have been recently discovered. Update is recommended!
You can download the GLPI 9.5.3 archive on GitHub.
Here is the list of security cases detected and fixed in this version:
- [security] Any CalDAV calendars is read-only for every authenticated user (CVE-2020-26212)
- [security] Insecure Direct Object References in ajax files (CVE-2020-27662 && CVE-2020-27663)
Note that some have been present for a long time (version 0.68), but this time none of these issues was considered high/critical.
We also fixed a lot of bugs, here are important ones:
- we continue the work on stabilizing the usage of the laminas/mail library:
  - Attachments were not imported as documents with specific content-disposition.
  - Some HTML mails were imported as text (and HTML was present in the description of the ticket).
- For the dashboards:
  - Bar and line graphs were not animated correctly in recent versions of Chromium-based browsers.
  - Default pages for users without dashboard were empty.
  - Adding some missing filters: tech users and tech groups.
- Misc:
  - A new cli command to set GLPI configuration values.
  - Response time on the personal tab of index is now improved.
  - PHP8 compatibility.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
After several weeks, Teclib’ is happy to announce the release of GLPI 9.5.2.
This release fixes several security issues that have been recently discovered. Update is strongly recommended!
You can download the GLPI 9.5.2 archive on GitHub.
Here is the list of security flaws detected and fixed in this version:
- [security] SQL injection with a query parameter of user form (CVE-2020-15176)
- [security] Removal of `.htaccess` file in the files folder via a plugin endpoint (CVE-2020-15175)
- [security] Leakage issue with knowledge base (CVE-2020-15217)
- [security] Stored XSS in install script (CVE-2020-15177)
- [security] Minor SQL Injection in `Search` API (CVE-2020-15226)
Note that some have been present for a long time (0.68).
We also fixed a lot of issues, here are important ones:
- mailgates issues:
  - encoding errors
  - missing images in some tickets
  - exceptions for some particular messages
- a small notice (`listTables`) was visible while updating to 9.5.1.
- in some rare cases, the encryption process of passwords could fail
- For the dashboards:
  - fix user preferences
  - fix overlap of mini dashboard above tickets list
And we worked on improving the dashboards:
- new summary widget
- new articles widget
- display labels on point and bar (with a new available option)
- cards have now a minimum size
- we added personal filters. Toggle edit mode, and add filters on top of dashboards.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.