A new GLPI version is available!

This release fixes a few security issues that have been recently discovered. The update is recommended!

You can download the GLPI 10.0.16 archive on GitHub.

Vous trouverez ci-dessous la liste des problèmes de sécurité corrigés dans cette version corrective :

• [SECURITY - high] Account takeover via SQL Injection in AJAX scripts (CVE-2024-37148)
• [SECURITY - high] Remote code execution through the plugin loader (CVE-2024-37149)
• [SECURITY - moderate] Authenticated file upload to restricted tickets (CVE-2024-37147)

Also, here is a short list of the main changes done in this version:

• [FIX] Freesize database field was not correctly migrated
• [FIX] Network inventoried stacked switches had all the same name
• [FIX] Remove monitors from inventory when no monitor is present
• [FIX] Import location hierarchy from LDAP and Inventory

Le journal des modifications complet est disponible pour plus de détails.

Nous tenons à remercier toutes les personnes qui ont contribué à cette nouvelle version et tous ceux qui contribuent régulièrement au projet GLPI !

Cordialement.

Restez connectés ! Suivez-nous sur nos réseaux sociaux !

GLPI Agent 1.9 has been released.

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.9

This version comes first with few fixes for the MSI packaging for Windows:

• A regression in the installation of OpenSSL support could prevent communication with servers via the SSL protocol.
• the FULL_INVENTORY_POSTPONE option of MSI installer was not normally managed.

Few fixes and enhancements for inventory was integrated:

• a regression of the partial inventory involved a problem in the integration of softwares into GLPI, in particular with the new full-inventory-postpone option.
• the detection of network ports type has been enhanced on MacOSX.
• the MSSQL databases inventory on Windows has been enhanced to detect all the installed instances.
• the serialnumber detection of recent disks has been enhanced on Windows.

A new snmp-retries has been introduced to enhance network inventory when networks devices not always respond in time.

The use of user notifications of the Deploy task could involve a service crash on Windows.

The ToolBox plugin now accepts some special characters inside passwords of credentials for remote inventory.

Vous pouvez vérifier les détails des modifications dans le journal des modifications officiel en ligne disponible ici : https://github.com/glpi-project/glpi-agent/blob/1.9/Changes

We invite you to update your agents as soon as possible to take advantage of these improvements.

Follow us on our social media so you don't miss any of our news!

GLPI Agent 1.8 has been released.

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.8

This version comes with a lot of changes and enhancements for the MSI packaging for Windows:

• first of all, a huge work has been done to provide the windows installer with Perl 5.38.2 using latest essential libraries version for more security, like OpenSSL 3.2.1 and libssh2 1.11.0.
• the patch for the CVE-2024-28240 security advisory is now based on a DLL library.
• only 64 bits packaging for windows is provided.
• the “Typical” installation no more includes Deploy and Collect tasks.
• 7-zip provided command is now v23.01 version.
• GLPI-AgentMonitor tool is provided in 1.3.0 version and now the installer supports AGENTMONITOR_NEWTICKET_URLto configure the GLPI url for the open new ticket option.

On the inventory side, a new feature will help you reduce the carbon footprint of your GLPI system: the full inventory postpone

• now, by default, and if your server is a GLPI 10, GLPI Agent can decide to postpone the upload of a full inventory up to 14 times, so about 2 weeks using the default configuration. Until then, the agent will upload partial inventories only containing detected changes.
• full-inventory-postpone is a new configuration parameter which value is 14 by default. Setting it to 0, it is still possible to disable this feature coming back to previous normal running.
• glpi-agent script is also supporting --full option to temporary disable the feature.

The MacOSX package only activates Inventory task by default now. You’ll have to explicitly activate any other tasks you need in a dedicated configuration file.

A lot of fixes and enhancement have also been included. Inventory, RemoteInventory, NetworkDiscovery et NetInventory tasks, but also Proxy and ToolBox plugins, are concerned. We encourage you to check all changes details in the official online Changelog available here: https://github.com/glpi-project/glpi-agent/blob/1.8/Changes

We encourage you to update your agents as soon as possible to take advantage of these improvements.

Join us on our social networks so you don't miss any of our news!

Une nouvelle version de GLPI est disponible.

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.15 archive on GitHub.

Vous trouverez ci-dessous la liste des problèmes de sécurité corrigés dans cette version corrective :

• [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
• [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)

Also, here is a short list of main changes done in this version:

• [FIX] Fix used right by reservation form.
• [FIX] Do not rely on input to apply rules rights.
• [FIX] Always store updated SMTP Oauth refresh token.
• [TASK] Upgrade tinymce.

Le journal des modifications complet est disponible pour plus de détails.

Nous tenons à remercier toutes les personnes qui ont contribué à cette nouvelle version et tous ceux qui contribuent régulièrement au projet GLPI !

Cordialement.

Restez connectés ! Suivez-nous sur nos réseaux sociaux !

GLPI Agent 1.7.3 has been released.

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.7.3

This version essentially fixes a regression introduced in the MSI packaging for Windows in the 1.7.2 version:

• the LOCAL parameter was forced to the agent installation folder when not used. After that, local inventory was also generated even if this wasn’t required. This LOCAL configuration will be removed during this update.
• CVE-2024-28241 patch was modified to not be enabled if the installation folder and (if used) the LOCAL parameter remain under the default system folder as there’s not security issue in that case.

These updates only impact Windows installation performed with MSI packaging.

We invite you to upgrade your agents on Windows as soon as possible.

You don’t need to upgrade to 1.7.3 GLPI Agents that were not installed on Windows and which are at least in 1.7 version.

GLPI Agent 1.7.2 has been released!

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.7.2

This version specifically fixes 2 critical security issues related to MSI packaging on windows:

• CVE-2024-28240: A local user could modify the GLPI Agent configuration to gain higher privileges.
• CVE-2024-28241: A local user could modify the GLPI-Agent installation to gain higher privileges, but only when GLPI Agent is not installed in the default installation folder.

These security issues impact all Windows installation performed with MSI packaging.

We encourage you to upgrade all these agents as soon as possible!

Anyway you don’t need to upgrade to 1.7.2 after updating to 1.7.1 if your GLPI Agent was not installed on windows with the MSI package.

Une nouvelle version de GLPI est disponible.

Due to a few regressions in the last (10.0.13), an early release is available.

You can download the GLPI 10.0.14 archive on GitHub.

Here is the list of corrections made in this version:

• [FIX] Fix assign field when suppliers assign is available
• [FIX] Switching entities issues

Cordialement.

A new GLPI version is available!

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.13 archive on GitHub.

Vous trouverez ci-dessous la liste des problèmes de sécurité corrigés dans cette version corrective :

• [SECURITY - high] SQL Injection in through the search engine (CVE-2024-27096)
• [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
• [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
• [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
• [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
• [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)

Also, here is a short list of main changes done in this version:

• [FIX] Error when creating a Ticket with SLA/OLA.
• [FIX] Weekly recurrent reservations creation does not work.

Le journal des modifications complet est disponible pour plus de détails.

Nous tenons à remercier toutes les personnes qui ont contribué à cette nouvelle version et tous ceux qui contribuent régulièrement au projet GLPI !

Cordialement.

Une nouvelle version de GLPI est disponible.

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.12 archive on GitHub.

Vous trouverez ci-dessous la liste des problèmes de sécurité corrigés dans cette version corrective :

• [SECURITY - moderate] Reflected XSS in reports pages (CVE-TODO)
• [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)

Also, here is a short list of main changes done in this version:

• [FIX] Regression with entity selector missing cache invalidation
• [FIX] Better handling of connection issues during LDAP synchronization
• [PERF] The entity selector get significant reduction of load time in some cases

Le journal des modifications complet est disponible pour plus de détails.

Nous tenons à remercier toutes les personnes qui ont contribué à cette nouvelle version et tous ceux qui contribuent régulièrement au projet GLPI !

Cordialement.

GLPI Agent 1.7.1 has been released.

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.7.1

The 1.7.1 version specifically fixes SSL connections problems introduced with 1.7 version update for windows and MacOSX agents but only when you’re using windows keystore or macosx keychain to publish the ssl chain validation for your GLPI server.

You don’t need to update to 1.7.1 after updating to 1.7 if you’re not in that case.