GLPI Agent 1.8 has been released.

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.8

This version comes with a lot of changes and enhancements for the MSI packaging for Windows:

• first of all, a huge work has been done to provide the windows installer with Perl 5.38.2 using latest essential libraries version for more security, like OpenSSL 3.2.1 and libssh2 1.11.0.
• the patch for the CVE-2024-28240 security advisory is now based on a DLL library.
• only 64 bits packaging for windows is provided.
• the “Typical” installation no more includes Deploy and Collect tasks.
• 7-zip provided command is now v23.01 version.
• GLPI-AgentMonitor tool is provided in 1.3.0 version and now the installer supports AGENTMONITOR_NEWTICKET_URLto configure the GLPI url for the open new ticket option.

On the inventory side, a new feature will help you reduce the carbon footprint of your GLPI system: the full inventory postpone

• now, by default, and if your server is a GLPI 10, GLPI Agent can decide to postpone the upload of a full inventory up to 14 times, so about 2 weeks using the default configuration. Until then, the agent will upload partial inventories only containing detected changes.
• full-inventory-postpone is a new configuration parameter which value is 14 by default. Setting it to 0, it is still possible to disable this feature coming back to previous normal running.
• glpi-agent script is also supporting --full option to temporary disable the feature.

The MacOSX package only activates Inventory task by default now. You’ll have to explicitly activate any other tasks you need in a dedicated configuration file.

A lot of fixes and enhancement have also been included. Inventory, RemoteInventory, NetworkDiscovery et NetInventory tasks, but also Proxy and ToolBox plugins, are concerned. We encourage you to check all changes details in the official online Changelog available here: https://github.com/glpi-project/glpi-agent/blob/1.8/Changes

We encourage you to update your agents as soon as possible to take advantage of these improvements.

Join us on our social networks so you don't miss any of our news!

Une nouvelle version de GLPI est disponible.

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.15 archive on GitHub.

Vous trouverez ci-dessous la liste des problèmes de sécurité corrigés dans cette version corrective :

• [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
• [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)

Also, here is a short list of main changes done in this version:

• [FIX] Fix used right by reservation form.
• [FIX] Do not rely on input to apply rules rights.
• [FIX] Always store updated SMTP Oauth refresh token.
• [TASK] Upgrade tinymce.

Le journal des modifications complet est disponible pour plus de détails.

Nous tenons à remercier toutes les personnes qui ont contribué à cette nouvelle version et tous ceux qui contribuent régulièrement au projet GLPI !

Cordialement.

Restez connectés ! Suivez-nous sur nos réseaux sociaux !

GLPI Agent 1.7.3 has been released.

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.7.3

This version essentially fixes a regression introduced in the MSI packaging for Windows in the 1.7.2 version:

• the LOCAL parameter was forced to the agent installation folder when not used. After that, local inventory was also generated even if this wasn’t required. This LOCAL configuration will be removed during this update.
• CVE-2024-28241 patch was modified to not be enabled if the installation folder and (if used) the LOCAL parameter remain under the default system folder as there’s not security issue in that case.

These updates only impact Windows installation performed with MSI packaging.

We invite you to upgrade your agents on Windows as soon as possible.

You don’t need to upgrade to 1.7.3 GLPI Agents that were not installed on Windows and which are at least in 1.7 version.

GLPI Agent 1.7.2 has been released!

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.7.2

This version specifically fixes 2 critical security issues related to MSI packaging on windows:

• CVE-2024-28240: A local user could modify the GLPI Agent configuration to gain higher privileges.
• CVE-2024-28241: A local user could modify the GLPI-Agent installation to gain higher privileges, but only when GLPI Agent is not installed in the default installation folder.

These security issues impact all Windows installation performed with MSI packaging.

We encourage you to upgrade all these agents as soon as possible!

Anyway you don’t need to upgrade to 1.7.2 after updating to 1.7.1 if your GLPI Agent was not installed on windows with the MSI package.

Une nouvelle version de GLPI est disponible.

Due to a few regressions in the last (10.0.13), an early release is available.

You can download the GLPI 10.0.14 archive on GitHub.

Here is the list of corrections made in this version:

• [FIX] Fix assign field when suppliers assign is available
• [FIX] Switching entities issues

Cordialement.

A new GLPI version is available!

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.13 archive on GitHub.

Vous trouverez ci-dessous la liste des problèmes de sécurité corrigés dans cette version corrective :

• [SECURITY - high] SQL Injection in through the search engine (CVE-2024-27096)
• [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
• [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
• [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
• [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
• [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)

Also, here is a short list of main changes done in this version:

• [FIX] Error when creating a Ticket with SLA/OLA.
• [FIX] Weekly recurrent reservations creation does not work.

Le journal des modifications complet est disponible pour plus de détails.

Nous tenons à remercier toutes les personnes qui ont contribué à cette nouvelle version et tous ceux qui contribuent régulièrement au projet GLPI !

Cordialement.

Une nouvelle version de GLPI est disponible.

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.12 archive on GitHub.

Vous trouverez ci-dessous la liste des problèmes de sécurité corrigés dans cette version corrective :

• [SECURITY - moderate] Reflected XSS in reports pages (CVE-TODO)
• [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)

Also, here is a short list of main changes done in this version:

• [FIX] Regression with entity selector missing cache invalidation
• [FIX] Better handling of connection issues during LDAP synchronization
• [PERF] The entity selector get significant reduction of load time in some cases

Le journal des modifications complet est disponible pour plus de détails.

Nous tenons à remercier toutes les personnes qui ont contribué à cette nouvelle version et tous ceux qui contribuent régulièrement au projet GLPI !

Cordialement.

GLPI Agent 1.7.1 has been released.

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.7.1

The 1.7.1 version specifically fixes SSL connections problems introduced with 1.7 version update for windows and MacOSX agents but only when you’re using windows keystore or macosx keychain to publish the ssl chain validation for your GLPI server.

You don’t need to update to 1.7.1 after updating to 1.7 if you’re not in that case.

GLPI Agent 1.7 has been released.

You're encouraged to upgrade your GLPI agents or migrate if you're still using FusionInventory agents.

Vous pouvez le télécharger sur le projet github GLPI Agent : https://github.com/glpi-project/glpi-agent/releases/tag/1.7

Here is a summary of the most important changes of the 1.7 version:

• some important fixes have been made on ToolBox plugin in relation with NetDiscovery and RemoteInventory tasks:
  • the defined timeout will only apply on connection tries during discovery where the agent backend-collect-timeout configuration will apply on the inventory
  • a possible locking issue while running the discovery has been fixed
  • we updated the way we define the “Agent Folder” local target in inventory tasks configuration to have a more appropriate sens when the agent is running as a service
  • an issue blocking the submission of JSON remote inventory was fixed
• for NetDiscovery and NetInventory tasks, we also have:
  • an enhanced support of Toshiba printers
  • a fix related to the support of LLDP connection datas analysis
• for ToolBox plugin, we also fixed the export button on the results page
• the RemoteInventory task also includes:
  • a fix for the inventory of softwares from a windows remote with a windows agent
  • a fix for computer FQDN and domain inventory
  • an update to support timezone inventory
  • an update to support printer inventory via ssh using perl mode
  • a fix for an error preventing ssh inventory because of a wrong option in the “ssh” mode
• the ESX task has been fixed to work as expected with the GlpiInventory plugin without living the job in a “ko” status with just “n/a” as description while the inventory is still normally integrated
• the Inventory task has received few improvements:
  • the support of SentinelOne antivirus on linux. It was implemented by a community contributor, many thanks to him !
  • the assetname-support option has been updated to authorize forcing the asset name with its FQDN on linux. Also that option also changes the computing of the agent name in the same way.
  • a fix related to the inventory of network cards on linux
  • an update to find the wifi card network speed on linux
• the MacOSX package has been udpated to use OpenSSL 3.2.0
• the Apple AppID for the MacOSX package has been updated
• the 1.6 and 1.6.1 linux perl installers had a problem generating an error during agent update and this is now fixed
• to optimize the running time while using a server url with SSL support, we decided to no more try to export the ssl key store if any of the options providing SSL server certificate authentication is still used

As always, you can check the more detailed changelog at: https://github.com/glpi-project/glpi-agent/blob/1.7/Changes

About the MSI windows installer, it appears the used perl version is now completely outdated and requires a very big update. This essentially concerns the OpenSSL and libssh2 libraries, the last been used for remote inventory. As we use StrawberryPerl and this project decided to no more support the 32 bits perl version, we decided the 1.7 version will be the last to provide GLPI Agent in 32 bits. This perl update will be the main goal of the next 1.8 version.

Une nouvelle version de GLPI est disponible.

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.11 archive on GitHub.

Vous trouverez ci-dessous la liste des problèmes de sécurité corrigés dans cette version corrective :

• [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
• [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
• [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)

On this last point, we wanted to recall the 7.4 version of PHP is very outdated and not supported anymore by the developers!
You should upgrade on a recent version, at least 8.2 (8.0 will be outdated at the end of the year and 8.1 will be only with security fixes).

Also, here is a short list of main changes done in this version:

• [UX] Enhance pending reasons display
• [FIX] various LDAP fixes (timeout, location import, deletion/restoration scenarios)
• [FIX] several inventory fixes (unmanaged assets reconciliation, rules for phones, rules logs for discovery, Cisco stacks, removal of remote management)
• [FIX] several performance enhancements (defer entity tree loading, strong enhancement on actors loading, all assets query execution time, web cron removal, dual ajax call for tab loading)
• [TASK] highlights of security requirements on install/update page. Some options like PHP versions, web folder setup are suggested with a strong visual.

The full changelog is available for more details.

Nous tenons à remercier toutes les personnes qui ont contribué à cette nouvelle version et tous ceux qui contribuent régulièrement au projet GLPI !

Cordialement.