A new GLPI version is available.
This release fixes a critical security issue that has been recently discovered. Updating is strongly recommended!
You can download the GLPI 10.0.10 archive on GitHub.
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
- [SECURITY - High] Account takeover via SQL Injection in UI layout preferences (CVE-2023-41320).
- [SECURITY - High] Account takeover via Kanban feature (CVE-2023-41326).
- [SECURITY - High] Account takeover through API (CVE-2023-41324).
- [SECURITY - High] File deletion through document upload process (CVE-2023-42462).
- [SECURITY - Moderate] Sensitive fields enumeration through API (CVE-2023-41321).
- [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-41322).
- [SECURITY - Moderate] Users login enumeration by unauthenticated user (CVE-2023-41323).
- [SECURITY - Moderate] Phishing through a login page malicious URL (CVE-2023-41888).
- [SECURITY - Moderate] SQL injection in ITIL actors (CVE-2023-42461).
Also, here is a short list of main changes done in this version:
- [FEATURE] PHP 8.3 and MySQL 8.1 support.
- [FEATURE] Enable usage of images in rich text of followups/tasks/solution templates.
- [PERFORMANCES] Improve ticket timeline rendering performances.
- [FIX] Fix issues with usage of LDAP bind options.
- [FIX] Fix some issues on SLA/OLA escalation levels computation.
- [FIX] Fix some issues on search on numeric and dates fields.
The full changelog is available for more details.
Download GLPI 10.0.10
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
This version is compatible with GLPI 10.0.
⚠️ This release requires some bugfixes in GLPI to work properly. These bugfixes are included in GLPI 10.0.9 or later. Please ensure your GLPI is up to date to avoid needless bug reports.
Bug Fixes
- Adding READ right for display reservations menu tab (03e6281e)
- bad locale in en_US (db9986f1)
- resize dashboard to match GLPI's core (#3306) (9272cda3)
- TargetChange: use RichText instead of plaintext (8845b888)
- checkboxesfield,radiosfield,selectfield: add missing error messages (66585193)
- datefield, datetimefield: comparison against empty string (be4831c7)
- dropdownfield: SQL error for GLPI objects / tickets and some specific rights (2539e366)
- dropdownfield: handle specific case with Entity itemtype (bd25e7d1)
- dropdownfield: missing entity restriction setting (54543cb3)
- dropdownfield: prevent language switching and log error (49f8fc07)
- fieldsfield: restore mandatory field as read only (52a9fc2b)
- form,category: obey show count on tabs parameter (f4ebf9e5)
- form_language: obey show counter in tab setting (9dfc3b8d)
- formanswer: php warning (ce078990)
- formanswer: prevent silent rejection of answers (d630302d)
- formanswer: redirect to login if session expired (eb0acb65)
- glpiselectfield: fix namespace (#3287) (613e0fad)
- install: missing row in sql query, causing PHP warning (0c47776a)
- issue: php warnings when anonymisation enabled (f6f01d7d)
- issue: prevent fatal error in tooltip (3419affc)
- question,section: duplicate a question or section must duplicate inner conditions (22597832)
- section: cannot rename section twice (7bbb9b81)
- section: condition rule loss after duplicate / import (883a1227)
- section: duplicate form may lead to bad question id in condition (a6f9c41c)
- section: rename section impacts display of inner questions (c4277d8c)
- selectfield,multiselectfield: fix possible encoding problem (8aaec8ac)
- targetchange,targetproblem: follow method call signature for fields plugin (016696ab)
- textfield: Unescaped HTML when displaying a form answer (6ce71f95)
- textfield: exception while displaying counters (0a857d7f)
- textfield: target ticket title need html encoding (1b71d652)
Full changelog and download: click here
Following the recent release of 10.0.8, a few annoying issues have been detected:
- Update script uses a SQL function incompatible with MySQL 5.7 (#15141)
- Private follow-ups and tasks are invisible to users with appropriate rights (#15128)
At the same time, a moderate security advisory was reported (SQL injection in dashboard administration - CVE-2023-37278) and is fixed in this release.
We released a new version to address these bugs, you can download the GLPI 10.0.9 archive on GitHub.
A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Updating is recommended!
You can download the GLPI 10.0.8 archive on GitHub.
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - High] SQL injection via inventory agent request (CVE-2023-35924).
- [SECURITY - High] SQL injection through Computer Virtual Machine information (CVE-2023-36808).
- [SECURITY - High] Unauthorized access to Dashboard data (CVE-2023-35939).
- [SECURITY - High] Unauthenticated access to Dashboard data (CVE-2023-35940).
- [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-34244).
- [SECURITY - Moderate] Unauthorized access to knowledge base items (CVE-2023-34107).
- [SECURITY - Moderate] Unauthorized access to user data (CVE-2023-34106).
Also, here is a short list of main changes done in this version:
- [FEATURE] Improve mail grouping (#14296)
- [FEATURE] Add deleted status in item’s header (#14382)
- [FEATURE] Add option to control the display of dropdowns labels (#14472)
- [FEATURE] Permits to check DB schema from GLPI versions >= 0.80 (#14666)
- [FIX] Improve performance of plugins init (#14511)
- [FIX] Improve performance of kanban views (#14525, #14599, #14764)
- [FIX] Ldap issues with PHP versions >= 8.1 (#14561)
- [FIX] SLA waiting time duration (#14937)
- [FIX] Notification encoding for MS Outlook (#14959)
- A lot of fixes in native inventory
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
GLPI Agent 1.5 has been released.
You are encouraged to upgrade your GLPI agents, or to migrate if you are still using FusionInventory agents.
You can download it from the GLPI Agent GitHub project:
https://github.com/glpi-project/glpi-agent/releases/tag/1.5
This release includes a security fix for CVE-2023-34254. You are only affected by this advisory if you use the remoteinventory task for remote inventory of unix/linux hosts over ssh.
Here is a summary of the most important changes:
- libxml2 library is now required for all the features using XML,
- Windows keystore support has been extended to support more stores to ease GLPI SSL certificate validation,
- inventory task has many enhancements. In particular, some WMI timeouts have been fixed on Windows, and a new assetname-support option permits choosing whether the asset name is set from the short hostname or the FQDN on unix/linux,
- remoteinventory task includes several important fixes and has been enhanced to support multi-threaded remote inventory thanks to the new remote-workers option,
- netdiscovery and netinventory tasks also had their share of fixes, and many new devices are now supported,
- deploy, collect and ESX tasks also had a few fixes and enhancements,
- the embedded HTTPD interface can now use a basic authentication plugin to further restrict access, for example to the ToolBox interface,
- MacOSX packages have been updated to use OpenSSL 3.1.1 and zlib 1.2.13,
- the 3.5 version of dmidecode has been included in windows and MacOSX packages,
- the linux perl installer includes several fixes and now supports Oracle Linux 7 installation,
- MSI packaging now permits to install GLPI-AgentMonitor community tool which provides interesting features for users via a systray icon, check the following project for more details: https://github.com/glpi-project/glpi-agentmonitor
Speaking of MSI packaging, we decided not to sign the packages and provided binaries, as code-signing certificate providers were failing to deliver the required certificate in a reasonable time. So you may experience some security alerts until the MSI packages' reputation has been established.
As always, you can check the more detailed changelog at:
https://github.com/glpi-project/glpi-agent/blob/1.5/Changes
This version is compatible with GLPI 10.0.
⚠️ This release contains a fix that solves the loss of file uploads when a validator edits the requester's answers before approval. This fix requires a patch for GLPI 10.0.7 or older; applying it is recommended. The patch is available here.
⚠️ This release contains a fix to prevent multiple form submissions, which caused requesters to submit their request several times. This fix depends on another fix for GLPI 10.0.7 or older, available here.
Full changelog and download: click here
New version GLPI 10.0.7: A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Updating is recommended!
You can download the GLPI 10.0.7 archive on GitHub.
We still maintain the 9.5 branch for security fixes and have also released a new version for it: GLPI 9.5.13 archive
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - High] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
- [SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
- [SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
- [SECURITY - Moderate] Stored XSS through dashboard administration (CVE-2023-28852).
- [SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
- [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
- [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-28634).
- [SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).
Also, here is a short list of main changes done in this version:
- [SECURITY] Optional GLPI router to be able to use a safer web server root directory.
- [FEATURE] Support of SMTP OAuth authentication.
- [FEATURE] Improved inventory file upload feature.
- [FIX] Many fixes and improvements on native inventory.
- [FIX] Some bugs on PHP 8.2.
- [FIX] Caching issues on entities.
- [FIX] Boolean FullText operator not working on knowledge base search.
- [FIX] Unexpected search results when using negative condition on ticket actors.
- [FIX] Issues with LDAP filters/DN.
- [FIX] Unexpected results when searching on knowledge base categories.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Download GLPI now: https://glpi-project.org/downloads/
Regards.
This version is compatible with GLPI 10.0.
⚠️ File / image upload removed from public forms
GLPI 10.0.5 contains a fix that breaks the ability to upload files from a public form. It is not possible to restore this feature without introducing a security problem. Therefore, from this version on, it is no longer possible to add a question of type File in a public form, and questions of type Textarea no longer allow users to upload pictures.
It is recommended to update your public forms to remove questions of type File. If you don't, then requesters will encounter problems when they try to upload files.
Upgrade from 2.13.0 or later
A database sanity check is done before running the upgrade. If the plugin's tables differ from the expected schema, the upgrade will fail with a message similar to the following:
The database schema is not consistent with the installed Formcreator 2.13.0. To see the logs enable the plugin and run the command bin/console glpi:database:check_schema_integrity -p formcreator
You must fix the database using the diff produced by the CLI command given in the message, then retry the upgrade.
ℹ️ If you know what you are doing, you may bypass the sanity check from the CLI with the following command.
bin/console glpi:plugin:install formcreator -f -p skip-db-check
Bug Fixes
- add missing domain for public forms translation (#3162) (970f183c6)
- duplicate key when updating a profile (1bd6a2ab6)
- remote glpi prefix for commands (651444a27)
- abstractitiltarget: set priority from urgency and impact (#3178) (1269edd51)
- checkboxes: better display (f8fe93a63)
- checkboxes: padding between items (a62f879ce)
- condition: infinite loop detection (172d5e8eb)
- dropdownfield: prevent ambiguous column name (b54523219)
- form: remove obsolete translations on update (3cc58ac7d)
- form: rename form answer properties tab (a3395179d)
- form_language: avoid persistent rich editor toolbar when closing modal (11a8808b5)
- form_language: display problems when translating (93073e656)
- form_language: filter out obsolete translations (b38555c5e)
- formanswer: access restriction (a9451d982)
- install: distinguish error messages for sanity check (b798bf264)
- notifications: missing lang tags (3cad18562)
- question: missing conditions count after update (ea185beb8)
- question: updating a question returns sanitized label (936ccd475)
- radios: update escaping of values (c940e1764)
- radiosfield: better display (fe6c2e8d0)
- restrictedformcriteria: bad key when generating error message (6cabca1fe)
- targetchange,targetproblem: harmonize implementation with targetticket (1ba402de0)
- targetchange,targetproblem: missed code refactor (e24d2fc13)
- targetticket: wrong property label (fd3d30973)
- textareafield: target ticket shows HTML when image uploaded (56fc8d54d)
- translation: avoid rn when using formatted rich (html) text (24113a353)
Features
This version is compatible with GLPI 10.0.
Upgrade from 2.13.0 or later
A database sanity check is done before running the upgrade. If the plugin's tables differ from the expected schema, the upgrade will fail with a message similar to the following:
The database schema is not consistent with the installed Formcreator 2.13.0. To see the logs enable the plugin and run the command bin/console glpi:database:check_schema_integrity -p formcreator
You must fix the database using the diff produced by the CLI command given in the message, then retry the upgrade.
ℹ️ If you know what you are doing, you may bypass the sanity check from the CLI with the following command.
bin/console glpi:plugin:install formcreator -f -p skip-db-check
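The two upgrade notes above describe the same procedure: run the schema sanity check, fix the tables from its diff, and only then upgrade, with skip-db-check as an explicit last resort. The script below wraps that procedure so the upgrade fails closed whenever the check reports a difference. It is an added example, not part of the Formcreator release notes or the plugin's own tooling. It assumes it is run from the GLPI root directory, that bin/console exits non-zero when glpi:database:check_schema_integrity finds a difference, and the GLPI_CONSOLE variable, the report-file argument and the "force" mode are names introduced here for illustration.

```shell
#!/bin/sh
# Added example: fail-closed Formcreator upgrade driven by the schema sanity
# check. Not part of the Formcreator project.
# Assumptions: run from the GLPI root; bin/console returns non-zero when
# check_schema_integrity finds a difference; GLPI_CONSOLE may be overridden
# (e.g. for testing) to point at another console binary.

GLPI_CONSOLE="${GLPI_CONSOLE:-bin/console}"
PLUGIN="formcreator"

# Run the schema integrity check for the plugin. The command's output (the
# diff an operator needs to fix the tables) is kept in the file named by $1,
# and the command's exit status is returned unchanged.
schema_check() {
  "$GLPI_CONSOLE" glpi:database:check_schema_integrity -p "$PLUGIN" >"$1" 2>&1
}

# Upgrade the plugin only if the schema is consistent.
#   $1: path of the report file receiving the check's output
#   $2: "strict" (default) refuses on any difference; "force" uses the
#       documented -f -p skip-db-check bypass and says so on stderr.
# Returns 0 on success, 2 when the check failed in strict mode, or the exit
# status of the install command otherwise.
upgrade_plugin() {
  report="$1"
  mode="${2:-strict}"
  if schema_check "$report"; then
    "$GLPI_CONSOLE" glpi:plugin:install "$PLUGIN"
    return $?
  fi
  if [ "$mode" = "force" ]; then
    echo "WARNING: schema check failed for $PLUGIN; bypassing as requested (diff in $report)" >&2
    "$GLPI_CONSOLE" glpi:plugin:install "$PLUGIN" -f -p skip-db-check
    return $?
  fi
  echo "Schema differences found for $PLUGIN; fix them from $report, then retry." >&2
  return 2
}

# Usage (from the GLPI root):  . ./this_script.sh; upgrade_plugin /tmp/formcreator-schema.diff
```

Keeping the bypass behind an explicit second argument means a scripted or scheduled upgrade can never reach skip-db-check by accident, and the diff the operator needs is always left on disk rather than scrolled past in a log.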
Bug Fixes
- handle undefined setting for service catalog homepage (411ae3597)
- typo in french locale (f61ded17a)
- abstractitiltarget: multiple tag questions set but not displayed in designer (90f2a95d8)
- checkboxesfield,multiselectfield: default value not displayed (8f36ab726)
- composite: ignore link to non existing ticket (8502d4b16)
- condition: allow longer texts (eecdf8a2a)
- condition: display of tested question shows wrong item (5d34da8b4)
- condition: width of question dropdown (ce0389efd)
- dropdownfield: empty SQL IN statement when restricted tickets rights (5c5244a85)
- form: image upload handling in header field (5dc66a5ef)
- formanswer: default search filter hides legit access (2dc9f8e3f)
- formanswer: malformed search option (5339b7912)
- formanswer: missing newline between sections of fullform tag (61122bc93)
- formanswer: temporary disable debug mode (e9e8da484)
- formanswer, textfield, textareafield: escaping (3e0666d4d)
- glpiselectfield: cannot set empty value by default for entity question (fe2130bbe)
- glpiselectfield: restore entity restriction for users (e525b3a82)
- helpdesk: better handling of users that can't see tickets (a93f03126)
- install: add empty schema for new version (817a9ec7e)
- install: resync not needed in upgrade to 2.13.4 (d66a12017)
- install: typo in method name (eac5d77ac)
- issue: follow entity change on ticket transfer (434bd3572)
- issues: Tooltip consistency with core (c45d21550)
- question: subtype plural and appliance in bad group (1f780370a)
- tagfield: php warning (cc4b673a8)
- targetticket: allow more itemtypes to associated elements (#3155) (cee504c24)
- textfield: useless HTML entity encode (c3d03b51e)
Features
- drop support for GLPI 10.1 (a99a8bcb2)
- dropdownfield: always show ticket id (0190adac9)
- issue: access tickets from service catalog (a6b4f19d0)
- question: add support for database sub itemtype (45126012d)
- wizard: selectable home page in service catalog (95103fe54)
A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Updating is recommended!
You can download the GLPI 10.0.6 archive on GitHub.
We still maintain the 9.5 branch for security fixes and have also released a new version for it: GLPI 9.5.12 archive
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - High] Unauthorized access to inventory files (CVE-2023-22500)
- [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
- [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
- [SECURITY - Moderate] XSS in RSS Description Link (CVE-2023-22724)
- [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
- [SECURITY - Low] Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)
Also, here is a short list of main changes done in this version:
- [FEATURE] Unmanaged devices can be handled like a real asset.
- [FEATURE] Handle more actions for stale inventory agents.
- [FEATURE] Added new dictionary rules for OS.
- [CHANGED] Removed glpi: prefix on console commands.
- [FIX] PHP 8.2 support.
- [FIX] Many fixes and improvements on native inventory.
- [FIX] Reservation display on self-service profile.
- [FIX] Mail collector issues with emails sent from Outlook.
- [FIX] Dashboard issues on “All” tab.
- [FIX] Ticket input is restored when submitted form is not complete.
- [FIX] Notification was not sent when ticket status was set to “pending”.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.