A new version of GLPI is available.
This release fixes a few security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.11 archive on GitHub.
Below is the list of security issues fixed in this bugfix release:
- [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
- [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
- [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
On this last point, we would like to remind you that PHP 7.4 is very outdated and no longer supported by its developers!
You should upgrade to a recent version, at least 8.2 (8.0 will be outdated at the end of the year and 8.1 will receive only security fixes).
Also, here is a short list of the main changes in this version:
- [UX] Enhance pending reasons display
- [FIX] various LDAP fixes (timeout, location import, deletion/restoration scenarios)
- [FIX] several inventory fixes (unmanaged assets reconciliation, rules for phones, rules logs for discovery, Cisco stacks, removal of remote management)
- [FIX] several performance enhancements (defer entity tree loading, strong enhancement on actors loading, all assets query execution time, web cron removal, dual ajax call for tab loading)
- [TASK] highlighting of security requirements on the install/update page. Some options, such as PHP version and web folder setup, are suggested with a strong visual.
The full changelog is available for more details.
We would like to thank everyone who contributed to this new version and all those who regularly contribute to the GLPI project!
Regards.