GLPI 10.0.7 is available!

New version GLPI 10.0.7: A new GLPI version is available.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.7 archive on GitHub.
We still maintain the 9.5 branch for security fixes, and we are also releasing a new version for it: GLPI 9.5.13 archive

Below is the list of security issues fixed in this bugfix release:

  • SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
  • Account takeover by authenticated user (CVE-2023-28632).
  • SQL injection through dynamic reports (CVE-2023-28838).
  • Stored XSS through dashboard administration (CVE-2023-28852).
  • Stored XSS on external links (CVE-2023-28636).
  • Reflected XSS in search pages (CVE-2023-28639).
  • Privilege Escalation from technician to super-admin (CVE-2023-28634).
  • Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

  • Optional GLPI router to be able to use a safer web server root directory.
  • Support of SMTP OAuth authentication.
  • Improved inventory file upload feature.
  • Many fixes and improvements on native inventory.
  • Some bugs on PHP 8.2.
  • Caching issues on entities.
  • Boolean FullText operator not working on knowledge base search.
  • Unexpected search results when using negative condition on ticket actors.
  • Issues with LDAP filters/DN.
  • Unexpected results when searching on knowledge base categories.

The full changelog is available for more details.

We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!

Download GLPI now: https://glpi-project.org/downloads/

Regards.

New Silver Partner : OPEN COMPUTACIÓN S.A.

We are happy to announce our new Silver partner in Argentina – Open Computación S.A.

 Open Computación S.A. is a company with more than 20 years in the IT field, dedicated to generating value to its customers through its services such as: server administration, hosting, helpdesk, virtualization, technical service.

 It also offers management services through tools such as GLPI, being able to adapt it to the needs of its customers.

Website: https://www.opensa.com.ar/

We are excited that the GLPI ITSM solution is increasingly represented all over the world, and that the GLPI Network subscription service (our support offer for on-premises – get your IT Infrastructure secured) will be available to more customers through our new partners.

Our large partnership network is always open for new collaborations. If you are interested in representing one of our products in your country, get in touch with us: https://glpi-project.org/contact

Being a partner means:

  • Having direct access to Teclib's tech expertise;
  • Getting special discounts;
  • Accessing official support;
  • Many other tools which will help you to gain more customers and increase reputation on the market by adding open source ITSM to your portfolio.
  • Discover all benefits of being a partner here: https://glpi-project.org/partners/

New Formcreator 2.13.4 is available!

This version is compatible with GLPI 10.0.

Upgrade from 2.13.0 or later

A database sanity check is done before running the upgrade. If the plugin's tables differ from the expected schema, the upgrade will fail with a message similar to the following:

The database schema is not consistent with the installed Formcreator 2.13.0. 
To see the logs enable the plugin and run the command bin/console glpi:database:check_schema_integrity -p formcreator

You must fix the database using the diff produced by the CLI command given in the message. Once done, try the upgrade again.

ℹ️ If you know what you are doing, you may bypass the sanity check from the CLI with the following command:

bin/console glpi:plugin:install formcreator -f -p skip-db-check

Bug Fixes

  • handle undefined setting for service catalog homepage (411ae3597)
  • typo in french locale (f61ded17a)
  • abstractitiltarget: multiple tag questions set but not displayed in designer (90f2a95d8)
  • checkboxesfield,multiselectfield: default value not displayed (8f36ab726)
  • composite: ignore link to non existing ticket (8502d4b16)
  • condition: allow longer texts (eecdf8a2a)
  • condition: display of tested question shows wrong item (5d34da8b4)
  • condition: width of question dropdown (ce0389efd)
  • dropdownfield: empty SQL IN statement when restricted tickets rights (5c5244a85)
  • form: image upload handling in header field (5dc66a5ef)
  • formanswer: default search filter hides legit access (2dc9f8e3f)
  • formanswer: malformed search option (5339b7912)
  • formanswer: missing newline between sections of fullform tag (61122bc93)
  • formanswer: temporary disable debug mode (e9e8da484)
  • formanswer, textfield, textareafield: escaping (3e0666d4d)
  • glpiselectfield: cannot set empty value by default for entity question (fe2130bbe)
  • glpiselectfield: restore entity restriction for users (e525b3a82)
  • helpdesk: better handling of users that can’t see tickets (a93f03126)
  • install: add empty schema for new version (817a9ec7e)
  • install: resync not needed in upgrade to 2.13.4 (d66a12017)
  • install: typo in method name (eac5d77ac)
  • issue: follow entity change on ticket transfer (434bd3572)
  • issues: Tooltip consistency with core (c45d21550)
  • question: subtype plural and appliance in bad group (1f780370a)
  • tagfield: php warning (cc4b673a8)
  • targetticket: allow more itemtypes to associated elements (#3155) (cee504c24)
  • textfield: useless HTML entity encode (c3d03b51e)

Features

  • drop support for GLPI 10.1 (a99a8bcb2)
  • dropdownfield: always show ticket id (0190adac9)
  • issue: access tickets from service catalog (a6b4f19d0)
  • question: add support for database sub itemtype (45126012d)
  • wizard: selectable home page in service catalog (95103fe54)

New version 10.0.6 of GLPI!

A new GLPI version is available.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.6 archive on GitHub.
We still maintain the 9.5 branch for security fixes, and we are also releasing a new version for it: GLPI 9.5.12 archive

Below is the list of security issues fixed in this bugfix release:

  • Unauthorized access to inventory files (CVE-2023-22500)
  • XSS on browse views (CVE-2023-22722)
  • XSS on external links (CVE-2023-22725)
  • XSS in RSS Description Link (CVE-2023-22724)
  • Unauthorized access to data export (CVE-2023-23610)
  • Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)

Also, here is a short list of main changes done in this version:

  • Unmanaged devices can be handled like a real asset.
  • Handle more actions for stale inventory agents.
  • Added new dictionary rules for OS.
  • Removed glpi: prefix on console commands.
  • PHP 8.2 support.
  • Many fixes and improvements on native inventory.
  • Reservation display on self-service profile.
  • Mail collector issues with emails sent from Outlook.
  • Dashboard issues on “All” tab.
  • Ticket input is restored when submitted form is not complete.
  • Notification was not sent when ticket status was set to “pending”.

The full changelog is available for more details.

We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

New version Formcreator 2.12.6 for GLPI 9.5.10 and GLPI 9.5.11

This version is compatible with GLPI 9.5.5 or later only. Users of GLPI 10 must use Formcreator 2.13 or later. Support of GLPI 9.5.4 and earlier has been dropped, see notes of version 2.11.3 to know the reason.

⚠️ This version is intended to fix compatibility with GLPI 9.5.10 and 9.5.11, which contain an upgrade of TinyMCE (used for rich text editors). Some other fixes are also available in this release; see the changelog.

⚠️ Important note: Some administrators use business rules relying on the request source field in tickets to distinguish tickets created by Formcreator. A change has been made in the plugin to allow customization of the request source via ticket templates. Target tickets without a template will lose the request source “Formcreator”. If business rules use the request source “Formcreator”, it is recommended to add a ticket template to target tickets, with a predefined field “request source” set to “Formcreator”.

Bug Fixes

  • abstracttarget: retrieve sub itemtype from question (eccf3d1a)
  • condition: empty sql IN statement (8e4d0491)
  • dropdownfield,glpiselectfield: show item ID only on user preference (53dc3aeb)
  • form: lightbulb always gray in darker theme (76a42bb4)
  • glpiselectfield: bad WHERE criteria with entities (154a3531)
  • glpiselectfield: comparison with regex (e6986b04)
  • issue: performance problem in sync issue query (0e1761c9)
  • issue: performance problem in sync issue query (74b38ec0)
  • issue: requester replaced by author on ticket update (a8580a79)
  • issue: sync issues problem when a ticket has several validators (backport 2.12) (#2971) (e3011590)
  • radiosfield: accessibility from keyboard (e528aae7)
  • targetticket: assign group actor from object (42aaadd4)
  • textareafield: compatibility with GLPI 9.10 (a325a948)
  • textareafield: compatibility with GLPI 9.5.10 (7f2ff1a9)
  • textfield: remove invalid ‘\r\n’ tokens (#3065) (da9d8dca)
  • wizard: bad label when searching KB items (f469d048)

Features

  • ldapselectfield: lazy loading (1afc6753)

Help / Contribution needed

  • Locale updates: Some languages have no maintainer or are lagging behind (much untranslated content). Please contribute on Transifex.
  • Documentation review and updates