Important message about security (CVE-2022-35947, CVE-2022-35914)!

We published corrective versions (9.5.9 and 10.0.3) on September 14, 2022.

These fix two critical security vulnerabilities: a SQL injection (CVE-2022-35947) and a remote code execution (CVE-2022-35914, a vulnerability in the third-party library htmLawed). The latter has been massively exploited since October 3, 2022 to execute code on insecure, internet-facing servers hosting GLPI (GLPI Network Cloud instances are not impacted).

If you are not on the latest version, 9.5.9 or 10.0.3, you must update your instances using the recommended method (into an empty folder, without overwriting existing GLPI files).

We noticed a scenario in which the corrective versions can also be impacted: when the GLPI update was performed by unpacking the archive over the existing folders and files, so that files the new version no longer ships (such as the vulnerable htmLawedTest.php) stay in place. We insist that this way of updating GLPI is bad practice: beyond the current security problem, it exposes you to bugs.

We invite you to correctly re-install your GLPI as indicated in the documentation:

  • start from an empty folder
  • copy the files from the archive of the latest version
  • restore your config/ and files/ directories from the old instance.

Workarounds to deal with the RCE urgently (these do not fix the SQL injection):

  • delete the vendor/htmlawed/htmlawed/htmLawedTest.php file (be careful not to touch the htmLawed.php file next to it, which is the legitimate library).
  • prevent web access to the vendor/ folder, for example by placing an adequate .htaccess file there in the case of Apache.
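As an added example (not tooling from GLPI or from this advisory), the POSIX shell script below applies both workarounds to an installation root passed as its argument and reports whether the stale test script is still present, which is exactly the state left behind by an "unpack over the existing files" upgrade. It assumes Apache with AllowOverride enabled for the GLPI document root; the install path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not GLPI's own code. Applies the advisory's two RCE
# workarounds to a GLPI root given as $1 and checks the result.
# Assumes POSIX sh and Apache honouring .htaccess (AllowOverride) for the docroot.

VULN_REL="vendor/htmlawed/htmlawed/htmLawedTest.php"

# Returns 0 if the exploitable test script is present under the given root.
# A leftover copy is the signature of an in-place "unpack over" upgrade.
glpi_has_htmlawed_test() {
    [ -f "$1/$VULN_REL" ]
}

# Remove only htmLawedTest.php; htmLawed.php next to it is the legitimate library.
glpi_remove_htmlawed_test() {
    if glpi_has_htmlawed_test "$1"; then
        rm -f "$1/$VULN_REL"
        echo "removed $1/$VULN_REL"
    fi
}

# Write a vendor/.htaccess that denies all web access (Apache 2.4 and 2.2 syntax).
glpi_deny_vendor_web_access() {
    cat > "$1/vendor/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Apply both workarounds; returns 0 only if the test script is gone afterwards.
glpi_apply_workarounds() {
    glpi_remove_htmlawed_test "$1"
    glpi_deny_vendor_web_access "$1"
    ! glpi_has_htmlawed_test "$1"
}

# Usage: sh fix_glpi_htmlawed.sh /var/www/glpi   (path is an assumption)
if [ "$#" -gt 0 ]; then
    glpi_apply_workarounds "$1"
fi
```

The .htaccess only takes effect where Apache allows overrides; otherwise put the same directives in a `<Directory>` block of the virtual host. This does nothing for the SQL injection, so updating correctly is still required.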

If your server has already been compromised, you should probably start from a fresh server, into which you import your SQL dump and the folders mentioned above.

Formcreator 2.13.1 – bugfixes

This version is compatible with GLPI 10.0.

⚠️ You must upgrade from a previous stable version. Upgrading from a development or testing version is not supported.

Bug Fixes

  • inverted existence test on ticket update (2acc5cd4)
  • log more errors, and update obsolete error logging (ae28ed6d)
  • restore page redirections existing in v2.12 (582f926c)
  • update obsolete error logging (da8929e0)
  • abstractitiltarget: glpi 10.0.3 will require a data with a valid value (5f385bb8)
  • actorfield: default value not saved (c3baebbe)
  • actorfield: php warning (6d3e98d1)
  • checkboxesfield: replace div with p in checkboxes answers (9ef95343)
  • composite: php warning breaks JSON if a ticket is not generated (2108983c)
  • descriptionfield: bad form rendering (87a74058)
  • filefield: php error when switching field type to file (a03c7a0a)
  • form: javascript (f05bc697)
  • form: list on self service homepage (ba6d4a58)
  • form: undefined var (169d2c8e)
  • form: url to form answer lists may be invalid (6cd29e6d)
  • install: avoid alter table fail (4dadea8a)
  • install: missing method in upgrade to 2.13.1 (7e9cdcd5)
  • issue: issue not deleted when ticket goes to trash bin (c977b1ca)
  • issue: purge issue when deleting associated ticket (76444ecc)
  • issue: recreate when restore ticket (2656e284)
  • item_targetticket: uuid to ID conversion (e9f326c0)
  • section: name encoding in designer and rendered form (491dcb69)
  • targetticket: bad constant name (48dda4f3)
  • targetticket: table structure inconsistency (ff56f3f1)
  • targetticket: table structure inconsistency (892a83c3)
  • targetticket, targetchange: tags from question or specific tags not saved (ec08d95e)

Features

  • prepare compatibility with PHP 8.2 (#2966) (4bb7f3c3)
  • formanswer,issue: show title in navigation header (1878e4b0)
  • kb: preselect see all categories (1b669d4f)

Help / Contribution needed

Locale updates: some languages don’t have a maintainer, or are behind (much untranslated content). Please contribute on Transifex.

Formcreator 2.13.0 – final release!

This version is compatible with GLPI 10 only.

Documentation has been reviewed and updated.

Bug Fixes

  • cannot delete a ticket from service catalog (acec9bb8)
  • abstractitiltarget: alternative email lost if no requester user (78fd8450)
  • abstracttarget: uuid should not be updated (b1e492d3)
  • checkboxesfield: avoid HTML br tag (c3a60bbb)
  • condition: compatibility with Advanced forms validation (6685b943)
  • descriptionfield: conversion to target requires escaping (b79cfa95)
  • filefield: mandatory check may cause exception (3f711a54)
  • form: PHP warning (844ef96c)
  • form: bad URL when using advanced form validation plugin (adb9fba5)
  • formanswer: grid style updated for current version of gridstack (85b6a686)
  • formanswer: select inherited class if needed (955dc969)
  • formanswer: update gridstack css (70deaa06)
  • glpiselectfield: missing entity restrict (40c9ab73)
  • install: prevent useless warnings (001d12f5)
  • install: use modern settings for tables (f04e4181)
  • issue: remove duplicate item in status dropdown (27f9f313)
  • ldapselectfield: log LDAP error instead of showing it to user (e170dc6f)
  • ldapselectfield: no translation for items (d170c79c)
  • targetticket: prevent exception in inconsistent target ticket (ba6ed88e)
  • textarea: on change event broken (9fb70edb)
  • textarea: rn chars added between lines (66571b80)
  • textarea, entityconfig: embedded image question description (#2901) (0d78db1a)
  • textareafield: embedded image upload broken (d58075cd)
  • textareafield: missing escape before compare (ba78e935)

Features

  • formanswer: order formanswers by date desc (7fdeda51)
  • ldapselectfield: lazy loading (bffcb5b7)

Help / Contribution needed

Locale updates: some languages don’t have a maintainer, or are behind (much untranslated content). Please contribute on Transifex.


GLPI SUCCESS CASES

YK Pao School

Colin Chen, Director of Technology:

“One of the handy functions I found with GLPI is the asset association with users; it’s very useful when users can connect with their own device when they try to submit a ticket.”

About the company

YK Pao School is a pioneering international Chinese school. The school is a private non-profit institution founded in 2007, in memory of shipping magnate Sir Yue-Kong Pao, the renowned Chinese businessman, statesman and philanthropist.

With around 1600 students from China and overseas, the school offers a unique Year 1-12 educational programme that integrates elements of the Shanghai and international curricula, culminating in the IGCSE and IB Diploma programmes, both of which are complemented by core components of the Shanghai curriculum.

Challenge

GLPI helped us to quickly build up the IT asset management system and an out-of-the-box solution for ticket management. The highlight function of AD integration is very important if you want to quickly build a solution for everyone in the organization. One of the handy functions I found with GLPI is the asset association with users; it’s very useful when users can connect with their own device when they try to submit a ticket.

Requirements

We use Asset Management the most; it has been super helpful since 0.85 with the Dashboard plugin. We also use the Helpdesk/Change – Problem Management feature. Financial management was integrated with asset management, which is also important when you want to develop a long-term strategy for your asset management.

GLPI solution

Colin Chen, Director of Technology: “It was way back when I was at university; I was interested in open source solutions and GLPI was the leading platform for IT asset and ticket management.

The first version I tried, I guess, should be 0.7x. At YK Pao School, GLPI helped us to quickly build up the IT asset management system and an out-of-the-box solution for ticket management.

The highlight function of AD integration is very important if you want to quickly build a solution for everyone in the organization. One of the handy functions I found with GLPI is the asset association with users; it’s very useful when users can connect with their own device when they try to submit a ticket.”


Do you use GLPI and want to share your experience?

We are proud to state that our solution is used by millions of people worldwide. If you are one of them and want to contribute to its promotion, we invite you to leave your contact details.

We will be delighted to hear your story!


GLPI SUCCESS CASES

Drogarias Retiro

Italo Menezes, IT Analyst:

“Now we can manage our own problems, providing our customers with the forms created on the platform and helping them to fix their problems, locally or by remote access.”

About the company

Pharmaceutical sector. Founded in 1974, Drogaria Retiro is a chain of pharmacies that has been serving its customers with care and dedication for 47 years.

Today they have more than 60 stores and more than 1,000 employees, making them one of the largest employers in the commerce sector of the South Fluminense region.

Challenge

Getting control of the tickets.

Requirements

We use GLPI Helpdesk to handle the tickets of our customers and to schedule maintenance on their sites.

GLPI solution

Italo Menezes, IT Analyst: “Now we can manage our own problems, providing our customers with the forms created on the platform and helping them to fix their problems, locally or by remote access.

My GLPI experience has been very productive; combined with the Formcreator and Behavior plugins, we can now have a better view of the issues in our company. With some time spent learning how the plugins work, we customized it totally for our use.”
