New silver partner in Burkina Faso: CVP

We are happy to announce our new Silver partner in Burkina Faso: CVP.

CVP is a Digital Services Company (ESN) that has offered solutions for business information systems for more than 18 years (outsourcing, systems integration, systems and networks, IT audit).

As part of the partnership established with us, CVP’s teams support customers in the success of their projects to set up a service management solution with GLPI.

They are with you at all stages of the project: initiation, planning, execution, control and closure.

They offer the following services:

  • Outsourcing;
  • Internet services;
  • Trainings;
  • Audit and advice;
  • Software and hardware sales;
  • System and network;
  • Software engineering;
  • Energy and telecommunications.

Website: https://bit.ly/45inMwi

We are excited that the GLPI ITSM solution is becoming more and more represented all over the world, and that the GLPI Network subscription service (our support offer for on-premises – get your IT Infrastructure secured) will be available to more customers through our new partners.

Our large partnership network is always open for new collaborations. If you are interested in representing one of our products in your country, get in touch with us: https://glpi-project.org/contact_us/

Being a partner means:

  • Having direct access to Teclib's tech expertise;
  • Getting special discounts;
  • Accessing official support;
  • Many other tools which will help you to gain more customers and increase reputation on the market by adding open source ITSM to your portfolio.

Discover all benefits of being a partner here: https://glpi-project.org/partners/

Teclib goes to Embrunman in 2023.

 

In a few hours our colleague Christian Osorio will start one of the most prestigious races – Embrunman 2023. Here he shares his feelings and thoughts with us before the triathlon starts:

 

“With only a few hours left before the EmbrunMan event, I’m starting to feel a good kind of nervousness! I’ve been getting ready for this day for 8 months, working with my Club members, family, and friends. It’s all been leading up to August 15.

As the time goes by, I’m feeling more and more excited and happy. I can’t help but imagine myself crossing the finish line tomorrow during the race!

Christian Osorio prepares for Embrunman 2023.

The bike ride I’m going to do will be the longest one I’ve ever done. But I feel prepared because I’ve been training with my coach and the Les Sardines Triathlon Marseille Club.

The plan for eating and drinking is all set! I’ve included my race plan and imagined how it will go”.

The importance of preparation before the race:

This is what I’ll use during the race in the three different parts. Each thing has an important job, and I can’t forget anything. If I do, I’ll have to make choices during the race to adjust my speed, stop to eat and drink at the planned times, and change how I get my energy and water. The weather will be very hot, so I think I’ll need to drink about 800ml of water every hour for 12 hours. I’ll also eat about 66g of sugar every hour for 12 hours, and I’ll have to keep taking minerals to help my body hold onto water. To stay safe in the sun, I’ll wear a white helmet, a cap, and use SPF 50 sunscreen for kids! I’ve got the tools to change my bike tire two times if I need to.

Embrunman 2023:

Wow, I’m so excited to do this race with a big uphill climb of over 400 meters! I want to feel every step of the way up to the 42nd kilometer. I know there will be times when I feel sure of myself, times when I doubt, feel scared, zone out, and even times when everything seems unclear. But these moments will make me think and grow, and I’ll make important choices.

This kind of challenge is like practice for life. It will help me handle everyday challenges calmly, with discipline and accuracy! I’ll be really happy when I finish this triathlon that I’m looking forward to so much. I hope I’ll have a medal around my neck tomorrow! 🏅

Teclib x Christian are getting ready!

GLPI 10.0.9

Following the last release, 10.0.8, a few annoying issues have been detected:

  • Update script uses a SQL function incompatible with MySQL 5.7 (#15141)
  • Private follow-ups and tasks are invisible to users with appropriate rights (#15128)

At the same time, a moderate security advisory has been reported (SQL injection in dashboard administration – CVE-2023-37278) and fixed in this release.

We released a new version to address these bugs. You can download the GLPI 10.0.9 archive on GitHub.

Important message about security (CVE-2022-35947, CVE-2022-35914)!

We published corrective versions on September 14, 2022:

These fix two critical security vulnerabilities: a SQL injection (CVE-2022-35947) and a remote code execution (CVE-2022-35914, a vulnerability in the third-party library htmlawed). The latter has been massively exploited since October 3, 2022 to execute code on insecure servers that host GLPI and are reachable from the internet (GLPI Network Cloud instances are not impacted).

If you are not on the latest version 9.5.9 or 10.0.3, you must update your instances according to the recommended method (from an empty folder, without overwriting existing GLPI files).

We noticed there is a scenario where the corrective versions can also be impacted: when a GLPI update has been performed by unpacking the archive over the existing folders and files. We insist that this way of updating GLPI is bad practice and, quite apart from the current security problem, exposes you to bugs.

We invite you to correctly re-install your GLPI as indicated in the documentation:

  • from an empty folder
  • copy the files from the archive of the latest version
  • get your config/ and files/ directories from the old instance.

Workarounds to deal with the RCE urgently (these do not fix the SQL injection):

  • delete the vendor/htmlawed/htmlawed/htmLawedTest.php file (be careful not to touch the htmLawed.php file which is legitimate).
  • prevent web access to the vendor/ folder by setting (in the case of Apache for example) an adequate .htaccess.
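
A file-system check for the two workarounds above, as an added example that is not GLPI project code. The function names and the deny-all matching are assumptions, and the check cannot confirm that Apache actually honours the .htaccess file (that depends on AllowOverride in the server configuration).

```python
import json
import sys
from pathlib import Path

# Paths relative to the GLPI root, as given in the workaround text.
TEST_SCRIPT = Path("vendor/htmlawed/htmlawed/htmLawedTest.php")
LEGIT_LIB = Path("vendor/htmlawed/htmlawed/htmLawed.php")
VENDOR_HTACCESS = Path("vendor/.htaccess")

# Deny-all directives in Apache 2.4 and legacy 2.2 syntax.
DENY_DIRECTIVES = ("require all denied", "deny from all")


def htaccess_denies_all(path: Path) -> bool:
    """True if the file holds an uncommented deny-all directive."""
    if not path.is_file():
        return False
    for raw in path.read_text(errors="replace").splitlines():
        line = " ".join(raw.split()).lower()  # normalise spacing and case
        if line in DENY_DIRECTIVES:           # commented lines never match
            return True
    return False


def audit_glpi_root(root) -> dict:
    """Report the state of both workarounds for one GLPI directory."""
    root = Path(root)
    findings = {
        # Should be False: this is the file the workaround deletes.
        "test_script_present": (root / TEST_SCRIPT).is_file(),
        # Should be True: htmLawed.php is legitimate and must stay.
        "legit_library_present": (root / LEGIT_LIB).is_file(),
        "vendor_denied_by_htaccess": htaccess_denies_all(root / VENDOR_HTACCESS),
    }
    # Test script on disk and nothing on disk blocking vendor/.
    findings["rce_file_reachable"] = (
        findings["test_script_present"]
        and not findings["vendor_denied_by_htaccess"]
    )
    return findings


if __name__ == "__main__":
    # Usage: python audit_glpi.py /path/to/glpi
    print(json.dumps(audit_glpi_root(sys.argv[1]), indent=2))
```

Run it against every GLPI directory on the host, including instances that were updated by unpacking an archive over the old files.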

If your server has already been compromised, you probably need to start from a new server, onto which you will import your SQL dump and the folders mentioned above.

Formcreator 2.13.0 – final release!

This version is compatible with GLPI 10 only.

documentation review and updates

Bug Fixes

  • cannot delete a ticket from service catalog (acec9bb8)
  • abstractitiltarget: alternative email lost if no requester user (78fd8450)
  • abstracttarget: uuid should not be updated (b1e492d3)
  • checkboxesfield: avoid HTML br tag (c3a60bbb)
  • condition: compatibility with Advanced forms validation (6685b943)
  • descriptinfield: conversion to target requires escaping (b79cfa95)
  • filefield: mandatory check may cause exception (3f711a54)
  • form: PHP warning (844ef96c)
  • form: bad URL when using advanced form validation plugin (adb9fba5)
  • formanswer: grid style updated for current version of gridstack (85b6a686)
  • formanswer: select inherited class if needed (955dc969)
  • formanswer: update gridstack css (70deaa06)
  • glpiselectfield: missing entity restrict (40c9ab73)
  • install: prevent useless warnings (001d12f5)
  • install: use modern settings for tables (f04e4181)
  • issue: remove duplicate item in status dropdown (27f9f313)
  • ldapselectfield: log LDAP error instead of showing it to user (e170dc6f)
  • ldapselectfield: no translation for items (d170c79c)
  • targetticket: prevent exception in inconsistent target ticket (ba6ed88e)
  • textarea: on change event broken (9fb70edb)
  • textarea: rn chars added between lines (66571b80)
  • textarea, entityconfig: embedded image question description (#2901) (0d78db1a)
  • textareafield: embedded image upload broken (d58075cd)
  • textareafield: missing escape before compare (ba78e935)

Features

  • formanswer: order formanswers by date desc (7fdeda51)
  • ldapselectfield: lazy loading (bffcb5b7)

Help / Contribution needed
Locales updates: Some languages don’t have a maintainer, or are behind (much untranslated content). Please contribute on Transifex.

Check the changelog & download

GLPI is NOT affected by the Log4j vulnerability CVE-2021-44228

 

 

A newly revealed critical vulnerability impacting Apache Log4j was disclosed and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system.

We would like to assure all users that GLPI core and its plugins, being written in PHP and not using Log4j, are not affected by the Log4Shell vulnerability.

Exploiting this vulnerability requires a Java Virtual Machine and the org.apache.logging.log4j.core.lookup.JndiLookup Java class in a vulnerable version. Neither is included or used in GLPI distributions.

We can also confirm that:

  • GLPI Android Agent (written in Java) doesn’t use the Log4j library, and thus is not affected by the Log4Shell vulnerability
  • GLPI Agent (written in Perl) is not affected by the Log4Shell vulnerability

Warning: this does not rule out that layers or tools upstream of GLPI (reverse proxy, firewall, etc.) or connected to GLPI, which we are not aware of in your context, are impacted.

For example, if you have a Metabase server connected to GLPI, you should note that Metabase (<0.41.4) is affected by the Log4j vulnerability, and you should update it ASAP!
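
To check the upstream and connected Java tools the warning refers to, the following added example (not code from GLPI or Teclib) lists every archive under a directory that contains the JndiLookup class named above, including archives nested inside other archives. The function names and the nesting limit are assumptions; a hit only shows the class is present, so the Log4j version still has to be checked.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class the text above names as required for exploitation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
MAX_DEPTH = 4  # assumed limit for archives nested inside archives


def _scan_zip(source, label, depth, hits):
    """Scan one archive (path or in-memory bytes) and recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return  # not a readable zip archive, skip it
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_CLASS):
                # Also matches prefixed copies such as WEB-INF/classes/...
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                inner = io.BytesIO(zf.read(name))
                _scan_zip(inner, f"{label}!{name}", depth + 1, hits)


def find_jndilookup(root):
    """Return the locations of JndiLookup.class found under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_zip(path, str(path), 0, hits)
    return hits


if __name__ == "__main__":
    # Usage: python find_jndilookup.py /opt
    for hit in find_jndilookup(sys.argv[1]):
        print(hit)
```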

Documentation: