GLPI 9.5.4
Teclib’ is happy to announce the release of GLPI 9.5.4.

This release fixes several medium-severity security issues that have recently been discovered. Updating is recommended.

You can download the GLPI 9.5.4 archive on GitHub.

Here is the list of security cases detected and fixed in this version:

  • Horizontal Privilege Escalation (CVE-2021-21326 by @indevi0us)
  • Entities switch IDOR (CVE-2021-21255 by @indevi0us)
  • XSS injection in ajax/kanban (CVE-2021-21258 by @lbpierre)
  • XSS injection on ticket update (CVE-2021-21314 by @ArianeBlow)
  • Stored XSS on documents (CVE-2021-21312 by @RedShellSec)
  • XSS on tabs (CVE-2021-21313 by @RedShellSec)
  • Stored XSS in budget type (CVE-2021-21325 by @lbpierre)
  • Remote objects instantiation (CVE-2021-21327 by @vadymsoroka)
  • Insecure Direct Object Reference (IDOR) on “Solutions” (CVE-2021-21324 by @indevi0us)

Note that some of these have been present for a long time (since version 0.68), but none of them is rated high or critical.

We also fixed a lot of bugs; here are the important ones:

  • We continue the work on stabilising the usage of the laminas/mail library:
    • Handle the RFC 5987 encoded-parameter format (filename*) in the Content-Disposition header
    • Fix email attachment decoding logic
    • Fix ticket ID fetching from email headers
  • For the dashboards:
    • Fix graph counts
    • Add search filter criteria for widget by year
    • New filter ‘my groups’
  • Misc:
    • Populate meta criteria in a generic way
    • Make an entity's custom CSS inheritable by its sub-entities
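The first fix in the mail list above concerns how an attachment's file name is read out of the Content-Disposition header. The following is an added example, not code from GLPI or laminas/mail: it resolves the name with the precedence RFC 6266 specifies (the RFC 5987 `filename*` parameter wins over plain `filename`, and RFC 2231 continuations `filename*0*`, `filename*1` ... are reassembled in order), then reduces it to a bare base name so that a crafted header cannot steer where a collector writes the document. All header values in the demo are constructed.

```python
"""Pick the attachment file name out of a mail Content-Disposition header.

Added example, not code from GLPI or laminas/mail. Handles a plain or quoted
`filename`, the RFC 5987 `filename*=charset'lang'pct-encoded` form, and
RFC 2231 continuations. Sample headers are constructed."""
import re
from urllib.parse import unquote_to_bytes

# name=value pairs after the disposition type; the value may be a quoted-string
_PARAM_RE = re.compile(r';\s*([^=;]+?)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def parse_content_disposition(header):
    """Return (disposition type, {lower-cased parameter name: raw value})."""
    dtype, _, rest = header.partition(";")
    params = {}
    for match in _PARAM_RE.finditer(";" + rest):
        name = match.group(1).strip().lower()
        value = match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape quoted-pair
        params[name] = value
    return dtype.strip().lower(), params


def decode_ext_value(value, default_charset="utf-8"):
    """Decode an RFC 5987 ext-value such as UTF-8''na%C3%AFve.pdf."""
    parts = value.split("'", 2)
    if len(parts) != 3:
        raise ValueError("malformed ext-value: %r" % value)
    charset, _lang, encoded = parts
    return unquote_to_bytes(encoded).decode(charset or default_charset, "replace")


def safe_basename(name):
    """Strip directory components and control characters; None if nothing is left."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = "".join(ch for ch in name if ch >= " " and ch != "\x7f")
    return name.strip() or None


def attachment_filename(header):
    """filename* beats filename; continuations are reassembled in index order."""
    _, params = parse_content_disposition(header)
    if "filename*" in params:
        return safe_basename(decode_ext_value(params["filename*"]))
    pieces, charset, i = [], "utf-8", 0
    while True:
        encoded, plain = "filename*%d*" % i, "filename*%d" % i
        if encoded in params:
            raw = params[encoded]
            if i == 0:  # charset and language travel only on the first section
                parts = raw.split("'", 2)
                if len(parts) == 3:
                    charset, _lang, raw = parts
                    charset = charset or "utf-8"
            pieces.append(unquote_to_bytes(raw).decode(charset, "replace"))
        elif plain in params:
            pieces.append(params[plain])
        else:
            break
        i += 1
    if pieces:
        return safe_basename("".join(pieces))
    if "filename" in params:
        return safe_basename(params["filename"])
    return None


if __name__ == "__main__":
    for h in (
        'attachment; filename="report.pdf"',
        "attachment; filename*=UTF-8''na%C3%AFve%20data.pdf",
        "attachment; filename=\"fallback.txt\"; filename*=iso-8859-1'en'caf%E9.txt",
        "attachment; filename*0*=UTF-8''r%C3%A9sum; filename*1*=%C3%A9; filename*2=\".pdf\"",
        "attachment; filename*=UTF-8''..%2F..%2Fshell.php",  # traversal attempt
    ):
        print(repr(attachment_filename(h)))
```

The last sample shows why the base-name step matters: after percent-decoding, `..%2F..%2Fshell.php` is `../../shell.php`, and only `shell.php` survives. Whatever name comes out should still be treated as untrusted input when the file is stored.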

The full changelog is available for more details.

We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!

Need professional support? Check our options here: https://glpi-project.org/subscriptions/

GLPI 9.5.3

Teclib’ is happy to announce the release of GLPI 9.5.3.

This release fixes medium-severity security issues that have recently been discovered. Updating is recommended.

You can download the GLPI 9.5.3 archive on GitHub.

Here is the list of security cases detected and fixed in this version:

  • Every CalDAV calendar is readable (read-only access) by any authenticated user (CVE-2020-26212)
  • Insecure Direct Object References in ajax files (CVE-2020-27662 and CVE-2020-27663)

Note that some of these have been present for a long time (since version 0.68), but none of them is rated high or critical.

We also fixed a lot of bugs; here are the important ones:

  • We continue the work on stabilising the usage of the laminas/mail library:
    • Attachments with a specific Content-Disposition were not imported as documents.
    • Some HTML mails were imported as plain text (with raw HTML left in the ticket description).
  • For the dashboards:
    • Bar and line graphs were not animated correctly in recent versions of Chromium-based browsers.
    • Default pages for users without a dashboard were empty.
    • Added some missing filters: tech users and tech groups.
  • Misc:
    • A new CLI command to set GLPI configuration values.
    • Response time of the personal tab on the index page is now improved.
    • PHP 8 compatibility.

The full changelog is available for more details.

We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!

Oauth authentication for mail receivers

A while ago, Microsoft and Google announced that they would turn off basic (password) authentication for IMAP access to mailboxes on Office 365 and G Suite.

The current crisis has led them to postpone the termination deadlines to 2021, but from October 2020, in particular for Azure / Office 365, new accounts will have basic authentication disabled by default (it will still be possible to re-enable it until next year).

To get ahead of this end of life, we developed a small plugin, available to the GLPI community, which lets you set up an OAuth connection to these services.

It lets you declare an OAuth client from a list of providers and then use this client in your mail collectors:

Screenshot: mail receiver with OAuth client
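What the collector actually sends to the IMAP server once it holds an OAuth 2.0 access token is the SASL XOAUTH2 initial client response, `user=<mailbox>\x01auth=Bearer <token>\x01\x01`, base64-encoded as the argument of `AUTHENTICATE XOAUTH2` (the format Google and Microsoft document). The following is an added example, not code from GLPI or from the plugin described above. Besides building and parsing that message it shows two checks a collector needs around it: refusing to present a token that is expired or about to expire, and decoding the base64 JSON continuation the server returns when it rejects the token. The mailbox, token and expiry values are constructed placeholders.

```python
r"""What an OAuth-enabled mail collector sends to IMAP instead of a password.

Added example; not code from GLPI or its OAuth plugin. Builds, parses and
checks the SASL XOAUTH2 initial response, plus the expiry and error-handling
logic around it. Mailbox, token and expiry values are constructed."""
import base64
import imaplib
import json
import time

SEP = "\x01"  # field separator of the XOAUTH2 message


def xoauth2_initial_response(mailbox, access_token):
    """Raw (not yet base64) XOAUTH2 client response."""
    if not mailbox or not access_token:
        raise ValueError("mailbox and access token are required")
    # A value containing the separator or a line break could inject extra
    # SASL fields or IMAP lines, so refuse it rather than encode it.
    for value in (mailbox, access_token):
        if any(ch in value for ch in SEP + "\r\n"):
            raise ValueError("illegal character in XOAUTH2 credential")
    return "user=" + mailbox + SEP + "auth=Bearer " + access_token + SEP + SEP


def xoauth2_b64(mailbox, access_token):
    """The literal argument sent after AUTHENTICATE XOAUTH2."""
    raw = xoauth2_initial_response(mailbox, access_token).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_xoauth2_b64(argument):
    """Inverse of xoauth2_b64: returns (mailbox, access_token) or raises."""
    raw = base64.b64decode(argument).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminating separators")
    fields = dict(part.split("=", 1) for part in raw[:-2].split(SEP))
    scheme, _, token = fields["auth"].partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("auth field is not a Bearer token")
    return fields["user"], token


def token_usable(expires_at, now=None, skew=60):
    """True while the token stays valid for at least `skew` more seconds.
    A collector polling every few minutes should refresh before this turns False."""
    now = time.time() if now is None else now
    return expires_at - skew > now


def decode_sasl_failure(continuation):
    """Decode the '+ <base64 JSON>' continuation a server sends on a rejected token.

    Google documents the body as JSON with "status", "schemes" and "scope";
    the client answers the continuation with an empty line, after which the
    tagged NO arrives. Returns the decoded dict."""
    payload = continuation[2:] if continuation.startswith("+ ") else continuation
    return json.loads(base64.b64decode(payload).decode("utf-8"))


def imap_login_xoauth2(host, mailbox, access_token, expires_at):
    """Open an IMAP-over-TLS session and authenticate with XOAUTH2 (needs network; not run here)."""
    if not token_usable(expires_at):
        raise RuntimeError("access token expired or about to expire; refresh it first")
    conn = imaplib.IMAP4_SSL(host)
    state = {"sent": False}

    def respond(_challenge):
        if state["sent"]:
            return b""  # error continuation already received: answer with an empty line
        state["sent"] = True
        # imaplib base64-encodes the callback's return value itself
        return xoauth2_initial_response(mailbox, access_token).encode("utf-8")

    conn.authenticate("XOAUTH2", respond)  # raises imaplib.IMAP4.error on NO
    return conn


if __name__ == "__main__":
    print(xoauth2_b64("svc-glpi@example.com", "ya29.constructed-token"))
    print(decode_sasl_failure("+ eyJzdGF0dXMiOiI0MDAifQ=="))
```

The access token replaces the mailbox password on the wire, so it deserves the same handling: store it and the refresh token encrypted at rest, never log the base64 argument, and refresh rather than retry when `decode_sasl_failure` reports a 4xx status.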

You can now download this plugin via the integrated marketplace of GLPI 9.5 or from the plugins catalog.

If you wish to obtain official support and want to secure your GLPI instance, don’t hesitate to contact us using this form or purchase online here: Services.

GLPI 9.5.2

After several weeks, Teclib’ is happy to announce the release of GLPI 9.5.2.

This release fixes several security issues that have recently been discovered. Updating is strongly recommended.

You can download the GLPI 9.5.2 archive on GitHub.

Here is the list of security flaws detected and fixed in this version:

  • SQL injection through a query parameter of the user form (CVE-2020-15176)
  • Removal of the .htaccess file in the files folder via a plugin endpoint (CVE-2020-15175)
  • Information leak in the knowledge base (CVE-2020-15217)
  • Stored XSS in install script (CVE-2020-15177)
  • Minor SQL Injection in Search API (CVE-2020-15226)

Note that some of these have been present for a long time (since version 0.68).

We also fixed a lot of issues; here are the important ones:

  • Mail collector (mailgate) issues:
    • encoding errors
    • missing images in some tickets
    • exceptions on some particular messages
  • A small PHP notice (listTables) was shown while updating to 9.5.1.
  • In some rare cases, the password encryption process could fail.
  • For the dashboards:
    • fix user preferences
    • fix the mini dashboard overlapping the tickets list

And we worked on improving the dashboards:

  • new summary widget
  • new articles widget
  • display labels on point and bar (with a new available option)
  • cards have now a minimum size
  • we added personal filters: toggle edit mode and add filters at the top of a dashboard.

The full changelog is available for more details.

We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

GLPI 9.5.1: bugfix release.

After several days, Teclib’ is happy to announce the release of GLPI 9.5.1.

This release fixes a security issue that has recently been discovered. Updating is strongly recommended.

You can download the GLPI 9.5.1 archive on GitHub.

You’ll find below the list of changes in this bugfix version:

  • SQL injection in the new clone feature
  • fixed the alignment of some table columns
  • added domains to the global search and to Assets > Global
  • fixed several problems with email retrieval via mail collectors
  • fixed several display problems in the planning
  • fixed the marketplace registration key input (and added error display)
  • and others.

The full changelog is available for more details.

We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

GLPI 9.5: release candidate 2.

Since the release candidate of GLPI 9.5 was published 15 days ago, you have reported a number of small issues, which have now been fixed, including:

  • Planning display was broken,
  • The warning about missing dependencies during installation or update was absent,
  • Inability to register to access the marketplace,
  • Missing translations,
  • and others

Today we are publishing a new RC for you to test these improvements.

Unless a major problem is detected, the next version will be the final stable release.

HOW CAN YOU HELP US?

Download the RC2 archive, test the migration and the new features (and the existing ones too), and report the issues you encounter on the bug tracker (tag it as ).

Translators, please add the missing strings for your language on Transifex.