A new GLPI version is available.

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.11 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

  • Authenticated SQL Injection (CVE-2023-43813)
  • SQL injection through inventory agent request (CVE-2023-46727)
  • Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)

On this last point, we wanted to recall the 7.4 version of PHP is very outdated and not supported anymore by the developers!
You should upgrade on a recent version, at least 8.2 (8.0 will be outdated at the end of the year and 8.1 will be only with security fixes).

Also, here is a short list of main changes done in this version:

  • Enhance pending reasons display
  • various LDAP fixes (timeout, location import, deletion/restoration scenarios)
  • several inventory fixes (unmanaged assets reconciliation, rules for phones, rules logs for discovery, Cisco stacks, removal of remote management)
  • several performance enhancements (defer entity tree loading, strong enhancement on actors loading, all assets query execution time, web cron removal, dual ajax call for tab loading)
  • highlights of security requirements on install/update page. Some options like PHP versions, web folder setup are suggested with a strong visual.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.