New version 10.0.6 of GLPI!

A new GLPI version is available.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.6 archive on GitHub.
We still maintain the 9.5 branch for security fixes, and we are also releasing a new version for it: GLPI 9.5.12 archive.

You will find below the list of security issues fixed in this bugfix release:

  • Unauthorized access to inventory files (CVE-2023-22500)
  • XSS on browse views (CVE-2023-22722)
  • XSS on external links (CVE-2023-22725)
  • XSS in RSS Description Link (CVE-2023-22724)
  • Unauthorized access to data export (CVE-2023-23610)
  • Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)

Also, here is a short list of main changes done in this version:

  • Unmanaged devices can be handled like a real asset.
  • Handle more actions for stale inventory agents.
  • Added new dictionary rules for OS.
  • Removed glpi: prefix on console commands.
  • PHP 8.2 support.
  • Many fixes and improvements on native inventory.
  • Reservation display on self-service profile.
  • Mail collector issues with emails sent from Outlook.
  • Dashboard issues on “All” tab.
  • Ticket input is restored when submitted form is not complete.
  • Notification was not sent when ticket status was set to “pending”.

The full changelog is available for more details.

We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

GLPI news and work in progress (Fall 2022). 

The presentation is hosted by Alexandre Delaunay, in charge of the GLPI development team and the product owner for GLPI. 

In this video he talks about the roadmap and some features the development team wants in GLPI for the next major version. Here is the transcription:

“To keep the presentation short, we will discuss only:

– Major topics

– Or very graphical ones

And I would like to insist on the fact that there are no promises of time regarding the delivery.

We will try our best to add the features, but in function of how the year will go, some will be OK, others not.  

  1. Assets genericity. 

Now, we have in our marketplace 2 plugins to address generic adds: 

– Genericobject 

– Fields 

We want to add the possibility to let you customize each type of objects displayed in the Assets menu (at first). 

The first part of that is to let you define your types. 

We will provide a list of predefined types matching the current assets list and let you add new ones if you want. Like servers in addition to desktop or laptop computers. Or to do something completely different from IT management, e.g: cars, desks, etc. 

Some of the current types will still be not removable like Software, Rack, Cable, Cartridge and Consumable. The reason is their behavior, or their presentation differs from other assets. 

You will still be able to disable these if you want but deletion will be impossible. 

So, GENERICITY covers the creation of new asset types. 

  2. Assets composition

In addition, on the same setup page, you will be able to define which capacity an asset type uses.

E.g. contracts, management, etc., COMPOSITION of an asset type, with some checkboxes to select capacities. 

This permits you to remove or add tabs to the object. 

Or if an object can be inventoried by an agent.

  3. GLPI Agent

Let us talk a little about features related to the GLPI inventory agent. 

Remote inventory reminder. 

Before talking about roadmap, let us do a quick reminder about remote inventory feature.

This is a task you can set up for an agent to let it query other computers on your network to construct an inventory file for each. 

The single agent will aggregate all inventory files and send them in one pass to the inventory API of GLPI. 

So, the main purpose is to have only one deployed agent. 

We use SSH and WinRM protocols to achieve that.  

GLPI Agent – Roadmap (1/2). 

The first point we want to improve is to ease the inventory process of your network. 

We currently have two tasks: 

– discovery, which “pings” addresses in an IP range

– network inventory, which takes the result of the discovery to do a full SNMP inventory for network equipment and printers. 

We will change the process, by: 

– adding remote inventory of COMPUTERS 

– and letting the discovery task directly do a FULL inventory if it knows the type of the remote device. An SNMP query for network equipment, SSH or WinRM queries for computers.

With one unified task and one setup, we aim to let you discover all your network devices. 

The two last bullet points describe things required by unified discovery. The new toolbox UI will receive forms: 

– to plan tasks for the agent. 

– to save credentials, like SNMP community, login password couple for Windows domain or public key for an SSH connection. In summary, any information to let the agent connect to a remote device.

GLPI Agent – Roadmap (2/2) 

We thought about rewriting a large part of the agents, and we shortlisted Golang for that. 

The fact is that the agent is written in the Perl language.

Recently, finding developers comfortable with this language has been hard. 

We will try a prototype within the year to measure our capacity to switch to this new language. 

We plan also to enforce exchange between agents and backend by adding authentication and registration flows. This will be recommended but you will be able to do simple exchanges if you prefer. 

And we still need to redo all forms to drive remotely the agent in GLPI UI. 

This is still planned. 

  4. GLPI

Let us talk a bit about features related to the GLPI web application. 

High-level API (1/2) 

Firstly, we will add a new API, again. 

We observe that, although the old one permits more usage, due to its low-level connection with the framework, it is hard to maintain its stability and avoid regression.

We maintain an interface to address deprecation for this previous API, but it is getting harder and harder to do.

So, a new API connected to a higher level with stabilized endpoints and parameters. 

And we took advantage to add some comfort features: 

– we have a dedicated UI based on Swagger UI to ease discovering and testing endpoints and their parameters 

– we also use RSQL, a common Query language for filtering API. 

High-level API (2/2) 

For the second slide, you can see in action a GET request to list users in GLPI database. 

  5. DCIM

 We want to extend the datacenter features in the next version. Mainly about adding graphical views. 

DCIM – Network equipment’s panels 

 The first and the simpler one is graphical panel for network ports list in equipment forms. 

We will take the front and rear pictures defined in the model of the equipment and display them above the ports list. 

The user will get information about each port directly on the picture panel by hovering them. 

A single click on a port will scroll the page to the good line to get more information. 

In the model setup, you will have a new tab to draw each port’s position. 

DCIM – Graphical enclosures (1/2) 

In the same way, slots of an enclosure can be drawn and indexed to indicate to GLPI where sub items can be placed. 

DCIM – Graphical enclosures (2/2) 

On a rack view where an enclosure is inserted, instead of a single blank rectangle, slots will be displayed and usual controls available, like hovering or clicking to get more information. 

DCIM – Graphical connections 

Finally, for DCIM part, we will try to add some representation for network or power connections. 

The goal is to get links between equipment. 

This is early to talk about this, we have short specifications for this, and it requires more research to find a library, for example. 

Keep in mind the current screenshot does not represent any existing development. 

  6. Misc

Workflows – Processes 

We have a functional prototype for this. 

A new view to let GLPI administrators set up their business processes.

With steps, transitions, conditions and actions, a full toolkit to describe a full workflow. 

This aims to replace legacy rules. 

And for a start, it will be available for assistance objects like tickets or change. 

Nutanix inventory import 

 Another development currently in alpha is the connector to Nutanix API to get: 

– Clusters 

– Hosts 

– Virtual machines 

– Disks 

The module parses the distant API and sends them to the native inventory API of GLPI. 

The merger with existing devices is done with the rule engine as usual. 

SCIM 

 Another connector, GLPI will serve a SCIM endpoint for your Microsoft Azure instance. 

This protocol pushes changes of users from the directory to connected application. 

So instead of synchronizing the whole user’s database and matching everyone, any change in the directory will be immediately pushed to GLPI. 

  7. Security

Now, a security feature, two-factor authentication!

Administrators can enforce users’ logins in the security setup to ask them to register an external application like Google Authenticator or Authy. 

Security – 2 factors (2/2) 

After a successful login, a new field will appear asking users to paste a pin code from the authentication application. 

Security – OAuth Server

We will add an OAuth server to GLPI for 2 purposes:

– connect applications to GLPI to delegate the login feature and identity management

– secure our several APIs, like the inventory one or the general-purpose one.

Security – misc 

– Vulnerabilities management 

– Scanners integration (vuls, tsunami)

– CVE matching 

Some various points: 

In the management menu, a new entry to list vulnerabilities. 

The goal is, with the help of external scanners, like vuls or tsunami, as well as some API to get CVE and match them to known software, to see if a host has some security vulnerabilities.

Some dashboard cards and alerts will also be added to enhance reporting about this subject. 

Technical changes 

– Web root for the application will be `/public` 

– continue work on twig (removing legacy echo) 

– removal of legacy auto escaping 

– modularization of critical features 

– e-charts lib for dashboards 

Last slide to tell you we continue to improve the core of GLPI. 

The most impactful for you will be the move of the web root of the application. 

Now, it will be a sub-folder named /public. 

Thereby, all other sub-folders (like files for example) will not be available on the web when the webserver is not well set up. 

The next point is legacy codebase we need to clean. 

And to finish, we moved to a new charting library called e-charts. 

It is simpler to use on our side and you will appreciate the new colors and its interactivity.

Timeline? 

– Currently, finish stabilizing the 10.0 version

– End of 2023, beta of next major version 

We are still working on bugfixing the 10 version. This last brought substantial changes, especially on the assistance part. 

But we aim to work on the incoming yearly results fully on the latest version. 
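
The web-root change described in the presentation above, sketched as an Apache virtual host before and after. This is an added example, not configuration from the presentation or from the GLPI project; the install path `/var/www/glpi`, the host name `glpi.example.org` and the rewrite to `index.php` are assumptions.

```apache
# BEFORE (alternative 1): the document root is the application root.
# Every sub-folder of the install, files/ included, is mapped to a URL
# and stays reachable unless each private folder is denied one by one.
<VirtualHost *:80>
    ServerName glpi.example.org          # assumed host name
    DocumentRoot /var/www/glpi           # assumed install path

    <Directory /var/www/glpi>
        Require all granted
    </Directory>

    # Protection depends on this block being present and complete.
    # If it is forgotten, /files/... is served like any other path.
    <Directory /var/www/glpi/files>
        Require all denied
    </Directory>
</VirtualHost>

# AFTER (alternative 2): the document root is the /public sub-folder.
# files/ and the other sub-folders sit outside the document root, so no
# URL maps to them even when no explicit deny rule has been written.
<VirtualHost *:80>
    ServerName glpi.example.org
    DocumentRoot /var/www/glpi/public

    # Default deny for the whole filesystem, then open only /public.
    <Directory />
        Require all denied
    </Directory>

    <Directory /var/www/glpi/public>
        Require all granted
        AllowOverride None

        # Assumption: requests that do not match a real file under
        # /public are handed to a front controller named index.php.
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
</VirtualHost>
```

After switching, requesting a path under `/files/` from a browser is a quick check: it should no longer return file contents.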

Discover native GLPI inventory

Very soon the new major version of GLPI will be released with many new features, including a major overhaul of the interface.

Here is a quick look at the automatic inventory features.

GLPI Desktop / Server Agent

Fork of the Perl FusionInventory agent, this new agent is enhanced with several new features:

  • A new stand-alone interface (called Toolbox) allowing the configuration of network discoveries and inventories.
  • An improved proxy mode to allow inventory reporting from remote networks.
  • Remote inventory support (agentless), currently with support for WinRM (Windows) and SSH (Linux / Unix) protocols.
  • Inventory of database servers.
  • New exchange protocol with GLPI server in JSON format supporting partial inventory.
  • Soon: management of remote inventory tasks, including for ESX polls.
  • Improved Windows support including MSI packages.
  • Native support for MacOSX Big Sur and the new Apple Silicon M1 chip.

The GLPI agent can advantageously replace the FusionInventory agent because it remains fully compatible with the automatic inventory of the FusionInventory.

This new agent is already available, you can download and test it:
https://github.com/glpi-project/glpi-agent/releases

Nightly built packages are also available to get the latest developments: https://nightly.glpi-project.org/glpi-agent/

We provide the community with a documentation detailing the installation, use and configuration of this new agent. Note that there may still be a few aspects to be completed (the missing points will be filled in the coming weeks).

We also provide a Perl script (see the dedicated documentation) allowing you to install the agent on Linux with a suitable package (rpm, deb, snap).

Some screenshots to illustrate the ToolBox interface of new agent:

Local scan
Inventory results
MIB support

GLPI Android Agent

Some time ago the Android agent returned to the Google Play store. It supports versions 4 to 10.

For GLPI Network subscription customers, we have also added the possibility of configuring the server URL via a mechanism called “Deeplink”. Using a QR code, the agent automatically retrieves the configuration to connect to the server.

GLPI Native Inventory

We are happy to announce that we have added support for automatic inventory directly to GLPI core.

A new REST API (front/inventory.php) will be available to receive inventory files in the historical formats (OCS, FusionInventory) or in the new JSON format.

We therefore keep compatibility with the previous agents (it will only be necessary to reconfigure the server URLs of the historical agents, or to set up a web proxy to perform a redirection to the new URL).

You can now manage with this new format most of GLPI’s inventory objects, like telephones, applications, racks, etc.
This is enabled by a new rewrite of the underlying code. The interface is inspired by the community projects mentioned above, the code is new.

This code now allows you to receive partial inventories.

This consists of sending only part of the particular information related to the object, and indicating to the server – via a flag – to update only the data concerned.

Transfer, processing, insertion and update of data is done in a significantly faster way.

Native inventory configuration
Import and link rules

Advanced tasks

As seen above, GLPI now integrates the basic building block concerning automatic inventory.
However we have not yet taken over the advanced tasks allowed by previous projects.
Here are a few points about these tasks:

  • Network discovery and inventory: now independently configurable by GLPI agent via Toolbox interface.
  • ESX query, soon supported by same interface
  • Collection (WMI, files, registers): not supported.
  • Tele-deployment: not supported.

For these last two features several scenarios are possible:

  • First of all, keep the previous plugin (if this one is updated)
  • Use our transition package. A fork of the FusionInventory plugin (GLPI inventory plugin) will be made available. It will redirect the classic inventories to the native part and keep the advanced tasks.

In our roadmap it is planned to work on rewriting these parts, but as version 10 is almost done (and this is substantial work), we are postponing their availability for a few months.

Webinar: GLPI Native inventory

On June 22nd at 11.00 AM (Paris time) we are launching a webinar to talk about:

  • Native inventory
  • New types of inventoried objects
  • Partial inventory
  • Third-party connectors
  • Transition Plugin
  • Android agent
  • New GLPI agent
  • Packaging
  • Installation script
  • Remote inventory
  • HTTP interface (toolbox) & plugins
  • Mid-term roadmap
  • Q/A session

Speaker: Alexandre Delaunay, head of the GLPI development team

Registration link: https://us02web.zoom.us/webinar/register/WN_LcEA0DzaT0m3vWasVbq8fQ

About GLPI license

GLPI v.10 includes since its latest release the native inventory feature (including GLPI agents also released during the year).
Inspired by the previous projects FusionInventory and OCS (and using their XML format), it aims to be a unified entry point for the inventory (by adding greater compatibility with all GLPI objects).

A complete rewrite directive had been one of the stated objectives (without code recovery) at the beginning of the development of the project.

Recently (after the release of the stable 10.0 version), it appeared that this functionality within GLPI included pieces of code from FusionInventory. As a development team we have been patently negligent about the copyrights of the previous project.
Moreover, there is an incompatibility between the license of GLPI (GPL-2.0-or-later) and FusionInventory (AGPL-3.0-or-later).

We apologize to the FusionInventory community for this situation. Teclib’ and its developers are also contributors to the project and are therefore included in this notion of copyright (mainly to the agent but also in part of the plugin).

Upcoming fixes.

A few changes will be made to address the situation:

The copyright of the Fusion Inventory project will be added to the source files concerned,
GLPI license (and source file headers) will be changed to GPL-3.0-or-later.
On this last point, it is possible because previous license contained “or later”. It allows us to switch from the current version 2 to later versions.
Compatibility between GPL-3.0 and AGPL-3.0 (Affero) is explicitly provided in the text of both licenses.

In addition to this change, we took the opportunity to check current uses in terms of libraries.
We have replaced some to resolve any incompatibilities following the switch to GPL-3.0-or-later.

DHTMLX/gantt was impossible to replace and the entire Gantt functionality was taken out of GLPI to be integrated into a dedicated plugin. There is normally no functional loss, you will simply need to install the plugin (via the Marketplace or manually) to recover previous displays.

These changes will come into effect in the next version of GLPI, which will be released in a few weeks.

What is the impact of the new license?

A quick summary of the impact of these changes:

GLPI is, and will remain, completely free and open source, its code is always accessible and adaptable by everyone.
All projects wishing to share or re-use GLPI code must now do so with the GPL-3.0 or compatible license.

The “or later” mention in the new license makes it possible to cover the case where a version 4 of the GPL becomes available.
If you are a GLPI user, the impact is probably zero.

We promise to be more vigilant in the future towards the compatibility of our code and the libraries that we use.