GLPI Agent 1.7

GLPI Agent 1.7 has been released.

You’re encouraged to upgrade your GLPI agents or migrate if you’re still using FusionInventory agents.

You can download it from the GLPI Agent GitHub project: https://github.com/glpi-project/glpi-agent/releases/tag/1.7

Here is a summary of the most important changes of the 1.7 version:

  • some important fixes have been made to the ToolBox plugin in relation to the NetDiscovery and RemoteInventory tasks:
    • the defined timeout now only applies to connection attempts during discovery, whereas the agent backend-collect-timeout configuration applies to the inventory
    • a possible locking issue while running the discovery has been fixed
    • we updated the way we define the “Agent Folder” local target in the inventory tasks configuration so that it has a more appropriate meaning when the agent is running as a service
    • an issue blocking the submission of JSON remote inventory was fixed
  • for NetDiscovery and NetInventory tasks, we also have:
    • an enhanced support of Toshiba printers
    • a fix related to the support of LLDP connection data analysis
  • for ToolBox plugin, we also fixed the export button on the results page
  • the RemoteInventory task also includes:
    • a fix for the inventory of software from a Windows remote with a Windows agent
    • a fix for computer FQDN and domain inventory
    • an update to support timezone inventory
    • an update to support printer inventory via ssh using perl mode
    • a fix for an error preventing ssh inventory because of a wrong option in the “ssh” mode
  • the ESX task has been fixed to work as expected with the GlpiInventory plugin, without leaving the job in a “ko” status with just “n/a” as description while the inventory is still normally integrated
  • the Inventory task has received a few improvements:
    • the support of SentinelOne antivirus on Linux. It was implemented by a community contributor, many thanks to him!
    • the assetname-support option has been updated to allow forcing the asset name to its FQDN on Linux. That option also changes how the agent name is computed, in the same way.
    • a fix related to the inventory of network cards on Linux
    • an update to find the Wi-Fi card network speed on Linux
  • the MacOSX package has been updated to use OpenSSL 3.2.0
  • the Apple AppID for the MacOSX package has been updated
  • the 1.6 and 1.6.1 Linux Perl installers had a problem that generated an error during agent update, and this is now fixed
  • to optimize the running time while using a server URL with SSL support, we decided to no longer try to export the SSL key store if any of the options providing SSL server certificate authentication is still used

As always, you can check the more detailed changelog at: https://github.com/glpi-project/glpi-agent/blob/1.7/Changes

Regarding the Windows MSI installer, the Perl version it uses is now completely outdated and requires a major update. This essentially concerns the OpenSSL and libssh2 libraries, the latter being used for remote inventory. As we use StrawberryPerl and that project decided to no longer support the 32-bit Perl version, we decided that 1.7 will be the last version to provide GLPI Agent in 32 bits. This Perl update will be the main goal of the next version, 1.8.

GLPI 10.0.7 is available!

New version GLPI 10.0.7: A new GLPI version is available.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.7 archive on GitHub.
We still maintain the 9.5 branch for security fixes, and we are also releasing a new version for it: GLPI 9.5.13 archive

You will find below the list of security issues fixed in this bugfix version:

  • SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
  • Account takeover by authenticated user (CVE-2023-28632).
  • SQL injection through dynamic reports (CVE-2023-28838).
  • Stored XSS through dashboard administration (CVE-2023-28852).
  • Stored XSS on external links (CVE-2023-28636).
  • Reflected XSS in search pages (CVE-2023-28639).
  • Privilege Escalation from technician to super-admin (CVE-2023-28634).
  • Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

  • Optional GLPI router to be able to use a safer web server root directory.
  • Support of SMTP OAuth authentication.
  • Improved inventory file upload feature.
  • Many fixes and improvements on native inventory.
  • Some bugs on PHP 8.2.
  • Caching issues on entities.
  • Boolean FullText operator not working on knowledge base search.
  • Unexpected search results when using negative condition on ticket actors.
  • Issues with LDAP filters/DN.
  • Unexpected results when searching on knowledge base categories.

The full changelog is available for more details.

We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!

Download GLPI now: https://glpi-project.org/downloads/

Regards.

New version 10.0.6 of GLPI!

A new GLPI version is available.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.6 archive on GitHub.
We still maintain the 9.5 branch for security fixes, and we are also releasing a new version for it: GLPI 9.5.12 archive

You will find below the list of security issues fixed in this bugfix version:

  • Unauthorized access to inventory files (CVE-2023-22500)
  • XSS on browse views (CVE-2023-22722)
  • XSS on external links (CVE-2023-22725)
  • XSS in RSS Description Link (CVE-2023-22724)
  • Unauthorized access to data export (CVE-2023-23610)
  • Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)

Also, here is a short list of main changes done in this version:

  • Unmanaged devices can be handled like a real asset.
  • Handle more actions for stale inventory agents.
  • Added new dictionary rules for OS.
  • Removed glpi: prefix on console commands.
  • PHP 8.2 support.
  • Many fixes and improvements on native inventory.
  • Reservation display on self-service profile.
  • Mail collector issues with emails sent from Outlook.
  • Dashboard issues on “All” tab.
  • Ticket input is restored when submitted form is not complete.
  • Notification was not sent when ticket status was set to “pending”.

The full changelog is available for more details.

We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

New GLPI version 10.0.4

A new GLPI version is available.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for the 9.5 branch: GLPI 9.5.10 archive

You will find below the list of security issues fixed in this bugfix version:

  • Blind SSRF in RSS feeds and planning (CVE-2022-39276)
  • Stored XSS in user information (CVE-2022-39372)
  • Stored XSS in entity name (CVE-2022-39373)
  • Improper input validation on emails links (CVE-2022-39376)
  • Improper access to debug panel (CVE-2022-39370)
  • User’s session persist after permanently deleting his account (CVE-2022-39234)
  • Stored XSS on login page (CVE-2022-39262)
  • XSS in external links (CVE-2022-39277)
  • XSS through public RSS feed (CVE-2022-39375)
  • SQL Injection on REST API (CVE-2022-39323)
  • Stored XSS through asset inventory (CVE-2022-39371)

Also, here is a short list of main changes done in this version:

  • Increase significantly dashboards performance
  • Several bugs on images pasting
  • Fixed and improved inventory locks management
  • Display of printer cartridges
  • Display and hide actors tooltips in tickets
  • Improve display of headers above forms
  • Move breakpoints on responsive displays
  • Inventory API is now disabled by default
  • Dedicated rights have been added for inventory

The full changelog is available for more details.

We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

New GLPI version 10.0.2

A new GLPI version is available.

This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!

You can download the GLPI 10.0.2 archive on GitHub.
Exceptionally, as we have a critical security issue on an unauthenticated page, we also release a GLPI 9.5.8 archive.

You’ll find below the list of security issues fixed in this bugfix version:

  • Unauthenticated SQL injection on login page (CVE-2022-31061)
  • SQL injection on actor part in assistance forms (CVE-2022-31056)
  • Unauthenticated Sensitive Data Exposure on Refused Inventory Files (CVE-2022-31068)

Also, here is a short list of important bugfixes done in this version:

  • FIX adding actors to ITIL Objects (#11796, #11957)
  • FIX unwanted “promote to ticket” feature on self-service interface (#11834)
  • FIX native inventory do not inject switch information (#11864)
  • FIX entity for software creation (#11887, #11837)
  • FEAT permits global lock on entity (#11853)

The full changelog is available for more details.

We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.