GLPI 10.0.7 is available!

New version GLPI 10.0.7: A new GLPI version is available.

This release fixes several recently discovered security issues. Updating is recommended!

You can download the GLPI 10.0.7 archive on GitHub.
We still maintain the 9.5 branch for security fixes, and we are also releasing a new version for it: GLPI 9.5.13 archive.

Below is the list of security issues fixed in this bugfix release:

  • SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
  • Account takeover by authenticated user (CVE-2023-28632).
  • SQL injection through dynamic reports (CVE-2023-28838).
  • Stored XSS through dashboard administration (CVE-2023-28852).
  • Stored XSS on external links (CVE-2023-28636).
  • Reflected XSS in search pages (CVE-2023-28639).
  • Privilege Escalation from technician to super-admin (CVE-2023-28634).
  • Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Here is also a short list of the main changes made in this version:

  • Optional GLPI router to be able to use a safer web server root directory.
  • Support of SMTP OAuth authentication.
  • Improved inventory file upload feature.
  • Many fixes and improvements on native inventory.
  • Some bugs on PHP 8.2.
  • Caching issues on entities.
  • Boolean FullText operator not working on knowledge base search.
  • Unexpected search results when using negative condition on ticket actors.
  • Issues with LDAP filters/DN.
  • Unexpected results when searching on knowledge base categories.

The full changelog is available for more details.

We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!

Download GLPI now: https://glpi-project.org/downloads/

Regards.

New silver partner: VBEST Technologies

Silver Partner VBEST, A VISION FOR AFRICA

Founded in 2012, on the initiative of young Ivorian entrepreneurs, VBEST TECHNOLOGIES is a company specialized in design and integration of IT solutions and technologies installed in Abidjan Ivory Coast.

The VBEST team is mainly composed of certified and experienced engineers and technicians, trained to work on all the proposed technologies, whether they are whose knowledge is regularly updated in order to provide our customers with high quality services.

Today a reference company in the business of integration of ICT solutions in Côte d’Ivoire and in the West African sub-region, VBEST TECHNOLOGIES shares with its customers, partners and collaborators values that promote exchanges, allowing everyone to find their place and express their full potential, while striving to apply them in all our relationships in order to always place people at the heart of our projects.

VBEST’s clients include many national and international companies, particularly in the banking, insurance, industry and public sectors. Its activity is organized around five (5) main areas of expertise:

  • Application engineering,
  • The engineering of information systems,
  • Networks and security,
  • Training and consulting,
  • Outsourcing.

For more information, visit the website: http://bit.ly/42ruYFO

We are excited that GLPI ITSM solution is becoming more and more represented all over the world and GLPI Network (our support offer for on-premises – get your IT Infrastructure secured) subscription service will be available for more customers through our new partners.

Our large partnership network is always open for new collaborations. If you are interested in representing one of our products in your country, get in touch with us: https://glpi-project.org/contact/

Being a partner means:

  • Having direct access to Teclib’s tech expertise;
  • Getting special discounts;
  • Accessing official support;
  • Many other tools that will help you gain more customers and increase your reputation on the market by adding open source ITSM to your portfolio.

Discover all benefits of being a partner here: https://glpi-project.org/partners/

Talen Energy

Interview with Thomas Novotney, senior computer systems analyst at Susquehanna Nuclear in Berwick, Pennsylvania, which is owned by Talen Energy.

About Talen Energy.

Talen Energy is one of the largest competitive power generation and infrastructure companies in North America. Susquehanna Steam Electric Station (SSES) generates clean, reliable, safe, and affordable energy to power homes, businesses, hospitals, and schools, driving regional economies. The plant has two boiling water reactors capable of generating ~2,500 MW of power, enough to power 2M homes.

1. How did you hear about GLPI?

Thomas Novotney: “I first heard about GLPI when I was searching for an inventory database for equipment at the company I was working for at the time. They wanted to have a way to show depreciation of all their equipment. So we were using a lot of the features that allowed us to calculate the pricing and depreciation value and then submit it for insurance purposes. It was probably five, six years ago. I was searching the internet and “open source” was probably a keyword – looking to see what tools were available to get the job done.”

2. How do you use GLPI and how has it helped you with the business?

Thomas Novotney: “GLPI is an essential tool if you want to find out information about a device or – as we call them “CDAs” (Critical Digital Assets) – that are in our plant. Basically, if you need to find out if a certain piece of software is on them or if you need to just know where it’s located, we have all that information in GLPI. They just go to that as their resource to pull it up and find out.

One of the biggest things we did was (specifically since it is in the program), you have the ability to see everything that is rack mounted. 

However, some things are in panels, some things are in cabinets, some things are on tables. So right away we realized that we still wanted to have a graphical representation. When you click on racks not everything’s going to be a rack mounted device and we wanted to keep that workflow consistent for us. 

We created a plugin which allows us to use SVGs as a valid graphical representation in place of the rack display. In cases where you upload a SVG as a document and relate it to the rack, the plugin automatically uses the SVG representation which utilizes the other features within GLPI, like being able to click, add the device and relate it to the racks. When you have a rack, you get the visual representation you normally get, but again, we don’t always have it like that. 

Now we can load up an SVG and then just click on the area of the SVG that would take you to the device for further information.

You probably see the color changing in the background too. We have two nuclear reactor units here on site, they’re color-coded, to help people make sure they’re looking at the correct unit.”

3. How do you manage cyber security using GLPI?

Thomas Novotney: “Part of the requirements for our cyber security program and the NRC is to maintain baselines so we can prove that when we go out and have to interact with a device that we can prove that it hasn’t been changed from the previous time. We’re using the XML as a way to prove that. For the most part, it was easy to get into GLPI development. Online documentation was very easy to get a hold of, and the framework is pretty straightforward.

We have over 3000 digital assets. In addition to that, our Vulnerabilities plugin downloads from NVD (National Vulnerability Database) the CVEs and we have all of that in our GLPI system. There’s over 200,000 CVEs in the system that then get associated with all of the 3000 assets nightly. We have a process that matches them up based on how we have implemented it and makes sure there’s no new ones or changes.

The biggest things are for cyber requirements. We have to maintain a master software list, which GLPI natively does right out of the box with ease, and the inventory plugin just allows us without human error to enter that information into it. 

The fact that we could download GLPI on Linux distribution and get it running on premises is a big thing too, because it can have additional isolation and protection that the NRC and our regulations require.”

4. Which is your favourite thing about GLPI?

Thomas Novotney: “GLPI is extremely flexible. Even with the language files and everything else, it is easy to change things up and make things easier for people to understand, even something as simple as language, it helps big time!”

 

How can you try GLPI?

 

If you have not tried GLPI yet, you can start a free 45 day trial on GLPI Network Cloud (no credit card needed!): https://glpi-network.cloud/ 

If you want to download GLPI on-premise and need assistance, our partners-integrators can support you (you will need to have a valid GLPI Network Subscription). 

 

 


GLPI 9.5.x will be discontinued

Dear GLPI Community!

We would like to announce that official support for GLPI 9.5.x will be discontinued on 30.06.2023. Starting from the 1st of July 2023 (3 years after the first launch of this version) we will have to say goodbye – there will be no new 9.5.x releases.

It is mandatory to migrate to GLPI 10.0.x in order to be covered by official support. 

How-to MIGRATE:

—OPTION 1: You can do the migration via official partners-integrators (if you have a valid GLPI Network Subscription); or

—OPTION 2: If you choose GLPI Network Cloud, we offer a free data migration from on-premise for everyone.

We ask you to communicate the upcoming changes to your customers and finish migrations before 30.06.2023. 

Thank you! 

New Formcreator 2.13.4 is available!

This version is compatible with GLPI 10.0.

Upgrade from 2.13.0 or later

A database sanity check is done before running the upgrade. If the plugin's tables differ from the expected schema, the upgrade will fail with a message similar to the following:

The database schema is not consistent with the installed Formcreator 2.13.0. 
To see the logs enable the plugin and run the command bin/console glpi:database:check_schema_integrity -p formcreator

The database must be fixed using the diff produced by the CLI command given in the message. Once that is done, try the upgrade again.

ℹ️ If you know what you are doing, you may bypass the sanity check from the CLI with the following command:

bin/console glpi:plugin:install formcreator -f -p skip-db-check

Bug Fixes

  • handle undefined setting for service catalog homepage (411ae3597)
  • typo in french locale (f61ded17a)
  • abstractitiltarget: multiple tag questions set but not displayed in designer (90f2a95d8)
  • checkboxesfield,multiselectfield: default value not displayed (8f36ab726)
  • composite: ignore link to non existing ticket (8502d4b16)
  • condition: allow longer texts (eecdf8a2a)
  • condition: display of tested question shows wrong item (5d34da8b4)
  • condition: width of question dropdown (ce0389efd)
  • dropdownfield: empty SQL IN statement when restricted tickets rights (5c5244a85)
  • form: image upload handling in header field (5dc66a5ef)
  • formanswer: default search filter hides legit access (2dc9f8e3f)
  • formanswer: malformed search option (5339b7912)
  • formanswer: missing newline between sections of fullform tag (61122bc93)
  • formanswer: temporary disable debug mode (e9e8da484)
  • formanswer, textfield, textareafield: escaping (3e0666d4d)
  • glpiselectfield: cannot set empty value by default for entity question (fe2130bbe)
  • glpiselectfield: restore entity restriction for users (e525b3a82)
  • helpdesk: better handling of users that can’t see tickets (a93f03126)
  • install: add empty schema for new version (817a9ec7e)
  • install: resync not needed in upgrade to 2.13.4 (d66a12017)
  • install: typo in method name (eac5d77ac)
  • issue: follow entity change on ticket transfer (434bd3572)
  • issues: Tooltip consistency with core (c45d21550)
  • question: subtype plural and appliance in bad group (1f780370a)
  • tagfield: php warning (cc4b673a8)
  • targetticket: allow more itemtypes to associated elements (#3155) (cee504c24)
  • textfield: useless HTML entity encode (c3d03b51e)

Features

  • drop support for GLPI 10.1 (a99a8bcb2)
  • dropdownfield: always show ticket id (0190adac9)
  • issue: access tickets from service catalog (a6b4f19d0)
  • question: add support for database sub itemtype (45126012d)
  • wizard: selectable home page in service catalog (95103fe54)