by Flavia Calonego | Jan 24, 2023 | News
A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.6 archive on GitHub.
We still maintain the 9.5 branch for security fixes and we also release a new version for it: GLPI 9.5.12 archive
You will find below the list of security issues fixed in this bugfixes version:
- Unauthorized access to inventory files (CVE-2023-22500)
- XSS on browse views (CVE-2023-22722)
- XSS on external links (CVE-2023-22725)
- XSS in RSS Description Link (CVE-2023-22724)
- Unauthorized access to data export (CVE-2023-23610)
- Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)
Also, here is a short list of main changes done in this version:
- Unmanaged devices can be handled like a real asset.
- Handle more actions for stale inventory agents.
- Added new dictionary rules for OS.
- Removed glpi: prefix on console commands.
- PHP 8.2 support.
- Many fixes and improvements on native inventory.
- Reservation display on self-service profile.
- Mail collector issues with emails sent from Outlook.
- Dashboard issues on “All” tab.
- Ticket input is restored when submitted form is not complete.
- Notification was not sent when ticket status was set to “pending”.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
by Daniela Buxo | Nov 3, 2022 | News
A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for the 9.5 branch: GLPI 9.5.10 archive
You will find below the list of security issues fixed in this bugfixes version:
- Blind SSRF in RSS feeds and planning (CVE-2022-39276)
- Stored XSS in user information (CVE-2022-39372)
- Stored XSS in entity name (CVE-2022-39373)
- Improper input validation on emails links (CVE-2022-39376)
- Improper access to debug panel (CVE-2022-39370)
- User’s session persists after permanently deleting their account (CVE-2022-39234)
- Stored XSS on login page (CVE-2022-39262)
- XSS in external links (CVE-2022-39277)
- XSS through public RSS feed (CVE-2022-39375)
- SQL Injection on REST API (CVE-2022-39323)
- Stored XSS through asset inventory (CVE-2022-39371)
Also, here is a short list of main changes done in this version:
- Significantly increased dashboards performance
- Several bugs on image pasting fixed
- Fixed and improved inventory locks management
- Display of printer cartridges
- Display and hide actors tooltips in tickets
- Improve display of headers above forms
- Move breakpoints on responsive displays
- Inventory API is now disabled by default
- Dedicated rights have been added for inventory
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
by Polina Marishicheva | Feb 8, 2019 | Announcements, Unclassified
Thanks to all users who downloaded and tested the release candidates and helped us find bugs and fix issues. Together we are creating better software to manage IT infrastructure easily.
Let's have a look at the main features of GLPI 9.4:
Search engine: nested criteria.
The search engine available in all lists of items now allows you to construct much more complex queries.
A new group button is available to separate a set of criteria from the others. You can set a different operator for the entire group.
The resulting query will be surrounded by parentheses.
We also added some minor changes to this part:
- A new type of search: notcontains.
- Changes can now be filtered with global rules.
- Review of the interface to make different actions clearer.
Note that your old saved searches (bookmarks) are still compatible with the new engine.
UX: Knowbase and FAQ.
The Browse tab in the knowbase has been revamped.
A tree is now displayed for the categories, and each shows a badge counting the number of articles associated with the category.
Timeline for Changes and Problems.
Thanks to Curtis Conard, you can add followups to ITIL changes and problems, and these objects now have a timeline tab to regroup their followups, tasks, documents and solutions.
Followups split and Tickets merge.
Thanks to Curtis Conard, tickets now have 2 new actions:
- Split a followup: create a new ticket copying a followup (a link is kept in the old ticket)
- Merge a ticket as a new followup in an existing ticket with the massive actions option.
Assets rules engine.
In this release, we provide a new rules engine to automatically update some fields when an asset is created or updated.
For example, you can assign a specific technician when a computer becomes part of an entity.
Centralized command line tool.
The scripts folder provided in GLPI archives had a lot of scattered files. With this release, we started a console (available via the php bin/console command, see documentation) centralizing the old scripts. Not all scripts have been migrated yet, but we will do the work step by step in future releases.
Misc.
- Lock of user personalization tab.
- New action in business rules for tickets targeting the completename field (before, you could only target the short name of categories).
- New device type for assets: Modem.
- CAS 3 authentication support.
- Rich text option removed (ITIL objects in GLPI now always use rich text).
- A new field in the user form: responsible (you can sync it with an LDAP server).
Under the hood.
We are working hard to make GLPI more stable and reliable.
Here is a list of topics we worked on in this release:
- Code coverage for unit testing: since the addition of unit tests in 9.2, we have been making progress on covering all of the source code.
- SQL Iterator: an old topic. The GLPI framework provides a class to abstract SQL query generation, and we have recently replaced a lot of raw MySQL queries with it. The final goal is to allow the use of other SQL engines (like Postgres). It's not there yet, but we are on the road to it.
- SCSS is now the official GLPI format for stylesheets. We have an automatic compiler for developers (use it, it's CSS with superpowers) and also for plugins.
- Session as cache: as in 9.3, we store more and more in cache to give you a speedy ITSM tool.
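As an added illustration (Python written for this note, not GLPI's own PHP code) of two ideas above: nested search-criteria groups, each with its own operator, compiled into a parenthesized WHERE clause, and query generation that keeps user values out of the SQL text so that a search criterion cannot turn into an injection. The table, columns and sample rows are constructed for the example.

```python
import re
import sqlite3

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # allowed table/column names
OPS = {"equals": "= ?", "contains": "LIKE ?", "notcontains": "NOT LIKE ?"}

def compile_where(node):
    """Return (sql_fragment, params) for one criterion or a group of criteria.
    A group {"op": "AND"|"OR", "group": [...]} is emitted inside parentheses
    with its own operator; values only ever become "?" placeholders."""
    if "group" in node:
        link = node.get("op", "AND").upper()
        if link not in ("AND", "OR"):
            raise ValueError("bad group operator: %r" % link)
        parts, params = [], []
        for child in node["group"]:
            sql, p = compile_where(child)
            parts.append(sql)
            params.extend(p)
        return "(" + (" %s " % link).join(parts) + ")", params
    field, stype, value = node["field"], node["type"], node["value"]
    if not IDENT.match(field):          # identifiers cannot be bound, so whitelist them
        raise ValueError("bad field name: %r" % field)
    if stype not in OPS:
        raise ValueError("unknown search type: %r" % stype)
    if stype in ("contains", "notcontains"):
        value = "%" + value + "%"       # wildcard added to the bound value, not the SQL
    return "%s %s" % (field, OPS[stype]), [value]

def search(conn, table, criteria):
    """Run one search; the SQL text contains only whitelisted identifiers and '?'."""
    if not IDENT.match(table):
        raise ValueError("bad table name: %r" % table)
    where, params = compile_where(criteria)
    cur = conn.execute("SELECT name FROM %s WHERE %s ORDER BY name" % (table, where), params)
    return [row[0] for row in cur]

def make_demo_db():
    """Constructed sample inventory (hypothetical rows, not real GLPI data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE glpi_computers (name TEXT, os TEXT, entity TEXT)")
    conn.executemany("INSERT INTO glpi_computers VALUES (?, ?, ?)", [
        ("pc-01", "Windows 10", "Paris"), ("pc-02", "Debian 11", "Paris"),
        ("srv-01", "Debian 11", "Lyon"), ("pc-03", "Windows 11", "Lyon")])
    return conn

# An AND group wrapping a nested OR group, as built with the 9.4 "group" button.
DEMO_CRITERIA = {"op": "AND", "group": [
    {"field": "entity", "type": "equals", "value": "Paris"},
    {"op": "OR", "group": [
        {"field": "os", "type": "contains", "value": "Windows"},
        {"field": "name", "type": "notcontains", "value": "pc"}]}]}
```

Running `search(make_demo_db(), "glpi_computers", DEMO_CRITERIA)` yields only `pc-01`; a value such as `' OR 1=1 --` is bound as a literal and matches nothing.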
Download: on GitHub.