Releases: glpi-project/glpi

10.0.5

04 Nov 07:57

Download it

Following the latest releases, 10.0.4 and 9.5.10, an annoying issue was detected in one of the security fixes provided:
the user is logged out when they try to switch to another entity.

We are therefore releasing new versions to address the bug. You can download them on GitHub:

9.5.11

04 Nov 07:56

Download it

Following the latest releases, 10.0.4 and 9.5.10, an annoying issue was detected in one of the security fixes provided:
the user is logged out when they try to switch to another entity.

We are therefore releasing new versions to address the bug. You can download them on GitHub:

10.0.4

03 Nov 12:52

This is a security release, upgrading is recommended

Download it

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for the 9.5 branch: GLPI 9.5.10 archive.

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
  • [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
  • [SECURITY - Low] Stored XSS in entity name (CVE-2022-39373)
  • [SECURITY - Low] Improper input validation on emails links (CVE-2022-39376)
  • [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
  • [SECURITY - Moderate] User's session persist after permanently deleting his account (CVE-2022-39234)
  • [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
  • [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
  • [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
  • [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)
  • [SECURITY - High] Stored XSS through asset inventory (CVE-2022-39371)

Also, here is a short list of main changes done in this version:

  • [FIX] Significantly increase dashboard performance
  • [FIX] Several bugs on images pasting
  • [FIX] Fixed and improved inventory locks management
  • [FIX] Display of printer cartridges
  • [FIX] Display and hide actors tooltips in tickets
  • [FIX] Improve display of headers above forms
  • [FIX] Move breakpoints on responsive displays
  • [SECURITY] Inventory API is now disabled by default
  • [FEATURE] Dedicated rights have been added for inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

9.5.10

03 Nov 12:52

This is a security release, upgrading is recommended

Download it

This release fixes several security issues that have been recently discovered. Update is recommended!

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
  • [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
  • [SECURITY - Low] Improper input validation on emails links (CVE-2022-39376)
  • [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
  • [SECURITY - Moderate] User's session persist after permanently deleting his account (CVE-2022-39234)
  • [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
  • [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
  • [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
  • [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)

Regards.

10.0.3

14 Sep 12:57

This is a security release, upgrading is recommended

Download it

This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!

You can download the GLPI 10.0.3 archive on GitHub.
Exceptionally, as we have critical security issues that affect GLPI 9.5, we are also releasing a GLPI 9.5.9 archive.

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY] XSS through registration API (CVE-2022-35945)
  • [SECURITY] Leak of sensitive information through login page error (CVE-2022-31143)
  • [SECURITY] Stored XSS through global search (CVE-2022-31187)
  • [SECURITY] [critical] Command injection using a third-party library script (CVE-2022-35914)
  • [SECURITY] SQL injection through plugin controller (CVE-2022-35946)
  • [SECURITY] [critical] Authentication via SQL injection (CVE-2022-35947)
  • [SECURITY] Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning (CVE-2022-36112)

Also, here is a short list of main changes done in this version:

  • [FEATURE] More precise rights checks on inventory (#12610)
  • [FEATURE] Display of last inventoried value for locked fields (#12602)
  • [FEATURE] Permit to use rules to add computers as virtual machines (#12572)
  • [SECURITY] Delegate session cookies security to sysadmin (#12302)
  • [FIX] Prevent collector failure on invalid mail header (#12232)
  • [FIX] Many fixes on network inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

9.5.9

14 Sep 12:55

This is a security release, upgrading is recommended

Download it

This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY] XSS through registration API (CVE-2022-35945)
  • [SECURITY] Leak of sensitive information through login page error (CVE-2022-31143)
  • [SECURITY] [critical] Command injection using a third-party library script (CVE-2022-35914)
  • [SECURITY] SQL injection through plugin controller (CVE-2022-35946)
  • [SECURITY] [critical] Authentication via SQL injection (CVE-2022-35947)
  • [SECURITY] Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning (CVE-2022-36112)

Regards.

10.0.2

28 Jun 12:12

This is a security release, upgrading is recommended

Download it

A lot of issues have been fixed since GLPI 10.0.1 version.
Below, you'll find a short list of key points of this release:

  • [SECURITY] Unauthenticated SQL injection on login page (CVE-2022-31061)
  • [SECURITY] SQL injection on actor part in assistance forms (CVE-2022-31056)
  • [SECURITY] Unauthenticated Sensitive Data Exposure on Refused Inventory Files (CVE-2022-31068)
  • FIX adding actors to ITIL Objects (#11796, #11957)
  • FIX unwanted "promote to ticket" feature on self-service interface (#11834)
  • FIX native inventory do not inject switch information (#11864)
  • FIX entity for software creation (#11887, #11837)
  • FEAT permits global lock on entity (#11853)

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

9.5.8

28 Jun 12:00

This is a security release, upgrading is recommended

Download it

Non-exhaustive list of changes:

  • [SECURITY] SQL injection on login page [CVE-2022-31061]
  • [SECURITY] XSS / open redirect via SVG file upload [CVE-2022-24868]
  • [SECURITY] Cross Site CSS Injection [CVE-2022-24869]
  • and more!

See changelog for details.

10.0.1

02 Jun 12:01

This is a security release, upgrading is recommended

Here is the first bugfix release for GLPI 10.

Download it

A lot of issues have been fixed since the first GLPI 10 version.
Below, you'll find a short list of key points of this release:

  • several fixes on inventory rules
  • several fixes for reservation feature
  • Fix status change in assistance objects when modifying actors
  • fix preselection as requester in assistance object
  • Add global locks management for inventory
  • Re-implementation of the document addition action in assistance object
  • impersonate feature now displays hints if unavailable
  • updates with GLPI console can now check integrity of the database
  • The gantt feature has been moved to a plugin
  • The GLPI licence has been moved to GPLv3+

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

10.0.0

20 Apr 11:59

GLPI 10.0.0

Download it

We are happy to announce the new major release of GLPI 🥳
In a few words:

  • New Modern interface with Bootstrap + tabler.io + Twig
  • Redesign of Helpdesk objects
  • Native automatic inventory
  • and more...

Features

New interface

  • Modern interface by Bootstrap and Tabler
  • Redesign of the timeline of ITIL objects
  • Two new menu display modes: vertical on the left / horizontal at the top
  • "Go to..." button
  • Enhanced Dark Mode
  • Add photos / images for CMDB objects
  • Saved searches: the list is displayed on the left of the search results
  • Saved search: possibility to anchor the list so it does not disappear
  • Saved search: the list is adapted to the browsing context
  • Possibility to completely hide the search criteria block
  • Dynamic refresh (AJAX) of search results
  • Possibility to classify / sort the results of several columns at the same time
  • The titles of the columns of the results remain displayed even if you scroll down the page
  • Option to choose the timeline direction: natural (last followed at bottom) or inverted (last followed at top)
  • Improve browser tab names: now starting with Itemtype and Item ID
  • Browse items by category tree (when this field exists)
  • Add emoticon picker on rich text editor

Assistance

  • Kanban view for ITIL objects
  • Linking contracts and tickets
  • Add ability to mention users in ITIL objects
  • Management of "pending status" reasons
  • "Pending status" reasons: option to automatically reissue a ticket
  • "Pending status" reasons: option to automatically close a ticket after X reminders
  • Management of recurring changes
  • New: search criteria "Myself" (assigned to technician - myself)
  • Expanded text for validations
  • Option to anonymize technicians / groups in the simplified interface
  • Observers can now add a follow-up (new right)
  • New massive action to link multiple tickets to a problem
  • Business rules: action to add a task (from a template)
  • Business rules: action to assign an “Application”
  • Business rules: action to modify the global validation status
  • Business rules: “Validation” criteria
  • Add emoticon picker on rich text editor
  • Add task promotion to ticket
  • Business rules: add Writer to RuleTicket Criteria
  • Highlight TTO/TTR only when exceeded
  • Make SolutionTemplate translatable
  • Remove global_validation field from ITIL forms
  • Knowledge base: several categories per article, target self-service users

Inventory / CMDB

  • Native dynamic inventory (retrieving data from inventory agents)
  • Support for partial inventories (an agent can send part of the inventory to GLPI)
  • New objects supported by dynamic inventory (examples: telephones, applications, racks, etc.)
  • Overhaul of import rules and equipment binding
  • Improved management of rejected equipment
  • Possibility of re-importing refused equipment
  • Automatic action to purge refused equipment
  • Automatic action to purge inventory files
  • Possibility to add PCI / USB vendors (dropdown)
  • Adding database inventory
  • Add device "Camera"
  • Automatic action to remove software versions without installation
  • Automatic action to remove software without versions
  • Possibility to add manual links (in addition to external links)
  • Add PassiveDCEquipment to global search types
  • Add four columns to computers list "Number of [Monitor/Periph/Printer/Phone]"
  • Add problems to impact "status" badge
  • Add Color for Expiration Date field for domains & certificates
  • Supplier and contact: add administrative number

Inventory Agent

  • New inventory agent "GLPI Agent"
  • Remote inventory without agent installation: WinRM (windows), SSH (Linux/Unix)
  • Local administration interface to the agent (tools / toolbox)
  • New plugins “proxy”, “ssl”, “inventory-collector”
  • New communication protocol in JSON format supporting partial inventory
  • Soon, management of remote inventory tasks, including for ESX polls
  • Improved Windows support including MSI packages
  • Native support for MacOSX Big Sur and the new Apple Silicon M1 chip

Various

  • Add vars in templates
  • Possibility to modify the criteria of a saved search
  • Support for authentication with CERT / KEY file for LDAPS
  • Option to set the timeout for LDAP authentications
  • Report of the same modifications on the status.php page
  • Redesign of the Gantt view on Projects
  • Redesign of the “Tools> Reservations” view
  • New button to empty user's synchronization field
  • Button to copy the search results (“Name” column only) to the clipboard
  • Massive actions are now on the old plugins' page
  • Possibility to export the results of "History" tab in CSV format
  • Improve requirements checks
  • Make rules sortable by drag&drop
  • Display avatars in user list
  • Ability to run massive actions from API
  • Possibility to choose entity / profile from the URL (force_entity, force_profile)
  • LDAP User Restoration Process
  • Added changelog icon if plugin declares any (xml:changelog_url)
  • Added rule action to skip remaining rules
  • Add ability to define From and No-Reply addresses in entity config
  • Ability to disable central warning with define variable GLPI_CENTRAL_WARNINGS
  • Add filters for Kanban
  • Drop autocomplete feature on "name" fields

Console

  • Added commands for utf8mb4 migration:
    • bin/console glpi:migration:dynamic_row_format convert database tables to "Dynamic" row format (required for "utf8mb4" character support)
    • bin/console glpi:migration:utf8mb4 convert database character set from "utf8" to "utf8mb4"
  • Added command to migrate "signed" INT keys to "unsigned" INT:
    • bin/console glpi:migration:unsigned_keys
  • Improvement of the system:status command in the CLI console to:
    • filter services to monitor (see list_services command)
    • configure the return format (plain-text format / json)
  • Added list_services command:
    • bin/console glpi:system:list_services list system services (for status command)
  • Added marketplace command in CLI console:
    • bin/console marketplace:download download plugin from the GLPI marketplace
    • bin/console marketplace:info get information about a plugin
    • bin/console marketplace:search search GLPI marketplace
  • Added Database Plugin Migration Script:
    • bin/console glpi:migration:databases_plugin_to_core
  • Added cache commands:
    • bin/console glpi:cache:clear clear GLPI cache (rename from glpi:system:clear_cache)
    • bin/console glpi:cache:configure define cache configuration
    • bin/console glpi:cache:debug debug GLPI cache
    • bin/console glpi:cache:set_namespace_prefix define cache namespace prefix
  • Added glpi:tools:check_database_* commands:
    • bin/console glpi:tools:check_database_keys check database for missing and erroneous keys
    • bin/console glpi:tools:check_database_schema_consistency check database schema consistency
  • Added cleansoftware command:
    • bin/console glpi:assets:cleansoftware remove software versions with no installation and software with no version

Framework

  • Removed support for PHP versions lower than 7.3
  • Removed support for MySQL version lower than 5.7
  • Removed support for MariaDB version lower than 10.2
  • Use utf8mb4 MySQL character set
  • Use unsigned INT keys
  • PHP 8.1 compatibility
  • PHP PSR-4 autoload
  • PHP PSR-12
  • Add hook for custom debug tabs (debug_tabs)
  • Force usage of node v16 and npm v8
  • Usage of XML-RPC API is deprecated
  • Add getWebDir to twig "Plugin" extension
  • Debug mode: expose SQL warnings
  • Support 'multiple' option for item dropdowns
  • Add a new hook filter_actors
  • Add timeline hook for plugins (show_in_timeline, timeline_actions, timeline_answer_actions)
  • Hook constants / Hooks Manager classes
  • Replace TCPDF by mPDF

See the full changelog for details.