9.5.6

This is a security release, upgrading is recommended

Non exhaustive list of changes:

• [SECURITY] Disclosure of GLPI and server informations in telemetry endpoint [CVE-2021-39211]
• [SECURITY] Autologin cookie accessible by scripts [CVE-2021-39210]
• [SECURITY] Bypassable CSRF protection on ajax endpoints [CVE-2021-39209]
• [SECURITY] Bypassable IP restriction on GLPI API using custom header injection [CVE-2021-39213]
• FIX Mailgate "Missing type for Ticket template" warning
• FIX Display of images in tickets from collected mails
• FIX Encoding issue with emails in GB2312 containing special characters
• FIX Emails rules not working after upgrading to 9.5.5
• FIX Incorrect KPIs Dashboards compared to the GLPI filter
• FIX marking LDAP user as deleted after a failed password
• FIX Prevent usage of date filters on full LDAP sync
• and more!

See changelog for details.

9.5.5

This is a security release, upgrading is recommended

Non exhaustive list of changes:

• [security] Stored XSS in plugins information (CVE-2021-3486)
• fix entity creation
• removal of raw html in massive actions list
• fix issue with date_creation fields updated with older instances of MySQL servers
• fix wrong count of software counts in assets
• Fix Core API errors on deprecation checks
• and more!

See changelog for details.

9.5.4

This is a security release, upgrading is recommended

Note: those are medium security issues.
Some are present since a long time (version 0.68), but this time none of these issues were considered as high/critical.

Non exhaustive list of changes:

• [security] Horizontal Privilege Escalation (CVE-2021-21326)
• [security] entities switch IDOR (CVE-2021-21255)
• [security] XSS injection in ajax/kanban (CVE-2021-21258)
• [security] XSS injection on ticket update (CVE-2021-21314)
• [security] Stored XSS on documents (CVE-2021-21312)
• [security] XSS on tabs (CVE-2021-21313)
• [security] Stored XSS in budget type (CVE-2021-21325)
• [security] Unsafe Reflection in getItemForItemtype() (CVE-2021-21327)
• [security] Insecure Direct Object Reference (IDOR) on "Solutions" (CVE-2021-21324)
• Handle RFC5987 format in Content-Disposition header
• Fix email attachement decoding logic
• Fix tickets ID fetching from email headers
• Fix graph counts
• Add search filter criteria for widget by year
• New filter ‘my groups’
• Populate meta criteria in a generic way
• Make custom css from entity inheritables
• and more!

See changelog for details.

9.5.3

This is a security release, upgrading is recommended

Note: those are medium security issues.

Non exhaustive list of changes:

• [security] Insecure Direct Object Reference on ajax/comments.php and ajax/getDropdownValue.php (CVE-2020-27662 and CVE-2020-27663)
• [security] Any CalDAV calendars is read-only for every authenticated user (CVE-2020-26212)
• several dashboards issues
• several fixes and enhancements with mail collector
• new dashboard filters on tech users and tech groups
• PHP8 compatibility
• and more!

See changelog for details.

9.5.2

This is a security release, upgrading is highly recommended

Note: some of fixed vulnerabilities are present since a long time (0.68).

Non exhaustive list of changes:

• [security] SQL injection with a query parameter of user form (CVE-2020-15176)
• [security] Removal of .htaccess file in the files folder via a plugin endpoint (CVE-2020-15175)
• [security] Leakage issue with knowledge base (CVE-2020-15217)
• [security] Stored XSS in install script (CVE-2020-15177)
• [security] Minor SQL Injection in Search API (CVE-2020-15226)
• several mailgate issues
• several dashboards issues
• dashboards improvements: personnal filters, new summary and articles widgets, ...
• and more!

See changelog for details.

9.5.1

This is a security release, upgrading is highly recommended

Non exhaustive list of changes:

• (security) SQL injection on new clone feature
• alignment of some table columns
• added domains in global search and Assets > global
• fixed several problems with email retrieval via email collectors
• fixed several display problems in the planning
• correction (and error display) of marketplace registration key input
• and more!

See changelog for details.

9.5.0

Official announcement / Annonce officielle / Anuncio oficial

Major features:

• Marketplace,
• Impact and relationship management,
• Dashboards,
• Follow-up templates,
• Kanban for projects,
• Timezones,
• Impersonate,
• Password security policy,
• and more!

See changelog for details.

9.5.0-rc2

Second look at GLPI 9.5

Following the publishing of the Release Candidate of GLPI version 9.5 15 days ago, you have reported a number of small issues that have been fixed, including:

• Planning display was broken,
• The warning about missing dependencies during installation or update was absent,
• Inability to register to access the marketplace,
• Missing translations,
• and others

Today, we are releasing new RC version for you to test the improvements.

Unless a major problem is detected, the next version will be the final stable release.

How can you help us ?

Download the rc archive, test the migration and the new features (you may also test the existing ones) and report us the issues you encounter on the bug tracker (tag it as [RC feedback]).

Translators, please, add missing sentences for your language on transifex.

9.5.0-rc1

First look at GLPI 9.5

In some weeks we will launch the new major version of GLPI: 9.5.
A lot of new features will be available, here is a short list:

• New marketplace for plugins.
• Impacts and dependencies vizualisation for assets.
• New graphical and customizable dashboards.
• New canned responses for follow-up form.
• Support for field templates for Problems and Changes.
• Kanban board for project management.
• Enhanced planning view and a new full caldav server.
• Timezones support.
• Impersonate function for super-admins.
• Various improvements in UI and UX.

Consult the full changelog for a more complete list.

Please note, we dropped Kerberos support in mail collector setup as we needed to move to another library for mail support that does not provide this option. Please contact us if it's an issue for you.

Today, we release a release candidate archive for this version.

How can you help us ?

Download the rc archive, test the migration and the new features (you may also test the existing ones) and report us the issues you encounter on the bug tracker (tag it as [RC feedback]).

Translators, please, add missing sentences for your language on transifex.

9.4.6

This is a security release, upgrading is highly recommended

Non exhaustive list of changes:

• (security) Prevent execution of SQL injection while assigning a technician,
• (security) Permit to change key used to store passwords,
• (security) Improve CSRF token,
• (security) Fix several possible XSS,
• (security) Fix a few possible SQL injections,
• Fix SCSS caching issues,
• Fix inline images handling on item update,
• Fix PHP 7.4 compatibility,
• Connect to database using socket,
• and more!

See changelog for details.