Created attachment 242022: Patch 10.0.6 to 10.0.7

This is a patch release of www/glpi from 10.0.6 to 10.0.7. This is a security release (9 security fixes including 3 high severity).

ChangeLog:
- https://github.com/glpi-project/glpi/releases/tag/10.0.7

Also attached the Poudriere testport logs.
Created attachment 242023: Poudriere logs for 10.0.7
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field. Thanks!
(In reply to Fernando Apesteguía from comment #2) Done!
Thanks! Note to self: Add vuxml entry.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6fd976d1b3a5d248248c1c44393a7c921af9caea

commit 6fd976d1b3a5d248248c1c44393a7c921af9caea
Author:     Mathias Monnerville <mathias@monnerville.com>
AuthorDate: 2023-05-08 09:38:32 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-05-08 12:59:03 +0000

    www/glpi: Security Update to 10.0.7

    ChangeLog: https://github.com/glpi-project/glpi/releases/tag/10.0.7

    * [SECURITY - High] SQL injection and Stored XSS via inventory agent request
    * [SECURITY - High] Account takeover by authenticated user
    * [SECURITY - High] SQL injection through dynamic reports
    * [SECURITY - Moderate] Stored XSS through dashboard administration
    * [SECURITY - Moderate] Stored XSS on external links
    * [SECURITY - Moderate] Reflected XSS in search pages
    * [SECURITY - Moderate] Privilege Escalation from technician to super-admin
    * [SECURITY - Low] Blind Server-Side Request Forgery
    * [SECURITY] Optional GLPI router to be able to use a safer web server root directory.
    * [FEATURE] Support of SMTP OAuth authentication.
    * [FEATURE] Improved inventory file upload feature.
    * [FIX] Many fixes and improvements on native inventory.
    * [FIX] Some bugs on PHP 8.2.
    * [FIX] Caching issues on entities.
    * [FIX] Boolean FullText operator not working on knowledge base search.
    * [FIX] Unexpected search results when using negative condition on ticket actors.
    * [FIX] Issues with LDAP filters/DN.
    * [FIX] Unexpected results when searching on knowledge base categories.

    PR:          271286
    Reported by: mathias@monnerville.com (maintainer)
    Security:    CVE-2023-28632 CVE-2023-28633 CVE-2023-28634 CVE-2023-28636 CVE-2023-28639 CVE-2023-28838 CVE-2023-28849 CVE-2023-28852

 www/glpi/Makefile  |   5 +-
 www/glpi/distinfo  |   6 +-
 www/glpi/pkg-plist | 170 ++++++++++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 156 insertions(+), 25 deletions(-)
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=95e26d5f86a1277a5966a505d03cd11ac71e1875

commit 95e26d5f86a1277a5966a505d03cd11ac71e1875
Author:     Mathias Monnerville <mathias@monnerville.com>
AuthorDate: 2023-05-08 09:38:32 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-05-08 13:01:39 +0000

    www/glpi: Security Update to 10.0.7

    ChangeLog: https://github.com/glpi-project/glpi/releases/tag/10.0.7

    * [SECURITY - High] SQL injection and Stored XSS via inventory agent request
    * [SECURITY - High] Account takeover by authenticated user
    * [SECURITY - High] SQL injection through dynamic reports
    * [SECURITY - Moderate] Stored XSS through dashboard administration
    * [SECURITY - Moderate] Stored XSS on external links
    * [SECURITY - Moderate] Reflected XSS in search pages
    * [SECURITY - Moderate] Privilege Escalation from technician to super-admin
    * [SECURITY - Low] Blind Server-Side Request Forgery
    * [SECURITY] Optional GLPI router to be able to use a safer web server root directory.
    * [FEATURE] Support of SMTP OAuth authentication.
    * [FEATURE] Improved inventory file upload feature.
    * [FIX] Many fixes and improvements on native inventory.
    * [FIX] Some bugs on PHP 8.2.
    * [FIX] Caching issues on entities.
    * [FIX] Boolean FullText operator not working on knowledge base search.
    * [FIX] Unexpected search results when using negative condition on ticket actors.
    * [FIX] Issues with LDAP filters/DN.
    * [FIX] Unexpected results when searching on knowledge base categories.

    PR:          271286
    Reported by: mathias@monnerville.com (maintainer)
    Security:    CVE-2023-28632 CVE-2023-28633 CVE-2023-28634 CVE-2023-28636 CVE-2023-28639 CVE-2023-28838 CVE-2023-28849 CVE-2023-28852

    (cherry picked from commit 6fd976d1b3a5d248248c1c44393a7c921af9caea)

 www/glpi/Makefile  |   7 ++-
 www/glpi/distinfo  |   6 +-
 www/glpi/pkg-plist | 170 ++++++++++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 157 insertions(+), 26 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ed9db3818d7f005456e6870bb3e73dacc7667c58

commit ed9db3818d7f005456e6870bb3e73dacc7667c58
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-05-08 11:55:58 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-05-08 13:03:02 +0000

    security/vuxml: Multiple glpi vulnerabilities

    CVE-2023-28849
    CVE-2023-28632
    CVE-2023-28838
    CVE-2023-28852
    CVE-2023-28636
    CVE-2023-28639
    CVE-2023-28634
    CVE-2023-28633

    PR:          271286
    Reported by: mathias@monnerville.com

 security/vuxml/vuln/2023.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
Committed and merged to 2022Q3, Thanks!