Bug 272685 - www/glpi: update 10.0.7 -> 10.0.10
Summary: www/glpi: update 10.0.7 -> 10.0.10
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kurt Jaeger
URL: https://github.com/glpi-project/glpi/...
Keywords:
Depends on:
Blocks:
Reported: 2023-07-23 20:49 UTC by Kurt Jaeger
Modified: 2024-04-22 05:46 UTC
CC: 6 users

See Also:
Flags: mathias: maintainer-feedback+


Attachments
patch (1.99 KB, patch), 2023-07-24 06:09 UTC, Kurt Jaeger, flags: pi: maintainer-approval?
Update diff 10.0.7 --> 10.0.10 (21.14 KB, patch), 2023-10-11 09:52 UTC, Andrej Ebert, no flags
portlint log (287 bytes, text/plain), 2023-10-11 09:53 UTC, Andrej Ebert, no flags
poudriere log (34.85 KB, text/plain), 2023-10-11 09:53 UTC, Andrej Ebert, no flags
Update diff 10.0.7 --> 10.0.10 + vuln entries (45.51 KB, patch), 2023-10-11 13:18 UTC, Andrej Ebert, flags: andrej: maintainer-approval?

Description Kurt Jaeger freebsd_committer freebsd_triage 2023-07-23 20:49:33 UTC
Testbuild looks fine.
Comment 1 Kurt Jaeger freebsd_committer freebsd_triage 2023-07-23 20:50:21 UTC
This is a security fix release.
Comment 2 Mathias Monnerville 2023-07-24 05:50:11 UTC
Thanks for reporting, will send a patch later today.
Comment 3 Kurt Jaeger freebsd_committer freebsd_triage 2023-07-24 06:09:31 UTC
Created attachment 243581 [details]
patch

Oops, sorry, I had this patch already. Failed to attach it to the PR.
Comment 4 Fernando Apesteguía freebsd_committer freebsd_triage 2023-07-24 08:26:55 UTC
(In reply to Kurt Jaeger from comment #1)
Please, remember to add a security/vuxml entry. You can try with:

cd security/vuxml && make newentry CVE_ID=CVE-2023-37278

^Triage: reporter is committer, assign accordingly.
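An added example, not from this bug or the ports tree, of the kind of entry that `make newentry` scaffolds in security/vuxml for the fixes that shipped in 10.0.10, together with a simplified form of the range check pkg-audit(8) performs against it. The vid, discovery date and topic wording are constructed placeholders, and the version comparison assumes plain dotted numeric versions; the upper bound is the release that ships the fix, so issues fixed in 10.0.8 or 10.0.9 belong in separate entries with their own bounds.

```python
import xml.etree.ElementTree as ET
# Constructed entry in the shape "make newentry" scaffolds: only the two 10.0.10
# CVEs from the bug are listed; the vid and discovery date are placeholders.
VUXML_ENTRY = """<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>glpi -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>glpi</name>
      <range><lt>10.0.10</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The GLPI project reports that 10.0.10 fixes an unallowed PHP script execution
      and an account takeover via SQL injection in UI layout preferences.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2023-42802</cvename>
    <cvename>CVE-2023-41320</cvename>
    <url>https://github.com/glpi-project/glpi/releases</url>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery>
    <entry>2023-10-11</entry>
  </dates>
</vuln>"""

# Bound elements VuXML allows inside <range>; every bound in one <range> must hold.
BOUNDS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
          "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b}

def version_key(version):
    # Simplification: plain dotted numeric versions, so 10.0.7 sorts below 10.0.10
    # numerically; real pkg(8) comparison also understands suffixes such as _1 or ,1.
    return tuple(int(part) for part in version.split("."))

def in_range(version, rng):
    mine = version_key(version)
    return all(BOUNDS[bound.tag](mine, version_key(bound.text)) for bound in rng)

def affecting_cves(entry_xml, pkgname, version):
    # The check pkg-audit(8) does: the entry's CVEs apply when the package name
    # matches and the installed version falls inside any of its <range> elements.
    vuln = ET.fromstring(entry_xml)
    for pkg in vuln.iter("package"):
        if pkg.findtext("name") == pkgname and any(in_range(version, r) for r in pkg.findall("range")):
            return [c.text for c in vuln.iter("cvename")]
    return []
```

After adding the entry to vuln.xml, `make validate` in security/vuxml checks it against the DTD before it is committed.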
Comment 5 Andrej Ebert 2023-10-11 09:52:24 UTC
Update 10.0.7 -> 10.0.10

Didn't want to open a new bug...

Runs fine in production on my system, upgraded from 10.0.7.

Changelogs:

10.0.8

You will find below the list of security issues fixed in this bugfix version:

[SECURITY - High] SQL injection via inventory agent request (CVE-2023-35924).
[SECURITY - High] SQL injection through Computer Virtual Machine information (CVE-2023-36808).
[SECURITY - High] Unauthorized access to Dashboard data (CVE-2023-35939).
[SECURITY - High] Unauthenticated access to Dashboard data (CVE-2023-35940).
[SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-34244).
[SECURITY - Moderate] Unauthorized access to knowledge base items (CVE-2023-34107).
[SECURITY - Moderate] Unauthorized access to user data (CVE-2023-34106).
Also, here is a short list of main changes done in this version:

[FEATURE] Improve mail grouping (#14296)
[FEATURE] Add deleted status in item's header (#14382)
[FEATURE] Add option to control the display of dropdowns labels (#14472)
[FEATURE] Permits to check DB schema from GLPI versions >= 0.80 (#14666)
[FIX] Improve performance of plugins init (#14511)
[FIX] Improve performance of kanban views (#14525, #14599, #14764)
[FIX] Ldap issues with PHP versions >= 8.1 (#14561)
[FIX] SLA waiting time duration (#14937)
[FIX] Notification encoding for MS Outlook (#14959)
A lot of fixes in native inventory

10.0.9

You will find below the security issue fixed in this bugfix version:

[SECURITY - Moderate] SQL injection in dashboard administration (CVE-2023-37278).
Following the last release of 10.0.8, a few annoying issues have been detected:

Update script uses a SQL function incompatible with MySQL 5.7 (#15141)
Private follow-ups and tasks are invisible to users with appropriate rights (#15128)
Several minor fixes


10.0.10

You will find below the security issues fixed in this bugfix version:

[SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
[SECURITY - High] Account takeover via SQL Injection in UI layout preferences (CVE-2023-41320).
[SECURITY - High] Account takeover via Kanban feature (CVE-2023-41326).
[SECURITY - High] Account takeover through API (CVE-2023-41324).
[SECURITY - High] File deletion through document upload process (CVE-2023-42462).
[SECURITY - Moderate] Sensitive fields enumeration through API (CVE-2023-41321).
[SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-41322).
[SECURITY - Moderate] Users login enumeration by unauthenticated user (CVE-2023-41323).
[SECURITY - Moderate] Phishing through a login page malicious URL (CVE-2023-41888).
[SECURITY - Moderate] SQL injection in ITIL actors (CVE-2023-42461).
Also, here is a short list of main changes done in this version:

[FEATURE] PHP 8.3 and MySQL 8.1 support.
[FEATURE] Enable usage of images in rich text of followups/tasks/solution templates.
[PERFORMANCES] Improve ticket timeline rendering performance.
[FIX] Fix issues with usage of LDAP bind options.
[FIX] Fix some issues on SLA/OLA escalation levels computation.
[FIX] Fix some issues on search on numeric and dates fields.
Several minor fixes
Comment 6 Andrej Ebert 2023-10-11 09:52:54 UTC
Created attachment 245561 [details]
Update diff 10.0.7 --> 10.0.10
Comment 7 Andrej Ebert 2023-10-11 09:53:22 UTC
Created attachment 245562 [details]
portlint log
Comment 8 Andrej Ebert 2023-10-11 09:53:37 UTC
Created attachment 245563 [details]
poudriere log
Comment 9 Andrej Ebert 2023-10-11 13:18:40 UTC
Created attachment 245565 [details]
Update diff 10.0.7 --> 10.0.10 + vuln entries

Removed the Ignore line for php83, added vuxml entries, fixed ranges for entries from 2020.
Comment 10 Kurt Jaeger freebsd_committer freebsd_triage 2023-10-12 05:39:43 UTC
testbuilds@work
Comment 11 commit-hook freebsd_committer freebsd_triage 2023-10-12 06:20:58 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bfbac64ead7739a1c54d29a6f920f960ec5eaed4

commit bfbac64ead7739a1c54d29a6f920f960ec5eaed4
Author:     Andrej Ebert <andrej@ebert.su>
AuthorDate: 2023-10-12 06:17:28 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2023-10-12 06:17:28 +0000

    www/glpi: update 10.0.7 -> 10.0.10

    - Several security fixes are included, upgrade is recommended

    Changes:        https://github.com/glpi-project/glpi/releases
    PR:             272685
    Approved-by:    mathias@monnerville.com (maintainer)
    Author:         Andrej Ebert <andrej@ebert.su>

 www/glpi/Makefile  |   3 +-
 www/glpi/distinfo  |   6 +-
 www/glpi/pkg-plist | 194 +++++++++++++++++++++++++++++++++++++++--------------
 3 files changed, 146 insertions(+), 57 deletions(-)
Comment 12 Kurt Jaeger freebsd_committer freebsd_triage 2023-10-12 06:22:38 UTC
TODO: add vuxml patch
Comment 13 Andrej Ebert 2023-10-12 17:25:44 UTC
(In reply to Kurt Jaeger from comment #12)

Thanks for committing. Don't know if you've seen it, but there's a bug open for the vuxml entries: bug #255948
Comment 14 Kurt Jaeger freebsd_committer freebsd_triage 2023-10-13 20:18:51 UTC
(In reply to Andrej Ebert from comment #13)
Yes, I'll have a look at the vuxml patch this weekend.
Comment 15 Tomáš Čiernik 2024-03-19 11:59:04 UTC
(In reply to Kurt Jaeger from comment #14)
Hello, any chance to get it done?
Comment 16 Mathias Monnerville 2024-03-20 16:11:20 UTC
glpi 10.0.10 is on its way; yuri@ has committed it today in the ports tree.
Comment 17 Philip Paeps freebsd_committer freebsd_triage 2024-04-22 05:46:45 UTC
Overcome by events: glpi 10.0.14 was committed today.