| Field | Value |
|---|---|
| Summary: | www/glpi: update 10.0.7 -> 10.0.10 |
| Product: | Ports & Packages |
| Component: | Individual Port(s) |
| Reporter: | Kurt Jaeger <pi> |
| Assignee: | Kurt Jaeger <pi> |
| Status: | Closed Overcome By Events |
| Severity: | Affects Only Me |
| CC: | andrej, fernape, mathias, philip, pi, tomas |
| Priority: | --- |
| Flags: | mathias: maintainer-feedback+ |
| Version: | Latest |
| Hardware: | Any |
| OS: | Any |
| URL: | https://github.com/glpi-project/glpi/releases |
Description
Kurt Jaeger
2023-07-23 20:49:33 UTC
This is a security fix release.

Thanks for reporting, will send a patch later today.

Created attachment 243581 [details]
patch

Oops, sorry, I had this patch already. Failed to attach it to the PR.

(In reply to Kurt Jaeger from comment #1)
Please, remember to add a security/vuxml entry. You can try with:

cd security/vuxml && make newentry CVE_ID=CVE-2023-37278

^Triage: reporter is committer, assign accordingly.

Update 10.0.7 -> 10.0.10

Didn't want to open a new bug... Runs fine in production on my system, upgraded from 10.0.7.

Changelogs:

10.0.8

You will find below the list of security issues fixed in this bugfix version:

- [SECURITY - High] SQL injection via inventory agent request (CVE-2023-35924).
- [SECURITY - High] SQL injection through Computer Virtual Machine information (CVE-2023-36808).
- [SECURITY - High] Unauthorized access to Dashboard data (CVE-2023-35939).
- [SECURITY - High] Unauthenticated access to Dashboard data (CVE-2023-35940).
- [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-34244).
- [SECURITY - Moderate] Unauthorized access to knowledge base items (CVE-2023-34107).
- [SECURITY - Moderate] Unauthorized access to user data (CVE-2023-34106).

Also, here is a short list of main changes done in this version:

- [FEATURE] Improve mail grouping (#14296)
- [FEATURE] Add deleted status in item's header (#14382)
- [FEATURE] Add option to control the display of dropdown labels (#14472)
- [FEATURE] Permits checking the DB schema from GLPI versions >= 0.80 (#14666)
- [FIX] Improve performance of plugins init (#14511)
- [FIX] Improve performance of kanban views (#14525, #14599, #14764)
- [FIX] LDAP issues with PHP versions >= 8.1 (#14561)
- [FIX] SLA waiting time duration (#14937)
- [FIX] Notification encoding for MS Outlook (#14959)
- A lot of fixes in native inventory

10.0.9

You will find below the security issue fixed in this bugfix version:

- [SECURITY - Moderate] SQL injection in dashboard administration (CVE-2023-37278).

Following the last release of 10.0.8, a few annoying issues have been detected:

- Update script uses a SQL function incompatible with MySQL 5.7 (#15141)
- Private follow-ups and tasks are invisible to users with appropriate rights (#15128)
- Several minor fixes

10.0.10

You will find below the security issues fixed in this bugfix version:

- [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
- [SECURITY - High] Account takeover via SQL Injection in UI layout preferences (CVE-2023-41320).
- [SECURITY - High] Account takeover via Kanban feature (CVE-2023-41326).
- [SECURITY - High] Account takeover through API (CVE-2023-41324).
- [SECURITY - High] File deletion through document upload process (CVE-2023-42462).
- [SECURITY - Moderate] Sensitive fields enumeration through API (CVE-2023-41321).
- [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-41322).
- [SECURITY - Moderate] Users login enumeration by unauthenticated user (CVE-2023-41323).
- [SECURITY - Moderate] Phishing through a login page malicious URL (CVE-2023-41888).
- [SECURITY - Moderate] SQL injection in ITIL actors (CVE-2023-42461).

Also, here is a short list of main changes done in this version:

- [FEATURE] PHP 8.3 and MySQL 8.1 support.
- [FEATURE] Enable usage of images in rich text of followups/tasks/solution templates.
- [PERFORMANCES] Improve ticket timeline rendering performance.
- [FIX] Fix issues with usage of LDAP bind options.
- [FIX] Fix some issues on SLA/OLA escalation levels computation.
- [FIX] Fix some issues on search on numeric and date fields.
- Several minor fixes

Created attachment 245561 [details]
Update diff 10.0.7 --> 10.0.10

Created attachment 245562 [details]
portlint log

Created attachment 245563 [details]
poudriere log

Created attachment 245565 [details]
Update diff 10.0.7 --> 10.0.10 + vuln entries

Removed the Ignore line for php83, added vuxml entries, fixed ranges for entries from 2020.

testbuilds@work

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bfbac64ead7739a1c54d29a6f920f960ec5eaed4

commit bfbac64ead7739a1c54d29a6f920f960ec5eaed4
Author:     Andrej Ebert <andrej@ebert.su>
AuthorDate: 2023-10-12 06:17:28 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2023-10-12 06:17:28 +0000

    www/glpi: update 10.0.7 -> 10.0.10

    - Several security fixes are included, upgrade is recommended

    Changes:     https://github.com/glpi-project/glpi/releases
    PR:          272685
    Approved-by: mathias@monnerville.com (maintainer)
    Author:      Andrej Ebert <andrej@ebert.su>

 www/glpi/Makefile  |   3 +-
 www/glpi/distinfo  |   6 +-
 www/glpi/pkg-plist | 194 +++++++++++++++++++++++++++++++++++++++--------------
 3 files changed, 146 insertions(+), 57 deletions(-)

TODO: add vuxml patch

(In reply to Kurt Jaeger from comment #12)
Thanks for committing. Don't know if you've seen it, but there's a bug open for the vuxml entries: bug #255948

(In reply to Andrej Ebert from comment #13)
Yes, I'll have a look at the vuxml patch this weekend.

(In reply to Kurt Jaeger from comment #14)
Hello, any chance to get it done?

glpi 10.0.10 on its way, yuri@ has committed today in the ports tree.

Overcome by events: glpi 10.0.14 was committed today.