After several weeks, Teclib’ is happy to announce the release of GLPI 9.5.6.
This release fixes several security issues that have recently been discovered. Updating is strongly recommended!
You can download the GLPI 9.5.6 archive from GitHub.
You'll find below the list of security issues fixed in this bugfix version:
- [SECURITY] Disclosure of GLPI and server information in the telemetry endpoint [CVE-2021-39211]
- [SECURITY] Autologin cookie accessible to scripts [CVE-2021-39210]
- [SECURITY] Bypassable CSRF protection on AJAX endpoints [CVE-2021-39209]
- [SECURITY] Bypassable IP restriction on the GLPI API using custom header injection [CVE-2021-39213]
On this last issue: any client could send an `X-Forwarded-For` header (exposed to PHP as `HTTP_X_FORWARDED_FOR`) carrying a spoofed source address and thereby bypass the IP restriction of the REST API, because that header was trusted regardless of who sent it. We removed the parsing of this header entirely. API clients that reach GLPI through a reverse proxy may be affected and lose access to the API, since GLPI now only sees the proxy's address in `REMOTE_ADDR`. We recommend configuring the web server serving GLPI to rewrite `REMOTE_ADDR` with the real client address taken from its own trusted proxy (for example with Apache's mod_remoteip or nginx's real_ip module), so that the decision of which forwarded header to believe is made by the component that knows which proxies are legitimate, not by GLPI.
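To make the bypass and the fix concrete, here is an added example (not GLPI's code, and the IP ranges and request data below are constructed for the demonstration). It contrasts a resolver that trusts `X-Forwarded-For` from anyone, which is the behaviour the advisory describes, with one that only honours the header when the TCP peer is a configured proxy, walking the hop list from the right so an attacker-supplied prefix cannot override the address the proxy appended.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed allowlist: the API is meant to be reachable only from these ranges.
API_ALLOWLIST = ["127.0.0.1/32", "192.168.1.0/24"]


def _parse(ip: str):
    """Return an ip_address object, or None if the string is not a valid IP."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def client_ip_vulnerable(environ: dict) -> str:
    """Pattern the advisory warns about (reconstructed, not GLPI's code):
    the forwarded header wins whenever it is present, whoever sent it."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip_hardened(environ: dict, trusted_proxies: Iterable[str] = ()) -> str:
    """Only believe X-Forwarded-For when the TCP peer (REMOTE_ADDR) is a trusted
    proxy. Hops are walked right-to-left: the rightmost entry was appended by the
    proxy that talked to us, so the first hop that is NOT a trusted proxy is the
    real client. With no trusted proxies configured this is just REMOTE_ADDR,
    which is what GLPI 9.5.6 does after removing the header parsing."""
    remote = environ["REMOTE_ADDR"]
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        addr = _parse(ip)
        return addr is not None and any(addr in net for net in trusted)

    if not trusted or not is_trusted(remote):
        return remote

    hops: List[str] = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            return remote  # malformed header: fall back to the TCP peer
        if not is_trusted(hop):
            return hop
    return remote  # every hop was one of our proxies; nothing better than the peer


def api_allowed(ip: str, allowlist: Iterable[str] = API_ALLOWLIST) -> bool:
    """The IP restriction check itself: is the resolved client address in the allowlist?"""
    addr = _parse(ip)
    return addr is not None and any(addr in ipaddress.ip_network(n) for n in allowlist)


# Constructed requests. The attacker's real address is 203.0.113.5; it claims to be localhost.
ATTACK_DIRECT = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
# Same attacker, but arriving through the legitimate proxy 10.0.0.2, which appended the real peer.
ATTACK_VIA_PROXY = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "127.0.0.1, 203.0.113.5"}
# A legitimate intranet client behind the same proxy.
LEGIT_VIA_PROXY = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "192.168.1.20"}
TRUSTED_PROXIES = ["10.0.0.0/8"]

if __name__ == "__main__":
    for name, env in [("direct attack", ATTACK_DIRECT), ("attack via proxy", ATTACK_VIA_PROXY), ("legit via proxy", LEGIT_VIA_PROXY)]:
        vuln = client_ip_vulnerable(env)
        hard = client_ip_hardened(env, TRUSTED_PROXIES)
        print(f"{name:17} vulnerable -> {vuln} allowed={api_allowed(vuln)} | hardened -> {hard} allowed={api_allowed(hard)}")
```

Running it shows the direct attack is allowed by the vulnerable resolver and rejected by the hardened one, while the legitimate client behind the proxy is still admitted. Note that the hardened resolver with an empty proxy list reduces to `REMOTE_ADDR`, which is why a deployment behind a reverse proxy must move the address rewriting into the web server once GLPI stops reading the header itself.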
Also, here is a short list of important bugfixes in this version:
- FIX Mailgate “Missing type for Ticket template” warning
- FIX Display of images in tickets from collected mails
- FIX Encoding issue with emails in GB2312 containing special characters
- FIX Emails rules not working after upgrading to 9.5.5
- FIX Incorrect KPIs Dashboards compared to the GLPI filter
- FIX LDAP user being marked as deleted after a failed password check
- FIX Prevent use of date filters on full LDAP sync
The full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!