Next | Query returned 25 messages, browsing 1 to 10 | Previous


CVS Commit History:


   2024-02-19 16:43:37 by Takahiro Kambe | Files touched by this commit (22)
Log message:
Bump PKGREVISION by changing default PHP's version
   2024-02-08 12:47:15 by Hauke Fath | Files touched by this commit (3) | Package updated
Log message:
Update www/php-glpi to v10.0.12

From upstream's changelog:

[10.0.12]
You will find below the list of security issues fixed in this bugfixes version:

    [SECURITY - moderate] Reflected XSS in reports pages (CVE-2024-23645)
    [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)

Also, here is a short list of main changes done in this version:

    [FIX] Regression with entity selector missing cache invalidation
    [FIX] Better handling of connection issues during LDAP synchronization
    [PERF] The entity selector gets a significant reduction of load time
    in some cases

[10.0.11]
You will find below the list of security issues fixed in this bugfixes version:

    [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
    [SECURITY - high] SQL injection through inventory agent request
    (CVE-2023-46727)
    [SECURITY - high] Remote code execution from LDAP server
    configuration form on PHP 7.4 (CVE-2023-46726)

On this last point, we wanted to recall that the 7.4 version of PHP is very
outdated and not supported anymore by the developers!  You should
upgrade to a recent version, at least 8.2 (8.0 will be outdated at the
end of the year and 8.1 will only receive security fixes).

Also, here is a short list of main changes done in this version:

    [UX] Enhance pending reasons display
    [FIX] various LDAP fixes (timeout, location import,
    deletion/restoration scenarios)
    [FIX] several inventory fixes (unmanaged assets reconciliation,
    rules for phones, rules logs for discovery, Cisco stacks, removal
    of remote management)
    [FIX] several performance enhancements (defer entity tree loading,
    strong enhancement on actors loading, all assets query execution
    time, web cron removal, dual ajax call for tab loading)
    [TASK] highlights of security requirements on install/update
    page. Some options like PHP versions, web folder setup are
    suggested with a strong visual.

[10.0.10]
You will find below security issues fixed in this bugfixes version:

    [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
    [SECURITY - High] Account takeover via SQL Injection in UI layout
    preferences (CVE-2023-41320).
    [SECURITY - High] Account takeover via Kanban feature (CVE-2023-41326).
    [SECURITY - High] Account takeover through API (CVE-2023-41324).
    [SECURITY - High] File deletion through document upload process
    (CVE-2023-42462).
    [SECURITY - Moderate] Sensitive fields enumeration through API
    (CVE-2023-41321).
    [SECURITY - Moderate] Privilege Escalation from technician to
    super-admin (CVE-2023-41322).
    [SECURITY - Moderate] Users login enumeration by unauthenticated
    user (CVE-2023-41323).
    [SECURITY - Moderate] Phishing through a login page malicious URL
    (CVE-2023-41888).
    [SECURITY - Moderate] SQL injection in ITIL actors (CVE-2023-42461).

Also, here is a short list of main changes done in this version:

    [FEATURE] PHP 8.3 and MySQL 8.1 support.
    [FEATURE] Enable usage of images in rich text of
    followups/tasks/solution templates.
    [PERFORMANCES] Improve ticket timeline rendering performances.
    [FIX] Fix issues with usage of LDAP bind options.
    [FIX] Fix some issues on SLA/OLA escalation levels computation.
    [FIX] Fix some issues on search on numeric and dates fields.
    Several minor fixes

[10.0.9]
You will find below the security issue fixed in this bugfixes version:

    [SECURITY - Moderate] SQL injection in dashboard administration
    (CVE-2023-37278).

Following the last release of 10.0.8, a few annoying issues have been detected:

    Update script uses a SQL function incompatible with MySQL 5.7 (#15141)
    Private follow-ups and tasks are invisible to users with
    appropriate rights (#15128)
    Several minor fixes

[10.0.8]
You will find below the list of security issues fixed in this bugfixes version:

    [SECURITY - High] SQL injection via inventory agent request (CVE-2023-35924).
    [SECURITY - High] SQL injection through Computer Virtual Machine
    information (CVE-2023-36808).
    [SECURITY - High] Unauthorized access to Dashboard data (CVE-2023-35939).
    [SECURITY - High] Unauthenticated access to Dashboard data (CVE-2023-35940).
    [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-34244).
    [SECURITY - Moderate] Unauthorized access to knowledge base items
    (CVE-2023-34107).
    [SECURITY - Moderate] Unauthorized access to user data (CVE-2023-34106).

Also, here is a short list of main changes done in this version:

    [FEATURE] Improve mail grouping (#14296)
    [FEATURE] Add deleted status in item's header (#14382)
    [FEATURE] Add option to control the display of dropdowns labels (#14472)
    [FEATURE] Permits to check DB schema from GLPI versions >= 0.80 (#14666)
    [FIX] Improve performance of plugins init (#14511)
    [FIX] Improve performance of kanban views (#14525, #14599, #14764)
    [FIX] Ldap issues with PHP versions >= 8.1 (#14561)
    [FIX] SLA waiting time duration (#14937)
    [FIX] Notification encoding for MS Outlook (#14959)
    A lot of fixes in native inventory

[10.0.7]
You will find below the list of security issues fixed in this bugfixes version:

    [SECURITY - High] SQL injection and Stored XSS via inventory agent
    request (CVE-2023-28849).
    [SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
    [SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
    [SECURITY - Moderate] Stored XSS through dashboard administration
    (CVE-2023-28852).
    [SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
    [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
    [SECURITY - Moderate] Privilege Escalation from technician to
    super-admin (CVE-2023-28634).
    [SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS
    feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

    [SECURITY] Optional GLPI router to be able to use a safer web
    server root directory.
    [FEATURE] Support of SMTP OAuth authentication.
    [FEATURE] Improved inventory file upload feature.
    [FIX] Many fixes and improvements on native inventory.
    [FIX] Some bugs on PHP 8.2.
    [FIX] Caching issues on entities.
    [FIX] Boolean FullText operator not working on knowledge base search.
    [FIX] Unexpected search results when using negative condition on
    ticket actors.
    [FIX] Issues with LDAP filters/DN.
    [FIX] Unexpected results when searching on knowledge base categories.

[10.0.6]
You will find below the list of security issues fixed in this bugfixes version:

    [SECURITY - High] Unauthorized access to inventory files (CVE-2023-22500)
    [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
    [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
    [SECURITY - Moderate] XSS in RSS Description Link (CVE-2023-22724)
    [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
    [SECURITY - Low] Stored XSS inside Standard Interface Help Link
    href attribute (CVE-2022-41941)

Also, here is a short list of main changes done in this version:

    [FEATURE] Unmanaged devices can be handled like a real asset.
    [FEATURE] Handle more actions for stale inventory agents.
    [FEATURE] Added new dictionary rules for OS.
    [CHANGED] Removed glpi: prefix on console commands.
    [FIX] PHP 8.2 support.
    [FIX] Many fixes and improvements on native inventory.
    [FIX] Reservation display on self-service profile.
    [FIX] Mail collector issues with emails sent from Outlook.
    [FIX] Dashboard issues on "All" tab.
    [FIX] Ticket input is restored when submitted form is not complete.
    [FIX] Notification was not sent when ticket status was set to "pending".

[10.0.5]
Following the last releases of 10.0.4 and 9.5.10, an annoying issue
has been detected in one of the security fixes provided.  The user is
logged out when he tries to switch to another entity.

[10.0.4]
You will find below the list of security issues fixed in this bugfixes version:

    [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
    [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
    [SECURITY - Low] Stored XSS in entity name (CVE-2022-39373)
    [SECURITY - Low] Improper input validation on emails links (CVE-2022-39376)
    [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
    [SECURITY - Moderate] User's session persists after permanently
    deleting his account (CVE-2022-39234)
    [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
    [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
    [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
    [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)
    [SECURITY - High] Stored XSS through asset inventory (CVE-2022-39371)

Also, here is a short list of main changes done in this version:

    [FIX] Increase significantly dashboards performance
    [FIX] Several bugs on images pasting
    [FIX] Fixed and improved inventory locks management
    [FIX] Display of printer cartridges
    [FIX] Display and hide actors tooltips in tickets
    [FIX] Improve display of headers above forms
    [FIX] Move breakpoints on responsive displays
    [SECURITY] Inventory API is now disabled by default
    [FEATURE] Dedicated rights have been added for inventory

[10.0.3]
You will find below the list of security issues fixed in this bugfixes version:

    [SECURITY] XSS through registration API (CVE-2022-35945)
    [SECURITY] Leak of sensitive information through login page error
    (CVE-2022-31143)
    [SECURITY] Stored XSS through global search (CVE-2022-31187)
    [SECURITY] [critical] Command injection using a third-party
    library script (CVE-2022-35914)
    [SECURITY] SQL injection through plugin controller (CVE-2022-35946)
    [SECURITY] [critical] Authentication via SQL injection (CVE-2022-35947)
    [SECURITY] Blind Server-Side Request Forgery (SSRF) in RSS feeds
    and planning (CVE-2022-36112)

Also, here is a short list of main changes done in this version:

    [FEATURE] More precise rights checks on inventory (#12610)
    [FEATURE] Display of last inventoried value for locked fields (#12602)
    [FEATURE] Permit to use rules to add computers as virtual machines (#12572)
    [SECURITY] Delegate session cookies security to sysadmin (#12302)
    [FIX] Prevent collector failure on invalid mail header (#12232)
    [FIX] Many fixes on network inventory
   2023-11-13 17:34:04 by Takahiro Kambe | Files touched by this commit (20)
Log message:
Bump PKGREVISION by PHP_VERSION_DEFAULT change.
   2022-08-16 15:52:48 by Hauke Fath | Files touched by this commit (4) | Package updated
Log message:
Upgrade www/php-glpi from 9.4.6 to 10.0.2

This is a major update, providing fixes to multiple security
vulnerabilities, compatibility with current PHP and MySQL/Mariadb
versions. An extensive changelog is at
<https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md>.
   2021-12-29 07:05:19 by Takahiro Kambe | Files touched by this commit (16)
Log message:
Retire of php73, PHP 7.3.x.
   2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030)
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts):
www/nghttp2/distinfo

Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
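The double-check mentioned in that commit (recomputing each distfile's digests and comparing them with what distinfo records) is easy to reproduce. What follows is an added example, not pkgsrc's own `mk/checksum` or `digest(1)` machinery: it parses the distinfo line layout (`ALG (file) = value`, plus `Size (file) = N bytes`), recomputes BLAKE2s, SHA512 and the size with `hashlib`, and treats a missing required line as a failure. The distinfo text and the distfile bytes are constructed in the script; the file name `glpi-10.0.12.tgz` is borrowed from the package but the bytes are not the real tarball.

```python
"""Verify pkgsrc-style distinfo checksums for a distfile.

Added example: not pkgsrc's own tooling. The distinfo text and the
distfile bytes are constructed below so the script runs offline.
"""
import hashlib
import re

# One checksum per line, e.g.
#   BLAKE2s (glpi-10.0.12.tgz) = <hex>
#   Size (glpi-10.0.12.tgz) = 1234 bytes
_LINE = re.compile(r"^(?P<alg>\w+) \((?P<file>[^)]+)\) = (?P<val>\S+)( bytes)?$")

# Algorithms this checker knows how to recompute. RMD160 is left out on
# purpose: it is not available in every OpenSSL build behind hashlib.
_HASHERS = {
    "BLAKE2s": lambda d: hashlib.blake2s(d).hexdigest(),
    "SHA512": lambda d: hashlib.sha512(d).hexdigest(),
    "SHA1": lambda d: hashlib.sha1(d).hexdigest(),
}

# Every distfile entry must carry these; patches only carry SHA1.
REQUIRED = ("BLAKE2s", "SHA512", "Size")


def parse_distinfo(text):
    """Return {filename: {algorithm: recorded value}} from distinfo contents."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # $NetBSD$ header line, blank lines
        entries.setdefault(m["file"], {})[m["alg"]] = m["val"]
    return entries


def verify_distfile(entries, name, data, required=REQUIRED):
    """Check every recorded checksum for `name` against `data`.

    Returns (ok, problems). A missing required algorithm is a failure,
    not a skip: someone who can edit distinfo could otherwise just delete
    the line for the digest they cannot forge.
    """
    recorded = entries.get(name)
    if recorded is None:
        return False, [f"{name}: no distinfo entry"]
    problems = [f"{name}: missing {alg} line" for alg in required if alg not in recorded]
    for alg, expected in recorded.items():
        if alg == "Size":
            actual = str(len(data))
        elif alg in _HASHERS:
            actual = _HASHERS[alg](data)
        else:
            problems.append(f"{name}: unknown algorithm {alg}")
            continue
        if actual != expected:
            problems.append(f"{name}: {alg} mismatch")
    return not problems, problems


# Constructed stand-in for the tarball (not the real GLPI distfile).
DISTFILE_NAME = "glpi-10.0.12.tgz"
DISTFILE_DATA = b"constructed stand-in for the GLPI tarball\n" * 64


def make_distinfo(name, data):
    """Build distinfo text in the pkgsrc line layout (assumed, see lead-in)."""
    return "\n".join([
        "$NetBSD$",
        "",
        f"BLAKE2s ({name}) = {hashlib.blake2s(data).hexdigest()}",
        f"SHA512 ({name}) = {hashlib.sha512(data).hexdigest()}",
        f"Size ({name}) = {len(data)} bytes",
        "SHA1 (patch-aa) = " + hashlib.sha1(b"--- constructed patch\n").hexdigest(),
        "",
    ])


DISTINFO = make_distinfo(DISTFILE_NAME, DISTFILE_DATA)

if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    print("pristine:", verify_distfile(entries, DISTFILE_NAME, DISTFILE_DATA))
    # Same length, one byte changed: Size still matches, both digests do not.
    tampered = DISTFILE_DATA[:-1] + b"!"
    print("tampered:", verify_distfile(entries, DISTFILE_NAME, tampered))
```

The `required` check is the part worth keeping when adapting this: a verifier that only checks whatever lines happen to be present gives no protection against a distinfo edit that removes a line, which is exactly the kind of change a bulk checksum-replacement commit like the one above has to be cross-checked for.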
   2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033)
Log message:
www: Remove SHA1 hashes for distfiles
   2021-06-23 22:33:18 by Nia Alarie | Files touched by this commit (103)
Log message:
Revbump for MySQL default change
   2021-03-07 14:37:28 by Takahiro Kambe | Files touched by this commit (2)
Log message:
Mark these packages not for php80.
   2020-05-19 16:39:56 by Hauke Fath | Files touched by this commit (1)
Log message:
Clarifications.
