GLPI 10.0.11
13 December 2023
GLPI version 10.0.11 is now available (security release).
Upgrading to GLPI 10.0.11
GLPI 10.0.11 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply GLPI updates as new versions are released, or use Installatron's Clone feature to duplicate an existing GLPI install to test the 10.0.11 upgrade prior to applying it live.
What's New in GLPI 10.0.11
Security
- Authenticated SQL Injection (CVE-2023-43813)
- SQL injection through inventory agent request (CVE-2023-46727)
- Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
Bug Fixes and Changes
- Enhance pending reasons display
- Various LDAP fixes (timeout, location import, deletion/restoration scenarios)
- Several inventory fixes (unmanaged assets reconciliation, rules for phones, rules logs for discovery, Cisco stacks, removal of remote management)
- Several performance enhancements (defer entity tree loading, strong enhancement on actors loading, all assets query execution time, web cron removal, dual AJAX call for tab loading)
- Security requirements are highlighted on the install/update page. Some options, such as PHP version and web folder setup, are suggested with a strong visual cue.
- Dozens of bug fixes
Deprecated
- Usage of the `DBmysql::query()` method is deprecated for security reasons, as it is most of the time used in an insecure way. To execute DB queries, either use `DBmysql::request()` to craft the query with the GLPI query builder, or use `DBmysql::doQuery()` to execute a safe query from a self-crafted SQL string. To avoid cluttering error logs, this deprecation will not trigger any error unless the `GLPI_STRICT_DEPRECATED` constant is set to `true`.