iTOP ITIL ITSM und CMDB Security und Bugfix Update 3.0.3

Die Open Source ITIL ITSM und CMDB Webanwendung iTop, erheilt das Bugfix Update 3.0.3. Das Update schließt 6 Sicherheitslücken, behebt Fehler im Webhook und bringt Änderungen für User, Administratoren und Entwickler.

Das Update kann seit iTop 2.7.0 bequem über das Menü System -> Anwendungsupgrade durchgeführt werden.

iTOP 3.0.3 Release Notes

For users

• N°5919 – Add missing linkset descriptions in french and other languages
• N°5849 – Fix wrong encoding of external keys in “Header with statstics” dashlet
• N°5317 – Handle overlapping tables when table cells have fixed widths
• N°6068 – Setup : restore formatting of error messages
• N°6023 – Restore upload of SVG file in AttributeImage
• N°5918 – Restore activity panel display when DoCheckToWrite fails
• N°5865 – Restore DoCheckToWrite error messages in portal
• N°5834 – Restore activity panel display when creating a Ticket in ‘resolved’ state
• N°5784 – PHP 8.0: restore mandatory attribute in transition form, fixing emptiness test
• N°5729 – Fix disabled button in bulk update/transition when picking a value in a drop-down list
• N°5603 – Restore autocomplete for an external key pointing to an abstract class with no friendlyname
• N°5530 – Fix list of impacted elements (Impact Analysis) due to mixup in async JS files loading
• N°5922 – Ext. key widget: Add class selection on “+” button if child classes exist
• N°2916 – Fix CSV import of IPv6 addresses failing when reconciliation is done on the IP
• N°5428 – Request template: fix autocomplete fields, which could not be master field
• N°6014 – AttributeURL : default validation pattern not handling PRTG URL (containing commas)
• N°5423 – Fix AttributeURL when changing the validation pattern, with a not compliant old value
• N°5625 – Fix dict error when opening a DocumentFile with the ES language
• N°2244 – Fix image attributes not being visible in PDF exports
• N°5588 – Improve PDF export robustness when AttributeImage dimensions cannot be determined

For administrators

• N°5553 – OAuth 2 : secure Client Secret in DB and any change force token regeneration
• N°5430 – OAuth authentication : customize redirect landing URL
• N°5333 – OAuth2: Redirect URL, Client ID or Client Secret changes trigger a message as the token must be regenerated
• N°5867 – Display binary data size in SynchroReplica details
• N°5727 – Fix REST API/get_related when using [impacts, up] with [redundancy: true]
• N°6019 – Increase PHP min version to 7.1.3 to enable dependencies update
• N°5535 – Fix PHP 8.0.x wrongly repported as not supported in iTop 3.0.2+
• N°5490 – PHP 8.0: Fix crash of bulk modify with email notification / email approval request
• N°5216 – Error “Invalid ID given” when sending ActionEmail using cron on a system with french locale
• N°4974 – Avoid session fixation in login

• N°5414 – Log invalid placeholders in Notification
• N°5893 – Log more information when a trigger fails and raises an exception
• N°5897 – Improve deprecated logs relevance for PHP “trigger_deprecation”
• N°5611 – Fix missing composer files in itop-oauth-client
• N°3805 – Fix collectors not working on itop 3.0 in seldom situations

• N°5944 – Fix error on fresh install: APPLICATION_EVENT_METAMODEL_STARTED not registered
• N°5765 – Setup: Never cache folder permissions test response
• N°6016 – Setup : improve missing dependencies log
• N°5235 – Setup : check temp dir permissions
• N°5758 – Change setup test for GDPR consent
• N°5523 – Setup wizard : use the ITOP_APPLICATION constant instead of hardcoded “iTop” string

• N°5543 – Fix Warning on empty case log
• N°5901 – Fix warnings in file system tab
• N°5797 – Use LoadConfig method in all Email children classes
• N°6020 – Decode method for \utils::EscapeHtml
• N°5608 – Reorganize tests folders for better maintenance and contribution
• N°5496 – Add <constants/> in itop-structure
• N°4660 – Fix data synchro unit test failure due to another setting incorrect permissions on iTop conf file

WebHook 1.2.0

• N°5368 – Allow all HTTP methods (not just GET / POST)
• N°5589 – Fix sent request incorrect HTTP method due to new cURL options
• N°5366 – Add “path” attribute in generic “ActionWebhook” for better compatibility with third-party webservices
• N°5796 – Fix typo in ActionWebhook::GetRemoteApplicationConnectionFromActionWebhok()
• N°5774 – De-hardcode webhooks configuration rights
• N°5252 – Added Other/Generic type of Remote Application Connection
• N°5367 – Fix non-string values (boolean, null) converted into empty string
• N°5179 – Add chinese translations (thanks to @bdejin)
• N°5266 – Add dutch translations (thanks to @jbostoen)
• N°5050 – Add spanish translations (thanks to Miguel Turrubiates)
• N°5473 – On JSON format exception, more context log and specific Exception impl (InvalidJsonValueException)

Security

• N°6017 – CVE-2021-46743: Firebase PHP-JWT key/algorithm type confusion
• N°5741 – Deny use of get_config_parameter in Twigs
• N°5725 – Prevent Twig privilege elevation to run system commands
• N°5724 – CVE-2022-31403 : XSS vulnerability via /itop/pages/ajax.render.php
• N°5722 – CVE-2022-31402 : XSS vulnerability via /itop/webservices/export-v2.php
• N°5685 – Upgrade apereo/phpcas lib to fix vulnerability

For developers

• N°3769 – Add missing HTML meta data on attributes in transition forms
• N°4947 – Fix Email always picking “production” env config file
• N°4449 – Console dashboard export : use relative path (full path disclosure)

Quelle: iTop Change Log [iTop Documentation] (itophub.io)