
iTOP ITIL ITSM and CMDB Web Tool: Security and Bugfix Release


The open-source ITIL ITSM and CMDB web application iTop has received update 3.2 as well as hotfix 3.2.0-2. The update not only fixes bugs and closes security vulnerabilities, it also brings several new features and improvements.

iTOP 3.2 Highlights

  • User: the Newsroom has been extended and allows news to be sent to targeted users
  • Back-office users can unsubscribe from notifications themselves
  • CKEditor has been updated; it now looks different and offers more useful options
  • new high-contrast themes and themes adapted for protanopia and deuteranopia
  • Welcome message with targeted user information and functions
  • new search for end users in the User Portal to search for tickets and more
  • for administrators: new access to the data model, improvements to notifications, new options in the Newsroom, asynchronous actions and more
  • for developers there are new events as well as removed ones, and new APIs

Details on the iTOP 3.2 highlights: https://www.itophub.io/wiki/page?id=3_2_0:release:whats_new

iTOP 3.2 Release Notes

For users

  • N°6218 – 1:n & n:n – Read mode: Refresh of tab count on Add/Remove in pop-up
  • N°6303 – Add a search brick on all Tickets of a User Portal
  • N°6555 – Add class description in tooltip of Dashlet badge
  • N°7157 – Allow users to unsubscribe from notification channels
  • N°7379 – Add search criterion to Workorder and 'status' to Contact search
  • N°7391 – Add color blind themes to iTop backoffice
  • N°7392 – Add high contrast theme to iTop backoffice
  • N°7484 – “solution” field of classes Incident and UserRequest is now an HTML field
  • N°7644 – Add Brand logo and Model picture
  • N°3767 – Impact analysis: Display filtering box on CIs list and groups
  • N°4494 – Fix auto-locking on log save and transition, by waiting
  • N°4511 – CKEditor : Fix links made on all the leading text in Firefox
  • N°4631 – Fix a display issue when description field is fullscreen while using vertical tabs
  • N°4894 – Improve AttributeDecimal validation during CSV import
  • N°5136 – Relations: Fix “Select All objects” adding obsolete objects even if “show obsolete data” param. not activated
  • N°5786 – Fix text color in public log and in AttributeHTML
  • N°6152 – Fix criteria & object list loaded twice
  • N°6438 – Fix expensive reloading of each displayed ticket when displaying a ticket list (no more highlight)
  • N°6847 – Position of label in configuration of pdf export
  • N°6861 – Display warning when creating/editing a mandatory blob in modal
  • N°6903 – Fix crash when emptying file attribute (eg. picture of a contact)
  • N°6993 – Fix bulk transition on object containing a null blob
  • N°7023 – Fix check to write error when adding an item on a n:n relation (eg. contact) on a new object (eg. user request) on the end-users portal
  • N°7047 – Fix unwanted Attachment on Unitary requests forms in Global Request management
  • N°7122 – Portal: Hide log off button when user can’t actually log off (eg. SSO using SAML or other providers)
  • N°7163 – Avoid having an empty list when “items per page” set to 0
  • N°7232 – Run query : Clearer message when querying unknown class
  • N°7255 – Fix misc. stylesheets not working in portal since N°7047
  • N°7288 – Fix page crash due to unescaped characters in relations row actions
  • N°7292 – Improve Clear function in ExtKeyWidget
  • N°7302 – SetupUtils::HumanReadableSize : fix units returned
  • N°7313 – Fix bad display of single quotes in charts
  • N°7491 – Fix email-reply trigger not executed in some cases
  • N°938 – Improve print of portal object page and portal dashboard page
  • N°7397 – Update welcome popup content for iTop 3.2

For administrator

  • N°3465 – Fix attachment file name hardcoded to “uploaded-file” when imported from CSV import
  • N°5472 – Notification action : add a last executions tab
  • N°5775 – Allow configuration of OAuth client on MS Azure with single tenant
  • N°6619 – Attachment: changed contact_id from an ExternalField into an ExternalKey
  • N°7194 – Add link to datamodel class schema on object details
  • N°7425 – Add Warning when a user has no contact or no allow org
  • N°7447 – Ease User Dashboard clean-up for iTop administrator
  • N°2039 – Feed Newsroom from an Action
  • N°7298 – Allow each Action to be asynchronous or not
  • N°7533 – Warning at setup if installed on Galera clusters
  • N°1112 – DataSynchro: Replica failing to synchronize says 'Organization' instead of 'undefined' ???
  • N°2572 – Improve error message “Nowhere to go??” with root cause
  • N°2732 – DataSynchro: cap memory peak value to 2Gb before storing it in priv_sync_log field
  • N°3062 – Update SetupCssIntegrityChecklistTest to fail build if setup.css wasn’t recompiled
  • N°3677 – Fix AttributeImage.default_image URLs not up to date after app_root_url change
  • N°3715 – Export above 1000 entries ignore obsolete data from user preference
  • N°4342 – Improve generic bulk deletion function with memory limit handling
  • N°5194 – Enable webhook actions to be asynchronous in order to save response callback value
  • N°5218 – Fix toolkit error on enum since 3.0.0
  • N°6086 – CSV import: Treat first line as a header
  • N°6361 – Change query examples order to highlight the one working on an empty iTop
  • N°6618 – Fix crash due to router’s cache containing an integer instead of an array
  • N°6659 – Ticket: attribute “team_name” now contains the name, “team_email” attribute added.
  • N°6808 – Rank management (order) in iTop actions
  • N°6826 – Fix error on file attribute of DocumentFile class in Designer (No SQL value)
  • N°6852 – Missing configuration 'forgot_password_from'
  • N°6874 – Fix encoding issue in out-going emails
  • N°6887 – Fix excessive OQL requests to display user’s grant matrix
  • N°6889 – MariaDB >= 10.6.1 since iTop 2.7.9 Backup mysqldump call : restore ability to connect on localhost using the socket protocol
  • N°7017 – Fix with a lock the fatal error occurring when rebuilding expression-cache
  • N°7021 – Fix error log and useless compilation time due to SCSS file unnecessary compilation
  • N°7039 – Fix regression: placeholder :current_contact→id not working in OQL in iTop 3.1
  • N°7052 – Fix PHP notices in synchro_import.php (3.0.1 regression) (thanks to Gilbert Breton !)
  • N°7082 – Allow to force asynchronous send of emails
  • N°7085 – Fix infinite loop in login page until fatal error occurs
  • N°7130 – Allows to ignore existing column field in setup’s data migration method
  • N°7212 – PHP 8.1: Migrate remaining usages of strlen() with null value
  • N°7213 – PHP 8.1: Migrate remaining usages of md5() with null value
  • N°7217 – Fix link creation between “Audit Domain” and “Audit category” with an “Audit Manager” profile
  • N°7231 – PHP 8.1: Migrate deprecated usages of rawurlencode() with null value
  • N°7244 – Fix ContextTag init in setup
  • N°7245 – Better log error occurring in RunTimeEnvironment::CallInstallerHandlers
  • N°7312 – Fix JS crash on Windows server when creating a custom version of 'UserRequest Overview' Dashboard
  • N°7336 – Fix warning from \DeprecatedCallsLog::NotifyDeprecatedPhpMethod with PHP 8.3
  • N°7343 – Better error message when compiling a PHP invalid dict file during setup
  • N°7416 – Setup: Add warning for optional PHP extension “APCu”
  • N°7474 – Fix setup crash when the last profile of a user is removed from the datamodel
  • N°7477 – Fix DataSynchro made without administrator profile to create SynchroLog
  • N°7480 – Fix test-red and light-grey css related setup warning
  • N°797 – DataSynchro deletion includes replica cleaning

For iTop designers

  • N°2443 – Fix AttributBoolean doesn’t accept yes/no value
  • N°2909 – Fix search on Enum, Date, TagSet,… with index
  • N°3236 – Fix trackinfo in CMDBChange when using core/update with REST
  • N°3363 – Add three favicons in branding
  • N°4314 – Uniqueness rules can report duplicates that user cannot see due to Silo
  • N°6228 – Prevent removing last user Profil: AttributLinkSet property “with_php_constraint” allows to propagate CheckToWrite() to target object.
  • N°6695 – Allow multilines dict entries in portal tooltips
  • N°6964 – Add API to allow modules to register files to include in the backup
  • N°7067 – Add setting to change the default “password change” URL
  • N°7136 – Portal: Add JS API to enable attachments IDs retrieval in an object form
  • N°7242 – Allow to mention new user IDs in Slack messages
  • N°7243 – Add non blocking feedback/notifications (toasts) API
  • N°7294 – Events when adding or removing an attachment are sent on the object instead of on the attachment
  • N°7310 – New event to conditionally remove transitions on an object
  • N°7345 – Allow to use a DateTime php object on Set() call on an AttributeDateTime
  • N°7410 – Introduce API for Welcome Popup in the backoffice
  • N°5145 – Fix attachments missing in new ticket when clone from an old ticket with object copier
  • N°5170 – Fix case where in a transition DoCheckToWrite returned error
  • N°5547 – Fix object deletion failing when friendlyname was too long
  • N°6543 – Fix display of AttributeText with width parameter
  • N°6643 – Fix \CMDBSource::LogDeadLock generating a TypeError
  • N°6647 – Fix JSON validation only accepting arrays as result + replace params done after validation
  • N°6660 – Fix define_if_not_exists flag not working on class nodes
  • N°6733 – Fix prompting of mandatory AttributeDateTime in transition forms
  • N°6766 – Fix dependent fields not updated due to WizardHelper.UpdateFields() being triggered too early
  • N°6767 – Fix error in ajax request when there’s dict to load and no onready scripts
  • N°6960 – Fix “Unknown class XXX” when clicking on a class external key or n:n linkset
  • N°7008 – Fix missing background tasks in CRON when autoloaded and not in “developer_mode”
  • N°7042 – Fix check to write error when setting a ext. key programmatically on the end-users portal
  • N°7046 – Fix “CAS_ServiceBaseUrl_Static” not found
  • N°7055 – Apply better default value for portal copy object link
  • N°7068 – Add emulation for apc_exists function
  • N°7079 – Fix event not fired when creating/updating a user with profiles
  • N°7133 – Fix linkset displayed as property, failing when OQL filter contains single quote or new line
  • N°7134 – Fix retrieving list of changes when editing URP_UserProfile
  • N°7268 – Fix method SetComputedDate failing on Date only attribute
  • N°7279 – Fix compilation issue with AttributeClass field defined in XML
  • N°7344 – rest.php : better error message when cannot execute OQL query (key param for core/get verb)
  • N°7399 – Remove deprecated Ticket methods from iTop Datamodel
  • N°7417 – Improve logged message when a Root Menu is not a MenuGroup
  • N°7693 – Update Polish translations thanks to @DudekArtur
  • N°7687 – Update German translations thanks to @Attila0428
  • N°7686 – Update Dutch translations thanks to @Hipska
  • N°7652 – Update Italian translations thanks to @DarkNight97boss

Technical changes

  • N°4897 – Add method to improve deprecated PHP API logs (eg. for \iPageUIExtension)
  • N°5298 – Upgrade CKEditor to version 5
  • N°5580 – Audit JS libs and see if they are available on NPM
  • N°5621 – Add not managed JS dependencies to NPM to get updates on vulnerabilities
  • N°5808 – Update symfony version to next Symfony LTS 6.4
  • N°5809 – Update PHP libraries versions
  • N°5810 – Update JS libraries (iTop 3.2)
  • N°6050 – Add compatibility with MariaDB 10.11
  • N°6097 – Enable PHP unit tests on a custom DataModel
  • N°6103 – Remove jQuery Hotkeys plugin
  • N°6558 – Add test to check iTopDesignFormat::$aVersions consistency
  • N°6599 – Update moment.js (known vulnerabilities with high CVSS scores)
  • N°6632 – ItopDataTestCase : replace annotations by setting options in PHP
  • N°6658 – Boost PHPUnit tests execution
  • N°6752 – PHP unit tests: Migrate usages of unitestautoload.php to composer autoloader in the core
  • N°6754 – PHP unit tests: Add local PHPUnit XML files to .gitignore
  • N°6805 – Add reference to classes implementing \iWorkingTimeComputer in the datamodel (meta tag)
  • N°6886 – Add OAuth tests folder to removable directories list
  • N°6937 – Symfony 6.4 – Handle Symfony configuration files
  • N°6967 – Deprecated \cmdbAbstractObject::DBDeleteTracked_Internal
  • N°7044 – Move language attribute from ActionEmail to ActionNotification
  • N°7054 – Rework the UpdateImpactedItems calls on Tickets
  • N°7062 – Add unit test to ensure that setup SCSS is compiled correctly
  • N°7170 – PHP 8.3: Fix usages of get_class() without argument
  • N°7179 – Remove unused code in Action
  • N°7246 – New dict tests on duplicate definitions in same file + translated keys with tildes
  • N°7251 – Deprecate unused JS libs (iTop 3.2)
  • N°7264 – Update unmaintained JS libs to their latest versions (iTop 3.2)
  • N°7297 – Doing npm install removes web.config file and changes package name
  • N°7314 – Add Symfony Response alternative to Webpage::output()
  • N°7315 – Add new predictable API to add JS / CSS files to a \WebPage
  • N°7328 – Deprecate js/jquery.autocomplete.js
  • N°7331 – Add cleanup script for NPM dependencies
  • N°7355 – Update JS libraries managed via NPM (iTop 3.2)
  • N°7407 – Ease iTop installation via unattended CLI by using installation.xml choices
  • N°7494 – Select languages that “highlightjs” supports
  • N°7697 – Add method to rename DB table during setup
  • N°7619 – Restore cascading in object deletion for legacy extensions
  • N°7588 – Fix .env.local not working for the portal since Symfony 5.4 migration
  • N°7146 – Fix style not applied in list in the end-users portal in iTop 3.0+
  • N°7142 – Compiler issue – enum value modification : …DOMNode::removeChild() …
  • N°7131 – Changing the Org of a Person having User with Allowed Orgs, breaks with Synchro LDAP
  • N°7127 – Upgrade handlebars.js to v4.7.8
  • N°7024 – Fix opening an object with abstract class indirect linked set in Portal
  • N°6992 – Fix “add lnk” popup title: replaced class name by its label
  • N°4342 – Improve generic bulk deletion function with memory limit handling
  • N°7410 – Introduce a new welcome popup API

Security

  • N°7423 – Align UserTokens to PersonalToken with allowed contexts
  • N°7075 – Add check for Content Security Policies (CSP) in the setup
  • N°7364 – Full path disclosure when graphviz is not installed
  • N°4368 – iTop pages include security X-Content-Type-Options HTTP header
  • N°6455 – Update JQuery UI from 1.12.1 to 1.13.2 (fixes vulnerabilities)
  • N°6600 – Portal attachment download : whole SQL query displayed on non existing attachment id error
  • N°6777 – Fix XSS vulnerability in dashboard title
  • N°6948 – CVE-2023-46734: Potential XSS vulnerabilities in TWIG CodeExtension filters
  • N°6458 – CVE-2023-45808 Can create objects in non allowed org by forging http query in both Console and Portal
  • N°6560 – CVE-2023-43790 XSS in friendlyname in object details
  • N°6606 – CVE-2023-44396 XSS vulnerabilities in dashlet ajax operations
  • N°6800 – CVE-2023-47626 Fix stored XSS in authent token
  • N°6951 – CVE-2023-48709 Fix CSV injection in Excel from an iTop CSV export file
  • N°6989 – CVE-2023-48710 Limit pages/exec.php script to PHP files
  • N°7124 – Fix Cross-Site Request Forgery (CSRF) in several iTop pages
  • N°7374 – CVE-2024-31448 – Fix XSS vulnerability in link CSV import
  • N°7448 – Forbid user enumeration through Rest API
  • N°7455 – Fix SSRF through arbitrary PHP class instantiation
  • N°7542 – Security hardening: only route if no operation is present.
  • N°7603 – Fix XSS injection in run queries page
  • N°7124 – Applied OWASP recommendations on Ajax calls against CSRF

Localization

  • N°6641 – Update Czech translations (thanks to @Stetinac !)
  • N°6869 – Update Chinese translations for ProfilesMenu thanks to @chileeb
  • N°6954 – Update English translations thanks to @jkoch22
  • N°7077 – iTop Hungarian translations
  • N°7143 – Fix inconsistencies in datamodels/2.x dictionaries
  • N°7247 – Update Italian translations thanks to @DarkNight97boss
  • N°7428 – Fix spelling typo in FR dictionary on lnkxxxToFunctionalCI classes

iTop 3.2.0-2 Hotfix Release Notes

  • N°7801 – Fix erratic behavior on organization filter
  • N°7803 – Fix MTP from iTop Hub and Designer failing with warnings
