Security advisory (fixed in 1.3.37)

Security Advisory: LedgerSMB < 1.3.37, Improper Logout on Some Browsers

Severity:  Low (CVSSv2 base score: 3.6, total 0.5)
Remotely Exploitable:  No
Complexity of Attack:  High
Prerequisite for Attack:  Physical access to a browser that was previously logged in, which makes the attack high-complexity in most cases.
Attack Vector:  Physical, against the client.
Impact:  Relatively low. The attacker may unexpectedly gain access to LedgerSMB using the credentials of the user who was previously logged in at that browser.


1.3.37 released

LedgerSMB 1.3.37 has been released. This is a significant release with a number of important fixes, including two security fixes (please stay tuned for security advisories on these two usually minor security issues). The two security fixes address client handling of authentication credentials, and the possibility that someone with physical access to the same browser session retains an unexpected amount of access after logout (to a varying degree, depending on the browser). Usually this is not an issue; in a few cases, though, it may be.
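The advisory above and this release note both describe the same failure mode: a logout that relies on the browser forgetting its credential leaves whatever the browser (or a person at that browser) still holds usable afterwards. The following is an added illustration written for this page, not LedgerSMB code, and the advisory does not describe LedgerSMB's actual authentication mechanism; it assumes a generic opaque session token (an assumption) and compares a logout that only asks the browser to drop the token with one the server enforces, for a browser that honours the instruction and for one that keeps the credential cached, the "some browsers" case.

```python
"""Illustration added for this page (not LedgerSMB code): why a logout that only
asks the browser to forget a credential is weaker than one the server enforces.
The advisory does not describe LedgerSMB's actual authentication mechanism, so
this models a generic opaque session token (assumption) held by the browser."""

import secrets

# Constructed demo account; a real deployment would verify a password hash.
DEMO_USER, DEMO_PASSWORD = "alice", "correct horse battery staple"


class Server:
    """In-memory server with a session table keyed by opaque token."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, password):
        """Return a fresh session token, or None on bad credentials."""
        if (user, password) != (DEMO_USER, DEMO_PASSWORD):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def authorize(self, token):
        """Return the user for a live token, or None (the 401 case)."""
        return self._sessions.get(token)

    def logout_client_only(self, token):
        """Weak logout: the session stays valid; the browser is merely asked to drop it."""
        return {"Set-Cookie": "session=; Max-Age=0", "Location": "/login"}

    def logout_server_side(self, token):
        """Strong logout: revoke the session first, then ask the browser to drop it."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0", "Location": "/login"}


class Browser:
    """Minimal client. honours_clear=False models a browser that keeps the
    credential cached after logout, the 'some browsers' case in the advisory."""

    def __init__(self, honours_clear=True):
        self.credential = None
        self.honours_clear = honours_clear

    def receive(self, headers):
        if self.honours_clear and headers.get("Set-Cookie", "").startswith("session=;"):
            self.credential = None


def access_after_logout(logout_name, browser_honours_clear=True):
    """Log in, log out with the named strategy, then check what someone who
    sits down at the same browser afterwards can do.

    Returns (browser_still_holds_credential, replayed_credential_accepted).
    """
    server, browser = Server(), Browser(browser_honours_clear)
    browser.credential = server.login(DEMO_USER, DEMO_PASSWORD)
    captured = browser.credential  # copied from the browser before logout
    browser.receive(getattr(server, logout_name)(browser.credential))
    still_held = browser.credential is not None
    replay_ok = server.authorize(captured) is not None
    return still_held, replay_ok


if __name__ == "__main__":
    for strategy in ("logout_client_only", "logout_server_side"):
        for honours in (True, False):
            print(strategy, "browser honours clear:", honours,
                  "->", access_after_logout(strategy, honours))
```

Only the server-side revocation makes the replayed credential useless in every combination; with the client-only logout, a browser that honours the clear still leaves a previously copied credential valid, and a browser that does not honour it leaves the next person at the keyboard logged in without any copying at all. The practical check for any application is the same: after logout, replay the old credential and expect a 401.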

New Core Committee Members


I would like to take the opportunity to welcome Pongracz Istvan, John Locke, and Herman Vierendeels to the core committee.  They have contributed significantly to the shape of the project over a period of time.

Welcoming more members to the LedgerSMB core committee continues to further our goals of offering a true multi-vendor high quality accounting and ERP product for the open source world.

LedgerSMB 1.3.36 released

The LedgerSMB Core Team is proud to release 1.3.36.

This release corrects a significant issue in printing invoices with manually calculated sales tax. Anyone using 1.3.35, or manually entered sales tax, should update relatively quickly.

LedgerSMB 1.3.35 released


LedgerSMB 1.3.35 has been released.  This release includes a fairly large number of relatively minor fixes, as well as the addition of invoice creation date tracking and a number of fixes for locale-specific requirements.  If you are affected by any of the bugs fixed, you should upgrade immediately.

LedgerSMB 1.3.34 released

The LedgerSMB team has released 1.3.34.  Although this is a bugfix release with some significant fixes in it, it also includes a few minor enhancements, such as the ability to search for drafts and batches without specifying a type.
The complete changelog is as follows:

LedgerSMB 1.3.33 released

LedgerSMB 1.3.33 has been released.  This release corrects a number of minor issues, the most significant being that format_amount() was not working in the check printing workflows.

A fairly large number of other minor bugs were also fixed.  Those who are wondering whether to upgrade probably should do so, as the issues fixed are all relatively minor.  The complete changelog is below.

LedgerSMB 1.3.32 released

LedgerSMB 1.3.32 has been released.  This release adds overlooked functionality, and corrects a number of minor to moderate problems with previous releases.  Those who are running 1.3.31 should upgrade sooner rather than later.  Others should upgrade after reviewing the 1.3.31 inventory changes.

LedgerSMB 1.3.31 released, significant inventory changes

LedgerSMB 1.3.31 has been released and includes a rather deep fix to our on-hand numbers. We recommend that anyone who is shipping or receiving inventory upgrade when able, and direct any questions or concerns about the upgrade process to us.

LedgerSMB 1.3.30 released

LedgerSMB 1.3.30 has been released. This release includes a number of additional CSS hooks, some fixes to database-level interfaces for re-opening books, and a number of other minor changes. Unless you have specific need for any of the fixes, this is a fairly minor release and is not normally required as an upgrade. The complete changelog is below.

Best wishes,
Chris Travers

