Aggregator

1.11.12 Released

1 week 1 day ago
1.11.12 Released Security release No LedgerSMB_Team Tue, 04/09/2024 - 12:06 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.11.12/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.12

* Fix download of attachments to reconciliations (#8088)
* Fix e-mailing of AR aging statements (#8111)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.11.12/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.11.12

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.11.12

Or pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.11.12

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.11.12

These are the sha256 checksums of the uploaded files:

067eaa68e6f8ea924bef5867be81ae254b2bac24943529fe7cffeaa2e8050a6c ledgersmb-1.11.12.tar.gz
c19b2b70fcdc3ebccb096c91c20c3644944143dd7367c4502b248ffd3ce8d1cf ledgersmb-1.11.12.tar.gz.asc

Release 1.11
LedgerSMB_Team

1.10.34 Released

1 week 1 day ago
1.10.34 Released Security release No LedgerSMB_Team Tue, 04/09/2024 - 10:41 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.10.34/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.34

* Fix e-mailing of AR aging statements (#8111)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.34/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.10.34

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.34

Or pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.34

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.10.34

These are the sha256 checksums of the uploaded files:

355ea0dff65a6647e3e2137a1a1fa0018d6b81c1b6d923c6282d6f0d8417e094 ledgersmb-1.10.34.tar.gz
c5e19aee6c7e341f8ca24fa5c40e391cb015af9dfecb809cbe669a09339748b1 ledgersmb-1.10.34.tar.gz.asc

Release 1.10
LedgerSMB_Team

1.11.11 Released

1 month ago
1.11.11 Released Security release No LedgerSMB_Team Fri, 03/15/2024 - 02:05 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.11.11/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.11

* Fix 'not set up for hierarchy reporting' on Entity Account screen (#8065)
* Fix date format presentation misalignment with placeholder (#7983)
* Fix order of comparison periods in PNL and B/S (#7800)
* Fix handling of discounts in invoice API (#8030)
* Restore Hebrew 'nplurals' setting back to 4
* Enable scroll bars on setup(upgrade) data fix screens (#8071)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.11.11/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.11.11

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.11.11

Docker images have been published for ARMv7 (32-bit),
ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.11.11

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.11.11

These are the sha256 checksums of the uploaded files:

90d27fcff2815476a5c1c2e890f9f71c902c44d7279d7f30eee80ce1bfc4c47b ledgersmb-1.11.11.tar.gz
92f4a019079c97e0b679e0147cb9bf07ba5e776535a8dff262a32811e76048db ledgersmb-1.11.11.tar.gz.asc

Release 1.11
LedgerSMB_Team

1.10.33 Released

1 month ago
1.10.33 Released Security release No LedgerSMB_Team Fri, 03/15/2024 - 02:00 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.10.33/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.33

* Enable scroll bars on setup(upgrade) data fix screens (#8071)
* Fix 'not set up for hierarchy reporting' on Entity Account screen (#8056)
* Fix order of period comparisons in PNL and B/S (#7800)
* Fix recurring transactions after setup.pl CSRF mitigation (#8042)
* Revert Hebrew 'nplurals' back to 4

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.33/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.10.33

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.33

Docker images have been published for ARMv7 (32-bit),
ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.33

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.10.33

These are the sha256 checksums of the uploaded files:

20ab27d7f8e55c60cd956cb2366428f74e7c7a3cd2d7fd96b2eefe3f72fe11b2 ledgersmb-1.10.33.tar.gz
c75769b050619102ad965233259ba0d525222736a35be55331e74297a32837ed ledgersmb-1.10.33.tar.gz.asc

Release 1.10
LedgerSMB_Team

1.11.10 Released

2 months ago
1.11.10 Released Security release No LedgerSMB_Team Thu, 02/15/2024 - 13:27 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.11.10/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.10

* Fix upgrades from older Pg versions with the 'cash_impact' view (#7987)
* Fix missing locale parameter creating GL Search report (#7997)
* Fix setup.pl CSRF regressions (#8007, #8000)
* Fix date filters on Cash > Receipt/Payment (#8015)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.11.10/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.11.10

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.11.10

Docker images have been published for ARMv7 (32-bit),
ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.11.10

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.11.10

These are the sha256 checksums of the uploaded files:

5c08194e794a81c81cae4f747860a09457e14331dcd1e48dc8bab991a589ab4d ledgersmb-1.11.10.tar.gz
47578b10d626b81f0dbbdf9c2cc34d2ed839586959a5c33fd8062a05e93e24cf ledgersmb-1.11.10.tar.gz.asc

Release 1.11
LedgerSMB_Team

1.10.32 Released

2 months ago
1.10.32 Released Security release No LedgerSMB_Team Thu, 02/15/2024 - 13:25 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.10.32/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.32

* Fix upgrades from older Pg versions with the 'cash_impact' view (#7987)
* Fix missing locale parameter creating GL Search report (#7997)
* Fix setup.pl CSRF regressions (#8007, #8000)
* Fix date filters on Cash > Receipt/Payment (#8015)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.32/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.10.32

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.32

Docker images have been published for ARMv7 (32-bit),
ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.32

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.10.32

These are the sha256 checksums of the uploaded files:

3695a892e6c9c4257106a03ac287fdf9af94d8d55b6036bf7acf1aa340a1cd18 ledgersmb-1.10.32.tar.gz
45cee80848ff757e885208940eb996bbaa91aa7ab6d05cd5e8cef6491d19a733 ledgersmb-1.10.32.tar.gz.asc

Release 1.10
LedgerSMB_Team

1.11.9 Released

2 months 2 weeks ago
1.11.9 Released Security release Yes LedgerSMB_Team Fri, 02/02/2024 - 10:01 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.11.9/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the fix for CVE-2024-23831, a CSRF attack on
setup.pl.

Changelog for 1.11.9

* Add missing batch and entity sequences to the Defaults screen (#7965)
* Stop warning during startup without configuration file (#7928)
* CVE-2024-23831: CSRF attack on 'setup.pl'

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.11.9/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.11.9

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.11.9

Docker images have been published for ARMv7 (32-bit),
ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.11.9

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.11.9

These are the sha256 checksums of the uploaded files:

5c4ae06702dadd0de3f4e26727fe10ed2086cb932029714a0fdae49553025cab ledgersmb-1.11.9.tar.gz
182f21f0a2f720f2d17e812619b4109f929e3a1d5d88e4b2e459a053472c6237 ledgersmb-1.11.9.tar.gz.asc

Release 1.11
LedgerSMB_Team

1.10.31 Released

2 months 2 weeks ago
1.10.31 Released Security release Yes LedgerSMB_Team Fri, 02/02/2024 - 08:40 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.10.31/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the fix for security vulnerability CVE-2024-23831
which allows an attacker to create a user by tricking a setup.pl admin
into clicking on a specifically crafted link. See more about this CVE
on https://ledgersmb.org/cve-2024-23831-setup-csrf.

Changelog for 1.10.31

* Fix GL transaction entry regressed from 1.10.29 (#7984)

Changelog for 1.10.30
* Add missing batch and entity sequences to the Defaults screen (#7965)
* Stop warning during startup without configuration file (#7928)
* CVE-2024-23831: CSRF attack on 'setup.pl'

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.31/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.10.31

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.31

Docker images have been published for ARMv7 (32-bit),
ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.31

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.10.31

These are the sha256 checksums of the uploaded files:

15920bbe05a6e37ee9f4d7fe408adb587a20ae0e8c052f20df1e2909b4c7bc51 ledgersmb-1.10.31.tar.gz
e03aeecd9087bbc25673bd13ec78962509f3b265886bb0a44949bde311cb06bc ledgersmb-1.10.31.tar.gz.asc

Release 1.10
LedgerSMB_Team

cve-2024-23831 (Cross Site Request Forgery)

2 months 2 weeks ago
cve-2024-23831 (Cross Site Request Forgery) ehu Mon, 01/29/2024 - 12:51 Privilege escalation through CSRF attack on 'setup.pl' Summary

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent.  This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.


Known vulnerable

All of:

- 1.3.0 up to 1.3.47 (including)
- 1.4.0 up to 1.4.42 (including)
- 1.5.0 up to 1.5.30 (including)
- 1.6.0 up to 1.6.33 (including)
- 1.7.0 up to 1.7.32 (including)
- 1.8.0 up to 1.8.31 (including)
- 1.9.0 up to 1.9.30 (including)
- 1.10.0 up to 1.10.29 (including)
- 1.11.0 up to 1.11.8 (including)


Known fixed

- 1.10.30
- 1.11.9


Details

CSRF is an attack that tricks the victim into submitting a malicious request. It
inherits the identity and privileges of the victim to perform an undesired function
on the victim’s behalf [^1].

To successfully perform the attack, an attacker needs to know the name of the database
for which they want to create a user.  That is: in case LedgerSMB is used to maintain
multiple company administrations, multiple attacks need to be performed to gain access
to all of them.  A single attack will gain access to a single company only, however, if
companies share users, the attacker can use those to gain access to the other companies
with the rights of the affected user accounts.

In this specific attack, the victim must be an administrator of /setup.pl with an
active session.  It should be noted that the resulting user does *not* have full
access to /setup.pl, but *does* have full access to /login.pl for a single company.
This means that the resulting user can therefore *not* be used to create database backups,
however the attack itself can be used by the attacker to perform any action supported
by setup.pl.


[^1]: https://owasp.org/www-community/attacks/csrf


Severity

CVSSv3.1 Base Score: 7.5 (HIGH)

CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSSv3.1 Base Score & Vector (with temporal score): 6.7 (MEDIUM)
  CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C


https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1


Recommendations

We recommend all users to upgrade to known-fixed versions.  Versions
prior to 1.10 are end-of-life and will not receive security fixes from
the LedgerSMB project.

Users who cannot upgrade, may apply the included patches or are advised
to contact a vendor for custom support.

As a workaround, installations may choose not to expose and use /setup.pl,
instead using the command line application "ledgersmb-admin" to perform
administrative tasks.  Password resets can be performed with regular
/login.pl functionality or through PostgreSQL's "psql" command line tool.


References


CVE-2024-23831  (LedgerSMB)

https://ledgersmb.org/cve-2024-23831-setup-csrf

https://twelvesec.com/2024/02/02/cve-2024-23831

 

Reported by


Georgios Roumeliotis (TwelveSec [twelvesec.com])

 

Attachments File 1.10-setup-csrf.patch_.txt File 1.11-setup-csrf.patch_.txt Topic Security advisory Release 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11
ehu

1.11.8 Released

3 months ago
1.11.8 Released Security release No LedgerSMB_Team Sat, 01/13/2024 - 13:51 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.11.8/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.8

* Fix changing Taxform checkmark after posting AR/AP transactions (#7894)
* Restore customer/vendor name on PNL drilldown after GL column change (#7895)
* Fix formatting of amounts on AR/AP search results (#7896)
* Fix import of CoA csv with non-empty 'links' field (#7912)
* Explicitly set foreground color on dark backgrounds in blue theme (#7875)
* Fix screens, e.g. contacts, impacted by rename of 'action' parameter (#7918)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.11.8/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.11.8

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.11.8

Docker images have been published for ARMv7 (32-bit),
ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.11.8

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.11.8

These are the sha256 checksums of the uploaded files:

3a89187095ea6909c55d546776c25dacdbf63b980c43832c17031ac6dfea9c37 ledgersmb-1.11.8.tar.gz
d832600caebe88b5dc39d4220e10e25ad912c037d7305d486ffa2e37f0e3d9a6 ledgersmb-1.11.8.tar.gz.asc

Release 1.11
LedgerSMB_Team

1.10.29 Released

3 months ago
1.10.29 Released Security release No LedgerSMB_Team Sat, 01/13/2024 - 13:50 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.10.29/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.29

* Fix formatting of amounts in AR/AP search results (#7896)
* Explicitly set foreground color on dark backgrounds in blue theme (#7875)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.29/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.10.29

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.29

Docker images have been published for ARMv7 (32-bit),
ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.29

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.10.29

These are the sha256 checksums of the uploaded files:

16ea9b92f180fa6be32b9c64e33506322582bfb64352d5cde73675ae91a61ec9 ledgersmb-1.10.29.tar.gz
b179b2468fafdeb3127a440e281c0515788973321f031f89105ce30cfebbbb23 ledgersmb-1.10.29.tar.gz.asc

Release 1.10
LedgerSMB_Team

1.11.7 Released

3 months 2 weeks ago
1.11.7 Released Security release No LedgerSMB_Team Sun, 12/31/2023 - 06:58 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.11.7/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.7

* Fix creating an invoice from an order (#7855)
* Retain partsgroup selection on Update in parts screen (#7848)
* Fix missing columns on trial balance 'Ending' report type (#7870)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.11.7/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.11.7

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.11.7

Docker images have been published for ARMv7 (32-bit, e.g.
Raspberry Pi (RPi) 3 and 400), ARM64 (e.g. RPi 4) and AMD64.
These can be pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.11.7

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.11.7

These are the sha256 checksums of the uploaded files:

d8086fff0340440ff022f455af8ee9486590a6c0b3db2262c4752bd1cc0384c0 ledgersmb-1.11.7.tar.gz
df75cb6e6eb80843bf7c933581e72f28db86343817de743be62b4651b4c6227e ledgersmb-1.11.7.tar.gz.asc

Release 1.11
LedgerSMB_Team

1.10.28 Released

3 months 2 weeks ago
1.10.28 Released Security release No LedgerSMB_Team Sun, 12/31/2023 - 06:12 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.10.28/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.28

* Retain partsgroup selection on Update in parts screen (#7848)
* Fix missing columns on trial balance 'Ending' report type (#7870)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.28/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.10.28

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.28

Docker images have been published for ARMv7 (32-bit, e.g.
Raspberry Pi (RPi) 3 and 400), ARM64 (e.g. RPi 4) and AMD64.
These can be pulled from the GitHub Container Registry:
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.28

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.10.28

These are the sha256 checksums of the uploaded files:

27d784cfb109ade19011297771a3a1143c97e132acc36f60421f2bd2ece646d0 ledgersmb-1.10.28.tar.gz
ccd33e5c7feb59544a4c24754a0c7c764e7eb42b20ef13536e90f9f33749020c ledgersmb-1.10.28.tar.gz.asc

Release 1.10
LedgerSMB_Team