Aggregator

1.9.2 Released

Posted by LedgerSMB_Team, Tue, 10/12/2021 - 13:53. Security release: No. Release candidate: No. Download: https://download.ledgersmb.org/f/Releases/1.9.2/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.9.2

* Fix sending mail with multiple Bcc addresses (#6087)
* Fix manual taxes on credit invoices (#5721)
* Add missing account configuration on Sales account (#6100)
* Fix Update clobbering invoice header data (e.g. fx rate) (#6114)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.2/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.2

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.2

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.2

These are the sha256 checksums of the uploaded files:

73a5006669cbb177c732602ecbf9f85c3b11d8171eeecebcc0cf933eca9f7c02 ledgersmb-1.9.2.tar.gz
50c09dd7652d6054189e82d5e1f37b4b1bca19467f7a14fc54a68ff80dcb7deb ledgersmb-1.9.2.tar.gz.asc


1.8.22 Released

Posted by LedgerSMB_Team, Tue, 10/12/2021 - 13:36. Security release: No. Release candidate: No. Download: https://download.ledgersmb.org/f/Releases/1.8.22/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.22

* Fix sending mail with multiple Bcc addresses (#6087)
* Fix manual taxes on credit invoices (#5721)
* Fix 'Secure' flag on session cookie; CVE-2021-3882
* Improve configuring acceptable reverse proxy addresses

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.22/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.22

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.22

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.22

These are the sha256 checksums of the uploaded files:

583f56c2d303eeb133222467d368a58b5e66ee080040335d3608dfc672aa7316 ledgersmb-1.8.22.tar.gz
15affde0f85b03dd9a1784304958a030fa9b5009df800e093f443bce55c541a0 ledgersmb-1.8.22.tar.gz.asc


1.7.36 Released

Posted by LedgerSMB_Team, Tue, 10/12/2021 - 12:54. Security release: No. Release candidate: No. Download: https://download.ledgersmb.org/f/Releases/1.7.36/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.7.36

* Fix manual taxes on credit invoices (#5721)
* Improve configuring acceptable reverse proxy addresses

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.36/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.36

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.36

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.36

These are the sha256 checksums of the uploaded files:

8c638acc822a43a1ec66268f08c961f5b392b6fadd6069eb6c2462e5b2ce9030 ledgersmb-1.7.36.tar.gz
d85b50e090e99f5917c6d834cb8d54360d56af9dff8b05b4ffff3d4cf9984ccb ledgersmb-1.7.36.tar.gz.asc


Security advisory for CVE-2021-3882 (non-Secure session cookie)

Posted by ehu, Tue, 10/12/2021 - 11:41

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Summary

  LedgerSMB does not set the 'Secure' attribute on the session authorization
  cookie when the client uses HTTPS and the LedgerSMB server is behind a
  reverse proxy.  By tricking a user to use an unencrypted connection (HTTP),
  an attacker may be able to obtain the authentication data by capturing
  network traffic.


Known vulnerable

  All of:

  - 1.8.0 up to and including 1.8.21


Known fixed

  - 1.8.22


Details

  LedgerSMB 1.8 and newer switched from Basic authentication to cookie
  authentication with encrypted cookies.  Although an attacker can't access
  the information inside the cookie, nor the user's password, possession
  of the cookie is enough to access the application as the user from whom the
  cookie was obtained.

  In order for the attacker to obtain the cookie, first of all the server
  must be configured to respond to unencrypted requests, the attacker must be
  suitably positioned to eavesdrop on the network traffic between the client
  and the server *and* the user must be tricked into using unencrypted HTTP
  traffic.

  Proper audit controls and separation of duties limit the integrity impact of
  this attack vector.


Severity

  CVSSv3.1 Base Score: 5.9 (Medium)

  CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N


Recommendations

  Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users
  of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need
  to take action.

  As a workaround, users may configure their Apache or Nginx reverse proxy
  to add the Secure attribute at the network boundary instead of relying on
  LedgerSMB.

  For Apache, please refer to the 'Header always edit' directive in the
  mod_headers module.
  For Nginx, please refer to the 'proxy_cookie_flags' directive.
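
As an added example (not code from the advisory or from the LedgerSMB project), the following POSIX shell script audits a response's Set-Cookie headers for a missing Secure attribute and shows the rewrite that the proxy-side workaround performs at the network boundary; the cookie names and values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the LedgerSMB advisory: audit the Set-Cookie
# headers that a reverse proxy returns to the browser, and show the rewrite
# that the proxy-side workaround (Apache 'Header always edit', nginx
# 'proxy_cookie_flags') performs.  Input is a raw HTTP response header block,
# e.g. what `curl -sI https://your_host.example.com/login.pl` prints.

# insecure_cookies < HEADERS
# Print each Set-Cookie header that lacks a Secure attribute.  Header names
# and attribute names are matched case-insensitively (both are
# case-insensitive in HTTP); a trailing CR from CRLF line endings is tolerated.
insecure_cookies() {
    awk 'tolower($0) ~ /^set-cookie:/ &&
         tolower($0) !~ /;[ \t]*secure[ \t]*(;|\r?$)/'
}

# check_cookie_flags < HEADERS
# Return 0 when every Set-Cookie header carries Secure, 1 otherwise.
check_cookie_flags() {
    if insecure_cookies | grep -q .; then
        return 1
    fi
    return 0
}

# add_secure_flag < HEADERS
# Append "; Secure" to every Set-Cookie header that lacks it and leave all
# other headers untouched.  This is the transformation the proxy workaround
# applies so that the browser never sends the session cookie over plain HTTP.
add_secure_flag() {
    awk '
        tolower($0) ~ /^set-cookie:/ && tolower($0) !~ /;[ \t]*secure[ \t]*(;|\r?$)/ {
            sub(/[ \t\r]*$/, "")          # drop trailing whitespace and CR
            $0 = $0 "; Secure"
        }
        { print }'
}

# Constructed sample (placeholder cookie names and values): the header block
# a proxied, unpatched 1.8.x install would return over HTTPS.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: ledgersmb_session=PLACEHOLDER; Path=/; HttpOnly
Set-Cookie: other=PLACEHOLDER; Path=/; Secure; HttpOnly'

if printf '%s\n' "$SAMPLE_BEFORE" | check_cookie_flags; then
    echo "OK: every cookie carries Secure"
else
    echo "WARNING: cookies without Secure:"
    printf '%s\n' "$SAMPLE_BEFORE" | insecure_cookies
    echo "after proxy rewrite:"
    printf '%s\n' "$SAMPLE_BEFORE" | add_secure_flag | grep -i '^set-cookie:'
fi
```

Against your own deployment, pipe the output of `curl -sI` for the login page into check_cookie_flags after applying the workaround to confirm the proxy rewrite is in effect.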


References

  CVE-2021-3882  (LedgerSMB)

  https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie

  https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d/

 

Reported by

  0xdhinu, user of the huntr.dev platform

Attachment: CVE-2021-3882.patch_.txt
Topic: Security advisory. Release 1.8

1.9.1 Released

Posted by LedgerSMB_Team, Fri, 10/01/2021 - 04:39. Security release: No. Release candidate: No. Download: https://download.ledgersmb.org/f/Releases/1.9.1/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. Through
a week of outstanding teamwork, we're able to bring 15 fixes and
small changes (not all fixes for regressions) in this release.
This release contains the following fixes and improvements:

Changelog for 1.9.1

* Fix license declaration in package.json (gpl-v2.0-or-newer)
* Fix scrollbars in the main window overlapping with real content (#5874)
* Fix 'setup.pl' to work with Safari for creation of new data sets (#6016)
* Fix no payment lines shown after saving invoices and transactions (#6017)
* Fix e-mailed invoices not being sent to Bcc addresses
* Add support for workflow overrides
* Add a list of available e-mail variables for expansion
* Restore e-mail body variable expansion (#6042)
* Add example Chart of Accounts with hierarchy (US General based) (#6057)
* Fix SQL date errors using date formats other than yyyy-mm-dd (#6040)
* Fix default to/cc/bcc addresses not applied to e-mail (#6045)
* Correctly present password expiration in preferences (#6067)
* Fix initialization of 'current earnings' setting from CoA XML
* Correctly select the default country on Contact address entry (#6058)
* Correctly set parent of CoA headers when loading from XML (#6068)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.1/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.1

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.1

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.1

These are the sha256 checksums of the uploaded files:

a705e14658c1729e73478626fee3b7bda123e963d95b506d6a2d6ef1ac926822 ledgersmb-1.9.1.tar.gz
5873f92712243977b5ec50f44560ea89a332c618294d062e14ba888c9b73bec0 ledgersmb-1.9.1.tar.gz.asc


1.9.0 Released

Posted by LedgerSMB_Team, Fri, 09/24/2021 - 23:55. Security release: No. Release candidate: No. Download: https://download.ledgersmb.org/f/Releases/1.9.0/

The LedgerSMB development team is happy to announce the first
release of a new release branch: 1.9.0. This series features
a wide variety of new features, improvements, bug fixes and
cleanup. To name a few:

* Emailed documents are added to the database as attachments
* Orders and invoices show change history
* Command line application for administrative tasks (bin/ledgersmb-admin)
* Faster HTML response generation (optimized HTML preprocessing)
* Report filters and account settings hide GIFI when not configured
* Configuration setting 'Only Timeout Locks' removed
* Clicking 'Update' no longer clobbers saved invoices and transactions
* Fixed mailing of aging reports (regression since 1.3.42)
* Optimize balance sheet report (use balance snapshots from period closing)
* Reformat UI HTML templates & HTML5 upgrade (from 4.01 Transitional)
* Code cleanup reducing the number of warnings in the server logs
* JavaScript now built using WebPack (no longer using Dojo's build only)
* Removal of licence-incompatible code in utils/lib/
* Performance tuning of UI template handling code

For the full changelog see https://github.com/ledgersmb/LedgerSMB/blob/1.9/Changelog

For a more in-depth coverage of notable changes in this release, please consult the
release notes at https://ledgersmb.org/content/19-release-notes

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.0/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.0

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.0

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.0

These are the sha256 checksums of the uploaded files:

7892ceab986c80ccaf4d5722096c21bac2ff9cfdfc240e9681326fb033c50b11 ledgersmb-1.9.0.tar.gz
6d9985c146bb992ba97c3b5bb31e37dbc47204d7011f84dc21c81abb9ed98498 ledgersmb-1.9.0.tar.gz.asc


1.8.21 Released

Posted by LedgerSMB_Team, Sat, 09/18/2021 - 14:12. Security release: No. Release candidate: No. Download: https://download.ledgersmb.org/f/Releases/1.8.21/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.21

* Prevent draft approval by user without permission (#5984)
* Fix UI consistency (missing CSS class) in purchase invoice (#5988)
* Fix performance problem deleting huge draft transactions (#5993)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.21/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.21

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.21

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.21

These are the sha256 checksums of the uploaded files:

d75d9d4dfbc4dadf02f0a25d3c64a22c348802ca3d926a8c550af4d705d90027 ledgersmb-1.8.21.tar.gz
6659d193b4922d6c11b8c09162484e15bd019e502aebc29faf4942809a997679 ledgersmb-1.8.21.tar.gz.asc


1.8.20 Released

Posted by LedgerSMB_Team, Fri, 09/03/2021 - 11:32. Security release: No. Release candidate: No. Download: https://download.ledgersmb.org/f/Releases/1.8.20/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.20

* Fix for chart of accounts headings import from CSV (#5987)
* Correctly set the payment account in invoices and transactions (#5801)
* Fix regression in CVE-2021-3693 failing to show errors as popups (#5921)
* Fix regression in CVE-2021-3693 with broken downloads of backups (#5931)

In addition to the above, it should be noted that the Docker images
have been built with a new build procedure which provides better mapping
of Perl dependencies to Debian packages. Due to this change, dependencies
will be updated automatically. Should there be any issues with the images
despite this improvement, please report to the GitHub issue tracker for the
Docker images at: https://github.com/ledgersmb/ledgersmb-docker/issues

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.20/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.20

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.20

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.20

These are the sha256 checksums of the uploaded files:

fd9c6dd36e656df592a2a241d1d3c1296e9fc45eb94610beccf5e0eab7db6541 ledgersmb-1.8.20.tar.gz
870128cf20b30f3b17d6d57ccbebd1769190ad72994ad28cd69e869b807d717e ledgersmb-1.8.20.tar.gz.asc


1.7.35 Released

Posted by LedgerSMB_Team, Fri, 09/03/2021 - 11:30. Security release: No. Release candidate: No. Download: https://download.ledgersmb.org/f/Releases/1.7.35/

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.7.35

* Fix for chart of accounts headings import from CSV (#5987)
* Correctly set the payment account in invoices and transactions (#5801)
* Fix regression in CVE-2021-3693 failing to show errors as popups (#5921)
* Fix regression in CVE-2021-3693 with broken downloads of backups (#5931)

In addition to the above, it should be noted that the Docker images
have been built with a new build procedure which provides better mapping
of Perl dependencies to Debian packages. Due to this change, dependencies
will be updated automatically. Should there be any issues with the images
despite this improvement, please report to the GitHub issue tracker for the
Docker images at: https://github.com/ledgersmb/ledgersmb-docker/issues

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.35/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.35

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.35

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.35

These are the sha256 checksums of the uploaded files:

ea291741c44c228b8a07e0bd738ada754457af5d9bee861e54057a42a5cd4512 ledgersmb-1.7.35.tar.gz
78e49149a015ac311d75367d88f23083da9648619f976bc17d3acbf165d8e5ce ledgersmb-1.7.35.tar.gz.asc


Upgrade to LedgerSMB 1.9

Overview

Company database upgrades are supported all the way back from 1.4 directly to 1.9, using the 1.9 software. Company database upgrades from 1.3 and 1.2 are also supported, but due to the different nature of the upgrade process they are called "migrations". The important difference is that a migration creates a copy of the data in the 1.9 structure, while an upgrade adjusts the existing structure for 1.9. When upgrading from versions earlier than 1.8, please read the release notes and upgrade instructions of all the intermediate versions: these still apply but are not repeated here.

Before starting, please remember:

  • Create a backup
  • Don't do this when you're in a hurry
  • When running into problems, check out the "Support" page

Technical upgrade

Upgrading the software works the same as with prior versions; the procedure to upgrade a tarball installation for 1.7 also applies to the 1.9 upgrade. Be sure to install the new and updated Perl module dependencies listed in the Changelog. Also note that the Docker image definition contains a comprehensive list of Debian Buster package dependencies.

Especially note that the minimum versions for Perl and PostgreSQL have been updated. The minimum required Perl version is now 5.24 and the minimum required PostgreSQL version is now 10. (If you run Docker images, the Perl dependency is taken care of for you. The PostgreSQL dependency needs your attention.)

Prior versions of LedgerSMB run fine against PostgreSQL 10 and later, so there is no reason to combine the 1.9 upgrade with the upgrade of PostgreSQL: you can upgrade to PostgreSQL 10+ before upgrading LedgerSMB to 1.9.

Docker Compose upgrade

The docker compose infrastructure for all versions prior to 1.9 used PostgreSQL 9.6. Since 1.9 requires at least PostgreSQL 10, the docker compose infrastructure has been upgraded to use PostgreSQL 12. Unfortunately, the docker container does not upgrade the database itself, meaning you'll need to export your PostgreSQL databases using pg_dumpall and restore them into the new database using psql as per the example.

(More comprehensive upgrade instructions are solicited; i.e. "help wanted".)

Company database upgrade

Technically, this process hasn't changed since 1.7 and the instructions for 1.7 still apply.

Each new LedgerSMB release has tightened the checks on validity of the data stored in the database. 1.9 continues on that path and adds yet more checks - this helps us find bugs and prevents undesirable data entering into the ledger. During the upgrade, existing data is checked against these new quality criteria and optionally offered for correction (or deletion, depending on the type of inconsistency).

Before you begin
  • Verify that all Reconciliation Reports have been either approved or deleted
    If you forget this step, the migration will offer to delete it for you; approval isn't supported during migration. Note that this does not refer to transactions; unapproved transactions can safely exist during upgrade.
  • Create a backup
  • Tell users not to use your system during upgrade

After the upgrade

Posted by ehu, Sat, 08/28/2021 - 07:51. Topic: Upgrade, Installation. Release 1.9

Installing LedgerSMB 1.9

Installation from tarballs

This page contains the comprehensive version of the installation instructions for LedgerSMB 1.8 targeting a production installation from release tarballs and deals with these steps:

  • Installing the LedgerSMB Perl module dependencies
  • Configuring the PostgreSQL server
  • Configuring a webserver
  • Configuring LedgerSMB

If you already have all of the above, please proceed to the "Preparing for first use" guide.

These are not the Quick start instructions, but instructions for setting up a full production system. Also, please note that if you're in a position to use LedgerSMB's Docker images, or packages for your Unix/Linux distribution, using those will be far quicker and easier than following the instructions below.

Please note that installation of version 1.5 and up is completely different from the installation of versions 1.4 or earlier: This version uses Plack to handle integration with front-end web servers. This means LedgerSMB can now be run in combination with many web servers, including (but not limited to):

It's no longer possible to run LedgerSMB as a set of CGI scripts. This should not be a big concern, since Plack allows plugging LedgerSMB into Apache using mod_fcgid, mod_fastcgi or mod_proxy, all of which have been available for Apache versions 2.0 and up.

Feel free to log in and share your experiences in the comments at the end of the article.

System requirements

Requirements are documented on the system requirements page.

Client

There are no specific requirements for LedgerSMB clients (web browsers) other than that they should have JavaScript enabled and be able to run Dojo 1.16.

A broad range of browsers is supported (Chrome, Firefox, Opera, ...), including Microsoft Internet Explorer (10 or newer) and Microsoft Edge.

Browsers explicitly not supported are:

  • Lynx
  • w3m
  • IE9 or earlier

Unpacking the release tarball

According to the Filesystem Hierarchy Standard, both /usr/local/ledgersmb and /opt/ledgersmb could be chosen as install locations. Unpack the tarball by running (as "root" user):

# tar xf ledgersmb-1.8.x.tar.gz --directory /usr/local/

Installing the LedgerSMB Perl module dependencies

Please note that some distributions (e.g. Fedora) do not by default install all core modules, but rather, install a subset. LedgerSMB doesn't list core modules as dependencies as they should be available.

The instructions below assume all dependencies will be installed from CPAN. It is however possible to install most modules from distribution repositories. The Docker image can be consulted for an example.

# Installation of LedgerSMB Perl dependencies from CPAN
cpanm --quiet --notest --with-feature=starman --installdeps /usr/local/ledgersmb/

Then, there are a number of features which need additional modules.
The above command includes the Starman Feature which is required for most installations.
The modules required for each feature can be installed by appending "--with-feature=" to the above command line.

These features are supported:

  • latex-pdf-ps: Enable PDF and PostScript output.
    Note: In order to make use of this functionality, the server must also have 'latex' or 'xelatex' installed. On many distributions, these packages are called 'texlive-latex' and 'texlive-tetex' respectively.
  • latex-pdf-images: Image size detection for PDF output
  • starman: Starman Perl/PSGI (standalone) web server
  • openoffice: OpenOffice.org document output
  • edi: (EXPERIMENTAL) X12 EDI support

# Installation of LedgerSMB Perl dependencies directly from CPAN
# With Starman and PDF & Postscript output

cpanm --quiet --notest --with-feature=starman --with-feature=latex-pdf-ps \
--installdeps /usr/local/ledgersmb/

Configuring the PostgreSQL server

There are only two requirements for the PostgreSQL database server. This section explains how to configure a pre-installed PostgreSQL installation to meet those requirements. It's assumed that the LedgerSMB server and PostgreSQL are being run on the same system. The requirements to meet are:

  1. A database administrator user (in PostgreSQL called a 'role') for creation and administration of LedgerSMB company databases
  2. Authorization setup so the database administrator can log into the database through LedgerSMB's 'setup.pl' program

Creating the company database administrator account

The database administrator user account needs to have at the bare minimum:

  • The right to create databases (CREATEDB)
  • The right to create roles (CREATEROLE)
  • The right to log in (LOGIN)
  • A password to authenticate logins

The following command, issued as root user, creates a user named "lsmb_dbadmin" (which isn't a super user):

# su - postgres -c 'createuser -S -d -r -l -P lsmb_dbadmin'
Enter password for new role: ************
Enter it again: ************

Configuring database access rights

PostgreSQL takes its access configuration through a file called 'pg_hba.conf'. The location of this file may differ per distribution:

  • Debian derivatives: /etc/postgresql///pg_hba.conf
  • RedHat derivatives: /var/lib/pgsql//data/pg_hba.conf

On most systems, this file has four effective lines:

local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            peer
host    all             all             ::1/128                 peer

These lines mean that each system user can connect to the database system with an equally named database user; the connecting source doesn't make a difference: unix and TCP/IP sockets have the same configuration.

The LedgerSMB software needs to be able to connect to the database system as 'lsmb_dbadmin' or as a LedgerSMB user, not as the user that runs the server process. The new content should look like:

local   all                            postgres                         peer
local   all                            all                              peer
host    all                            postgres        127.0.0.1/32     reject
host    all                            postgres        ::1/128          reject
host    postgres,template0,template1   lsmb_dbadmin    127.0.0.1/32     md5
host    postgres,template0,template1   lsmb_dbadmin    ::1/128          md5
host    postgres,template0,template1   all             127.0.0.1/32     reject
host    postgres,template0,template1   all             ::1/128          reject
host    all                            all             127.0.0.1/32     md5
host    all                            all             ::1/128          md5

This configuration takes advantage of the fact that each connection method (unix sockets vs TCP/IP sockets/addresses) can be separately configured. While the default connection method of the 'psql' tool is to connect over the 'local' (unix socket method), the default connection method for LedgerSMB is to use 'localhost' (127.0.0.1/32 or ::1/128).

The above configuration means that the user 'postgres' can't be used any longer to connect from 'localhost', no user can connect to the 'postgres' database through 'localhost' [reject] and all other combinations of users and database names need password authentication [md5].

Notes:

  1. PostgreSQL matches the lines first to last and uses the first matching line, so the order of the lines is very important.
  2. For more information about the pg_hba.conf configuration options, see the PostgreSQL pg_hba.conf documentation.
  3. The databases 'template1' and 'template0' are system databases available in every cluster; this configuration blocks those for access from LedgerSMB as well.
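
As an added example (not part of the LedgerSMB documentation), the following shell script models PostgreSQL's first-match rule over the pg_hba.conf content above, so the effect of each line, and of their order, can be checked before the server is restarted; it is a deliberately simplified matcher that only handles the line types used here, and 'lsmb_company', 'someone' and 192.0.2.10 are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the LedgerSMB documentation: a simplified model
# of PostgreSQL's pg_hba.conf first-match rule, used to check what the
# configuration above does before the server is restarted.  Only what this
# page uses is modelled: "local" and "host" lines, "all" and comma-separated
# database/user lists, and single-address masks (/32 and /128).

# hba_method TYPE DATABASE USER [ADDRESS]  < pg_hba.conf
# Prints the auth method of the first line that matches (PostgreSQL stops at
# the first match, even when a later line would match too), or "no-match"
# when no line matches (PostgreSQL then refuses the connection).
hba_method() {
    awk -v t="$1" -v d="$2" -v u="$3" -v a="${4:-}" '
        function in_list(list, item,    n, i, parts) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] == "all" || parts[i] == item) return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        $1 != t        { next }                      # local vs host
        !in_list($2, d) || !in_list($3, u) { next }  # database / user field
        t == "local"   { found = 1; print $4; exit } # local: METHOD is $4
        {                                            # host: ADDR/MASK METHOD
            split($4, cidr, "/")
            if (cidr[1] == a && (cidr[2] == "32" || cidr[2] == "128")) {
                found = 1; print $5; exit
            }
        }
        END { if (!found) print "no-match" }'
}

# The pg_hba.conf content recommended above, embedded as an inline sample.
PG_HBA='local   all   postgres   peer
local   all   all   peer
host    all   postgres   127.0.0.1/32   reject
host    all   postgres   ::1/128        reject
host    postgres,template0,template1   lsmb_dbadmin   127.0.0.1/32   md5
host    postgres,template0,template1   lsmb_dbadmin   ::1/128        md5
host    postgres,template0,template1   all            127.0.0.1/32   reject
host    postgres,template0,template1   all            ::1/128        reject
host    all   all   127.0.0.1/32   md5
host    all   all   ::1/128        md5'

# The same rules with the two catch-all md5 lines moved to the top (note 1
# above): the more specific reject lines below them can never match.
PG_HBA_BAD_ORDER=$( { printf '%s\n' "$PG_HBA" | sed -n '9,10p'
                      printf '%s\n' "$PG_HBA" | sed -n '1,8p'; } )

# probe CONFIG TYPE DATABASE USER [ADDRESS]: print one labelled result line.
probe() {
    cfg=$1; shift
    printf '%-5s %-13s %-13s %-10s -> %s\n' "$1" "$2" "$3" "${4:-}" \
        "$(printf '%s\n' "$cfg" | hba_method "$@")"
}

# "lsmb_company", "someone" and 192.0.2.10 are constructed sample values.
probe "$PG_HBA" local lsmb_company postgres                   # peer
probe "$PG_HBA" host  lsmb_company lsmb_dbadmin 127.0.0.1     # md5
probe "$PG_HBA" host  postgres     lsmb_dbadmin 127.0.0.1     # md5 (setup.pl)
probe "$PG_HBA" host  template1    someone      127.0.0.1     # reject
probe "$PG_HBA" host  lsmb_company postgres     127.0.0.1     # reject
probe "$PG_HBA" host  lsmb_company lsmb_dbadmin 192.0.2.10    # no-match
probe "$PG_HBA_BAD_ORDER" host postgres postgres 127.0.0.1    # md5, not reject
```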

After reconfiguring pg_hba.conf, the PostgreSQL service needs to be restarted. This works with one of the following commands (depending on your distribution):

# restart the postgresql service (as root)
$ service postgresql restart
# - or -:
$ service postgresql- restart

Verifying database access

To verify access for the database admin user 'lsmb_dbadmin', an accessible database - not named 'postgres', 'template0' or 'template1' - is required. On new installs, these are the only databases. So the next example creates one. Here's how to verify the setup:

# Verify access configuration (run as root)
$ su - postgres -c 'createdb lsmb_access_test_db'
$ psql -h localhost -U lsmb_dbadmin -d lsmb_access_test_db -c "select version()"
PostgreSQL 9.6.3 <--- this line indicates success ("9.6.3" is just an example version number)
$ su - postgres -c 'dropdb lsmb_access_test_db'

Configuring a web server

Regardless of your web server setup, configuration of an "application server" is required. The application server used with LedgerSMB can be any PSGI compatible server. The default application server is Starman, which is widely considered the fastest available. The Starman server process lives behind a reverse proxy. While Starman deals specifically with those HTTP requests which require "application logic", all other requests (mostly static content, such as images or CSS) are dealt with by the proxy.

Configuring the Starman application server

Depending on the distribution, a startup method must be installed; this can be one of:

  • SysV init script
  • Upstart configuration
  • Systemd configuration

At the time of writing, the only configuration that comes with LedgerSMB's tarball is the systemd configuration. The following common setup is required regardless of the system used to manage services on the target system.

To support privilege separation, the Starman server should be running as a user which meets these criteria:

  • Not the same user as the web server
  • Does not have write access to the LedgerSMB directories

To that extent, identify an existing (unused) system user, or create one with this command:

# create 'ledgersmb' user for Starman server to run
$ useradd -d /non-existent -r -U -c "LedgerSMB/Starman service system user" ledgersmb

Configuring systemd for Starman

In the directory conf/systemd/ from the tarball, there is a preconfigured systemd service file, which needs to be copied into place. In case you decided to install dependencies into a local::lib, the service file needs to be edited to set a PERL5LIB environment variable before you can successfully start the service.

# 'copy' systemd service configuration, enable and start
$ sed -e "s#WORKING_DIR#$PWD#" conf/systemd/ledgersmb_starman.service \
| sudo tee /etc/systemd/system/ledgersmb-starman.service
$ systemctl enable ledgersmb-starman
$ service ledgersmb-starman start

Note that the above assumes that the commands are being run from the root of the unpacked tarball. It also assumes that the tarball has been unpacked at its installation path.

To verify that the service started up correctly, run:

# verify that the Starman/LedgerSMB server started correctly
$ journalctl -u ledgersmb-starman.service --since="today" -l -e

Configuring a reverse proxy

For a quick test-run or demo setup running on localhost only, configuration of a proxy isn't mandatory. However, for a production setup with LedgerSMB being network or even web-exposed, it's ill-advised to run without the reverse proxy for - at least - the following reasons:

  • The proxy can serve static content [much] more efficiently (performance)
  • The proxy can support HTTP/2 which multiplexes requests (performance)
  • The proxy guards Starman against public exposure (security)
  • The proxy adds TLS (security)

With TLS certificates being completely free these days through Let's Encrypt, and only a few dollars for the simplest of certificates from commercial vendors, there's really no reason not to secure traffic to the server. Further documentation below assumes you have such a certificate. As for getting Let's Encrypt certificates, use their Getting Started guide.

For simplicity, only the configuration of nginx as a reverse proxy is documented here.

Configuring nginx

The tarball contains an example virtual host configuration file to set up a reverse proxy with nginx. It needs to be included in the 'http { }' block in your nginx configuration. On Debian derived systems, this is done by copying the file to /etc/nginx/sites-available/ledgersmb.conf. On RedHat/Fedora derivatives, the file is copied to /etc/nginx/conf.d/ledgersmb.conf. Then edit the file, replacing the following variables:

  • Same replacement as before
  • SSL_CERT_FILE
    Should be where your certificate file is stored; probably /etc/certs/your_host.example.com.pem
  • SSL_KEY_FILE
    Probably the same as the SSL_CERT_FILE, but with '.key' extension
  • YOUR_SERVER_NAME
    If nothing else, should be replaced by the output of the command 'hostname -f'

NOTE: by default snakeoil certificates will be used by at least our nginx sample config files.
These certificates are locally created and will normally require your browser clients to override something before they can be used.

On Debian derivatives, activate this file after it has been edited, using:

# On Debian/Ubuntu/Mint activate the virtual host
$ ln -s /etc/nginx/sites-available/ledgersmb.conf /etc/nginx/sites-enabled/

On RedHat/Fedora derivatives, no symlinking is necessary: the configuration is active immediately. Now, verify that the configuration is acceptable:

# (Re)start nginx service to make nginx reconfigure itself and validate configuration
$ service nginx restart
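A complete virtual host along the lines described above, written here as an added example; it is not the sample file shipped in the tarball (which also serves the static files, a part omitted here). It assumes Starman listens on 127.0.0.1:5762, the certificate and key live under /etc/certs/, the host name is your_host.example.com, and 192.0.2.0/24 is a placeholder for the network your administrators work from. The anti-framing and HSTS headers are hardening added in this example, not something the installation instructions require.

```nginx
# Added example virtual host for LedgerSMB behind nginx (not the project's sample file).
# Assumptions: Starman on 127.0.0.1:5762, certs in /etc/certs/, host your_host.example.com.

server {
    listen 80;
    listen [::]:80;
    server_name your_host.example.com;
    # Never serve the application over plain HTTP; send everything to TLS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your_host.example.com;

    ssl_certificate     /etc/certs/your_host.example.com.pem;
    ssl_certificate_key /etc/certs/your_host.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    # Server-level headers and proxy settings are inherited by every location
    # below that does not define add_header / proxy_set_header of its own.
    # HSTS: only enable once TLS is confirmed working for all clients.
    add_header Strict-Transport-Security "max-age=63072000" always;
    # Refuse to be framed by other origins (clickjacking defence in depth,
    # independent of whatever the application itself sends).
    add_header Content-Security-Policy "frame-ancestors 'none'" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;

    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;

    # Optional: the database-admin entry point takes superuser credentials, so
    # only let it be reached from the management network (placeholder range).
    location = /setup.pl {
        allow 192.0.2.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:5762;
    }

    location / {
        proxy_pass http://127.0.0.1:5762;
    }
}
```

Run 'sudo nginx -t' before restarting so that a typo does not take the proxy down, and confirm that Starman is bound to 127.0.0.1 only (for example with 'ss -ltnp | grep 5762'): the proxy only guards Starman if nothing else can reach it. Note that add_header directives are not inherited into a location that sets its own add_header, and that if the application also sends an anti-framing header the browser sees both copies, which is harmless as long as they agree.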

Configuring LedgerSMB

The tarball has a default LedgerSMB configuration file conf/ledgersmb.conf.default. Install the configuration file with:

# Install the default ledgersmb.conf configuration file
$ cp conf/ledgersmb.conf.default ledgersmb.conf

That is it.

In case the in-app e-mail feature is going to be used, check the values in the [mail] section and optionally adjust for the mail setup of the target system.

Next steps

Now follow the instructions in the "Prepare LedgerSMB for first use" guide.

ehu Sat, 08/28/2021 - 07:47 Topic Installation Release 1.9
ehu

Preparing LedgerSMB 1.9 for first use

1 month 3 weeks ago
Preparing LedgerSMB 1.9 for first use

  

This page explains how to set up LedgerSMB's first company after having completed installation, e.g. through the docker-compose.yml file. Please note that your full URL may differ depending on your installation method.

In case you just completed the quick-start instructions, the base URL at which LedgerSMB is accessible is http://localhost:5762 (If you have a full production setup, you shouldn't need the port indicator [the ":5762" part]). There are two URLs (entry-points) you can use to access the application:

  • /setup.pl [full URL: http://localhost:5762/setup.pl ]
  • /login.pl [full URL: http://localhost:5762/login.pl ]

The two entry points each serve their own purpose: setup.pl is the main tool for the database admin (lsmb_dbadmin); it serves to create new companies, create copies of companies, add users to companies and reset users' passwords. login.pl provides access to all other types of users.

Creating the first company

After browsing to setup.pl, the browser should show:

If the screen shows only the "Database" field, JavaScript has not loaded correctly. Fill out the fields as follows:

  • Super-user login: lsmb_dbadmin
  • Password:
  • Database: testcompany

Confirm the screen by clicking "Create". When the server is done creating the database for the company, a new screen will be returned. This can take up to 20 seconds.

The resulting screen shows:

Either click "Skip" to skip loading a pre-defined Chart of Accounts, or select a country code and click "Next" to list the pre-defined charts of accounts for that country.

The resulting screen then shows a list of available Charts of Accounts:

The screen above isn't shown when "Skip" was selected in the step before. Clicking "Skip" in this screen skips loading a pre-defined chart of accounts.

Regardless of whether CoA loading was skipped or performed, the following screen will be presented:

Select 'demo' templates for use with LaTeX; select 'xedemo' templates for use with XeLaTeX (which has better support for UTF-8 / accented characters and non-latin character sets). The exact choice made in this step is not highly important: templates can later be changed by loading new ones into the database. After confirming the selection by clicking "Load Templates", the following screen shows:

With this screen, the first user for this company gets created. There are two modes:

  • Import (Yes): Assumes the username already exists in the database (e.g. because it is already used for another company; re-uses the existing username+password)
  • Create (No): Assumes the username does not already exist; will create a new username

The "Assign Permissions" selection determines the rights assigned to the user:

  • "Full Permissions": The user may perform any task in the application
  • "Manage Users": The user has just enough rights to create new users who have appropriate rights

For the purpose of this quick-start guide, enter the following details (throw-away evaluation values; for a company that will hold real data, choose a proper password and real employee details):

  • Username: first_user
  • Password: first_user
  • Import: No
  • Salutation: Mr
  • First Name: First
  • Last Name: User
  • Employee Number: 1
  • Date of Birth: (today's date)
  • Tax ID/SSN: 1
  • Country: (your country)
  • Assign Permissions: Full Permissions

After confirming these data by clicking the "Create User" button, the following screen shows:

First user login

The "Start Using LedgerSMB" link opens the main application login screen, which can be used to log in using the initial user created above:

Confirming login results in the following page*:

* Note that the picture shows company name "test", but when following the instructions exactly, it should show "testcompany".

Database administration of first company

Once the testcompany has been created, it can be logged into through setup.pl as well as through login.pl. When logging in through setup.pl, the following screen with database administration functions shows:

What's next?

The system is now set up for evaluation and testing. The project has multiple channels to contact other users or the developers. Read all about that on the community project resources page.

Any comments as to this specific article? Please sign up to the site and leave your comments below!

ehu Sat, 08/28/2021 - 06:59 Topic Draft Release 1.9
ehu

1.8.19 Released

1 month 4 weeks ago
1.8.19 Released Security release No ehu Wed, 08/25/2021 - 14:38 Release candidate No Download https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.19

Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:

Changelog for 1.8.19

* Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments
* Follow-up for the fix to CVE-2021-3693; fix incorrectly backported change

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.19/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.19

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.19

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.19

These are the sha256 checksums of the uploaded files:

4f818690b39a974680c6264727ddf3ab445a5db780294cad407869d54ed1fb0c ledgersmb-1.8.19.tar.gz
ffc79cb40181b2cf94fcda63afdfaa2b63fd1703502a86f4bbb76a7bfdcb37a0 ledgersmb-1.8.19.tar.gz.asc
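The checksums above (and those in every other release announcement) are only useful if they are actually checked before the tarball is unpacked, for instance as the first step of the tarball upgrade procedure. The script below is an added example, not a tool shipped by the LedgerSMB project: it compares the downloaded file's SHA-256 with the digest copied from the announcement into a checksums file, and then verifies the detached signature (the .asc file) when gpg is installed. File names such as SHA256SUMS are placeholders.

```shell
#!/bin/sh
# Added example, not a script from the LedgerSMB project: verify a downloaded
# release tarball before unpacking it. The checksums file holds the
# "<sha256>  <file>" lines copied from the release announcement.

# sha256_of FILE: print the hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# published_digest CHECKSUMS_FILE NAME: the digest published for NAME
# (empty output when the announcement lists no such file).
published_digest() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# verify_sha256 FILE EXPECTED: succeed only when EXPECTED is non-empty and
# equals the file's digest.
verify_sha256() {
    [ -n "$2" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# verify_signature FILE FILE.asc: succeed only if gpg reports a good signature
# from a key already imported into the local keyring. The keyring is the trust
# anchor here; a signature by an unknown key fails.
verify_signature() {
    gpg --batch --verify "$2" "$1" 2>/dev/null
}

# verify_release TARBALL CHECKSUMS_FILE: digest check first, then the
# signature check when gpg and the .asc file are both present.
verify_release() {
    tarball=$1
    checksums=$2
    if ! verify_sha256 "$tarball" "$(published_digest "$checksums" "$(basename "$tarball")")"; then
        echo "SHA-256 mismatch or no published digest for $tarball" >&2
        return 1
    fi
    if [ -f "$tarball.asc" ] && command -v gpg >/dev/null 2>&1; then
        if ! verify_signature "$tarball" "$tarball.asc"; then
            echo "GPG signature check failed for $tarball" >&2
            return 1
        fi
    else
        echo "warning: signature not checked (no gpg or no $tarball.asc)" >&2
    fi
    echo "ok: $tarball"
}

# Usage: sh verify-release.sh ledgersmb-1.8.19.tar.gz SHA256SUMS
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

A digest taken from the same web page the tarball came from only detects download corruption: whoever controls that page could publish matching digests for a modified file. The signature check is the stronger test, provided the project's signing key was imported into the keyring from a source you trust independently of the download site.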

Release 1.8
ehu

1.7.34 Released

1 month 4 weeks ago
1.7.34 Released Security release No ehu Wed, 08/25/2021 - 14:36 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.7.34

Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:

Changelog for 1.7.34

* Follow-up to fix for CVE-2021-3693 to fix display of search results
* Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.34/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.34

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.34

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.34

These are the sha256 checksums of the uploaded files:

729ad60745bb3af14249d5ed952ed8d0110788fd7ed444de1bab61a81c2b9450 ledgersmb-1.7.34.tar.gz
e2beddf724b41603162c0263e24944bafeb2231917aeb094173274ee3671b6b1 ledgersmb-1.7.34.tar.gz.asc

Release 1.7
ehu

1.8.18 Released

1 month 4 weeks ago
1.8.18 Released Security release Yes ehu Mon, 08/23/2021 - 14:26 Release candidate No Download https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.18

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This
release contains three fixes for security vulnerabilities. Users are
urged to upgrade as soon as possible. Special thanks go to "ranjit-git",
and sudheendra17, users of the https://huntr.dev/ platform, for disclosing
these issues responsibly to the development team. And to the platform
itself for sponsoring the work of these researchers.
This release contains the following fixes and improvements:

Changelog for 1.8.18

* Check whether HTML comes from a valid source; CVE-2021-3693
* Apply HTML escaping on error messages; CVE-2021-3694 (#5754)
* Fix several issues in `bin/prepare-company-database` (#5769)
* Prevent the application being wrapped in a frame; CVE-2021-3731

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.18/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.18

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.18

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.18

These are the sha256 checksums of the uploaded files:

c3ed50b78a0cebc6ef7edfab6a5b1c7b6b5b2f5545bf2d680ad6c3f6cbca5be2 ledgersmb-1.8.18.tar.gz
133fae3563fa1be3eb4cd48ec06347187ba165bbeeb854c92ed03d9c08111ae0 ledgersmb-1.8.18.tar.gz.asc

Release 1.8
ehu

1.7.33 Released

1 month 4 weeks ago
1.7.33 Released Security release Yes ehu Mon, 08/23/2021 - 14:23 Release candidate No Download https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.33

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This
release contains three fixes for security vulnerabilities. Users are
urged to upgrade as soon as possible. Special thanks go to "ranjit-git",
and sudheendra17, users of the https://huntr.dev/ platform, for disclosing
these issues responsibly to the development team. And to the platform
itself for sponsoring the work of these researchers.
This release contains the following fixes and improvements:

Changelog for 1.7.33

* Check whether HTML comes from a valid source; CVE-2021-3693
* Apply HTML escaping on error messages; CVE-2021-3694 (#5766)
* Prevent the application being wrapped in a frame; CVE-2021-3731
* Align filters between UI and the database on draft transaction search (#5693)
* Correctly present manual tax and invoice total on reversing invoice (#5721)
* Repeatedly saving a draft invoice pops up an SQL error (#5679)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.33/README.md

The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.33

The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.33

Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.33

These are the sha256 checksums of the uploaded files:

15dcc79a42fd17f12d01e1cc4b36ddd25e8dbe776ffe1b9867a1ad9e42bfabc0 ledgersmb-1.7.33.tar.gz
73eadc3bf2c2b3d2abeabe52ccc3db03dd5e46599d4a84a3a72ef10105d6ab36 ledgersmb-1.7.33.tar.gz.asc

Release 1.7
ehu

1.9 release notes

2 months ago
1.9 release notes What's new and notable in LedgerSMB 1.9
  • Customer/Vendor drop-down on invoices searchable
  • E-mailed documents stored in the database
  • Searching open invoices for payment by customer/vendor name
  • A new command line application for administrative tasks and automation
  • "GIFI" selections are now hidden when no GIFI is configured
  • Option to create opening or closing balance report
  • Mailing of aging reports
  • 'Update' no longer clobbers saved invoices and transactions
  • Optimized HTML and JavaScript responses for faster page loading
New features

Mailing of aging reports

Versions of LedgerSMB up to and including 1.4 had a function to mail aging reports to customers. With the release of 1.5, in 2016, this functionality was accidentally dropped: it was overlooked when the last reporting functions were moved to "the new reporting framework". As of the 1.9 release, this function has finally been added back into LedgerSMB.

Customer/Vendor drop-down on invoices (and transactions) searchable

The customer/vendor selection drop-down on AR/AP transactions and invoices has been replaced with an input element which filters the available names based on the text entered. Before, there was a regular drop-down listing a fixed list of choices. When the number of customers gets large, that's an impractical way of selecting a customer or vendor, so an alternative mechanism existed where a regular textbox was used to search for the desired customer/vendor on 'Update'. The new feature provides a good middle ground. If your database is configured to use the regular textbox, entering a high enough number in the "Max per drop-down" setting in the "System > Defaults" screen enables this new functionality (for drop-downs no larger than the specified number of items).

E-mailed documents stored in the database

Invoices and aging reports, when mailed, are now stored in the database. This makes it possible to download the sent documents for inspection from the e-mail entry screen, and it serves as an archive of what has been sent to whom. In the past, there was no way to check which e-mails had been sent, other than by including oneself as a Bcc recipient.

Searching open invoices for bulk payment by customer/vendor name

This release adds the option to select invoices offered for payment in the bulk-payment screen by vendor/customer name in addition to the (existing) option to select invoices by vendor/customer number.

A new command line application for administrative tasks and automation

A new command line application "ledgersmb-admin" offers the ability to run a number of administrative commands from the command line (instead of from "setup.pl"). The following commands have been implemented so far:

  • Database management commands
    • backup
      creates backups of a database
    • copy
      creates copies of a database
    • create
      creates a new database, optionally with configuration and a user
    • destroy
      removes a database
    • rename
      renames a database, while retaining access rights for existing users
    • restore
      restores a database from a backup file created with the "backup" command
    • upgrade
      upgrades a database's schema and stored procedures for a new application version
  • Company management commands
    • template
      imports, exports and lists templates in a company

More commands are expected to become available in 1.10 or later.

Option to create opening or closing balance report

Before this release, there was an option to either include or ignore "year ends" when running the balance sheet report. This type of input was deemed too technical: the actual question the application was trying to ask was whether the user is trying to run an opening or a closing balance at the given date. Exactly how the application achieves that, is an implementation detail that involves date calculus and in-/exclusion of "year ends". These technicalities have now been hidden from the user.

Notable changes

'Update' no longer clobbers saved invoices and transactions

For a long time the function has existed in LedgerSMB whereby a user can save a transaction in order to store it and either work on it later, or post it later. The function has been broken for quite a while due to the fact that clicking "Update" on a saved transaction (or invoice) would restore the transaction to its saved state - undoing all work done on the saved transaction to prepare it for posting. Technically, it was a complex task to prevent the entered data from being reverted to the original state, but the 1.9 release finally fixes this issue which was filed in 2015.

Optimized HTML and JavaScript responses for faster page loading

Extensive research has been performed on what determined the response times for HTML pages. Many small code changes were implemented to speed up page response times, shaving off some 30% of the response time of a huge GL search report.

Additionally, a lot of research went into finding ways to reduce the size of the JavaScript files being used by the application as well as reducing the number of requests to load these files into the browser. As a result, LedgerSMB now uses Webpack to process JavaScript source files from our own project, Dojo Toolkit and JS dependencies from NPM. Further research to increase JS performance is on-going, even after the 1.9 release, all in terms of number of dependencies, code size and execution speed.

"GIFI" selections are now hidden when no GIFI is configured

Most installations don't need GIFI codes for their accounts: it's a Canadian coding system required by law to support government reporting. Often, it's used as an alternative reporting classification by companies outside of Canada. When neither is the case, GIFI would still be offered as a search filter in many places. Now, GIFI input boxes are suppressed when no GIFI is configured for the company. As soon as a single GIFI code is configured, the codes show in the UI again.

Other user-visible changes
  • The list of country names in the preferences screen is now translated to the selected language
  • The invoice entry screen now links to the customer/vendor screen with the customer/vendor preselected
  • Faster calculation of the balance sheet report
  • Faster population of the list of currencies (applies to all screens with a currency drop-down)
  • All non-required drop-downs now contain an empty value that can be selected to undo the selection of a non-empty value
  • Orders and invoices show history: e.g. saving, posting, printing and mailing
  • Improved error reporting and handling on failure with Print buttons
  • E-mailed invoices generated based on the data in the database instead of the data visible (and editable!) on-screen ensuring consistency between invoice and stored data
Known problems

 

ehu Sun, 08/22/2021 - 06:58 Topic Draft Release notes Release 1.9
ehu

Upgrading LedgerSMB 1.8.x to 1.8.y

2 months ago
Upgrading LedgerSMB 1.8.x to 1.8.y

There are two steps to upgrading a LedgerSMB 1.8.x installation to 1.8.y (x smaller than y):

  1. Upgrade the software
  2. Upgrade the company database

The second step has to be executed for each company database that's set up.

Upgrade the software

The steps to upgrade the software differ between Docker or tarball (from source) installations.

Upgrading Docker installations

In case the installation was created using the docker-compose infrastructure provided by the project, the upgrade should be as simple as running

$ docker-compose pull
$ docker-compose up -d

in the directory where you initially ran the "docker-compose up -d" command. The above commands should produce this output:

Recreating ledgersmb-docker_postgres_1 ... done
Recreating ledgersmb-docker_lsmb_1 ... done

Note that the "ledgersmb-docker" prefix may differ, depending on the name of the directory your docker-compose.yml file is stored in (in this case it was called "ledgersmb-docker/").

Upgrading tarball installations

Note that all the steps below are prefixed with the 'sudo' command, but these can be executed as 'root' directly as well.

# Stop the LedgerSMB application server (e.g. Starman)
$ sudo service starman-ledgersmb stop

# Back up the old software by moving it out of the way (assuming you installed in /usr/local/ledgersmb):
$ sudo mv /usr/local/ledgersmb /usr/local/ledgersmb.backup

# Untar the tarball into /usr/local/ledgersmb:
$ sudo tar xf ledgersmb-1.8.y.tar.gz --directory /usr/local

# Copy the configuration file from the old installation:
$ sudo cp /usr/local/ledgersmb.backup/ledgersmb.conf /usr/local/ledgersmb/

# Start the LedgerSMB application server again (Starman example given, as before):
$ sudo service starman-ledgersmb start

Compare the copied ledgersmb.conf with the new version's conf/ledgersmb.conf.default, so that settings introduced by the new version do not silently fall back to their defaults.

Upgrading the company database

After the software has been upgraded, the company database(s) have to be upgraded. When a user logs in on a database which is of a version different from the software that's used to access the database, a "Database version mismatch" error will be generated.

To upgrade the company database from the Web UI, navigate to the setup.pl page (e.g. when you're hosting your LedgerSMB on https://localhost/ and normally log in through https://localhost/login.pl, now you need to navigate to https://localhost/setup.pl). Log into setup.pl with the database admin credentials (the "lsmb_dbadmin" user, if you followed the installation instructions).

After login, setup.pl will show a screen with the following at the top:

 

Logged in as lsmb_dbadmin
LedgerSMB 1.8 db found
Rebuild/Upgrade?

By clicking the "Yes" button, the company database upgrade process will be executed.

Repeat this process for all company databases.

ehu Sun, 08/22/2021 - 03:10 Topic Upgrade Installation Release 1.8 FAQ Category Installation
ehu

Security advisory for CVE-2021-3731 (Clickjacking)

2 months ago
Security advisory for CVE-2021-3731 (Clickjacking) ehu Fri, 08/20/2021 - 14:22
Insufficient protection against 'clickjacking'

Summary

  LedgerSMB does not sufficiently guard against being wrapped by
  other sites, making it vulnerable to 'clickjacking'. This allows
  an attacker to trick a targeted user into executing unintended actions.

Known vulnerable

  All of:

  - 1.1.0 up to and including 1.1.12
  - 1.2.0 up to and including 1.2.26
  - 1.3.0 up to and including 1.3.47
  - 1.4.0 up to and including 1.4.42
  - 1.5.0 up to and including 1.5.30
  - 1.6.0 up to and including 1.6.33
  - 1.7.0 up to and including 1.7.32
  - 1.8.0 up to and including 1.8.17

Known fixed

  - 1.7.33
  - 1.8.18


Details

  In a clickjacking attack, an attacker (invisibly) wraps the vulnerable
  site in his own site, carefully placing elements of his own site over
  elements of the wrapped site, tricking the user into performing unintended
  actions on the vulnerable site. More information on clickjacking is on the
  OWASP page at https://owasp.org/www-community/attacks/Clickjacking

  The lack of protection dates back to version 1.0, although it must
  be noted that mitigation measures were first available in browsers
  as of 2011 -- the year of the release of 1.3.0.

Severity

  CVSSv3.1 Base Score: 5.9 (Medium)

  CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

Recommendations

  We recommend that all users upgrade to known-fixed versions. Versions prior
  to 1.7 are end-of-life and will not receive security fixes from the
  LedgerSMB project.

  Users who cannot upgrade may apply the included patches, or are advised
  to contact a vendor for custom support.

  As a workaround, administrators may configure their web servers to add
  a Content-Security-Policy header carrying a frame-ancestors directive
  (frame-ancestors 'none' forbids framing altogether; 'self' allows only
  same-origin framing), as documented on the content security policy site
  at https://content-security-policy.com/#server. Browsers that predate
  the frame-ancestors directive honour the X-Frame-Options header instead,
  so sending both is the usual practice.
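A check to run against a deployment after upgrading or after adding the header at the web server, written for this page as an added example (it is not LedgerSMB code): given the response headers, it decides whether a third-party page could frame the application, applying the browser rule that an enforced Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, so that a permissive CSP silently undoes a DENY. The URLs and header sets below are constructed for illustration; running the script with a URL argument fetches the live headers instead.

```python
"""Clickjacking check: can a page be framed by another site?

Added example, not part of LedgerSMB: given the headers a server sends back,
decide whether a browser would let a third-party page embed it in a frame.
The sample header sets at the bottom are constructed for illustration.
"""
import sys
import urllib.error
import urllib.request
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) triple a browser compares for same-origin checks."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme))


def _frame_ancestors(csp):
    """Source expressions of the frame-ancestors directive, or None when the
    policy has no such directive. An empty list means 'match nothing'."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_allows(source, framer, page):
    """Does one frame-ancestors source expression admit the framer origin?
    Covers 'none', 'self', '*', scheme-sources ("https:") and host-sources with
    an optional scheme, leading wildcard and port; a simplification of the full
    CSP matching rules (no http->https upgrade matching, for instance)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    scheme, host, port = framer
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. "https:"
        return scheme == source[:-1]
    if "://" in source:                               # scheme + host-source
        src_scheme, _, hostport = source.partition("://")
        if src_scheme != scheme:
            return False
    else:
        hostport = source
    src_host, _, src_port = hostport.split("/", 1)[0].partition(":")
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    return fnmatchcase(host, src_host)


def framing_allowed(headers, page_url, framer_url):
    """True if a response carrying `headers` for `page_url` could be framed by a
    document at `framer_url`. An enforced Content-Security-Policy with a
    frame-ancestors directive wins and X-Frame-Options is then ignored; only
    without such a directive does X-Frame-Options (DENY / SAMEORIGIN) apply.
    Anything else (no header, the obsolete ALLOW-FROM form, a Report-Only
    policy) leaves the page frameable."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    if "content-security-policy" in h:
        sources = _frame_ancestors(h["content-security-policy"])
        if sources is not None:
            return any(_source_allows(s, framer, page) for s in sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True


def verdict(headers, page_url="https://ledger.example.com/login.pl",
            framer_url="https://attacker.example.net/"):
    """One-word summary for the report below (URLs are placeholders)."""
    return "frameable" if framing_allowed(headers, page_url, framer_url) else "protected"


def fetch_headers(url):
    """Response headers of a live URL (a 4xx/5xx answer still carries headers)."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses (header name -> value), not captured from any site.
SAMPLES = {
    "no protection":        {"Content-Type": "text/html; charset=utf-8"},
    "X-Frame-Options DENY": {"X-Frame-Options": "DENY"},
    "CSP 'self' only":      {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "CSP overrides XFO":    {"X-Frame-Options": "DENY",   # ignored: CSP below wins
                             "Content-Security-Policy": "frame-ancestors https://*.example.com"},
    "obsolete ALLOW-FROM":  {"X-Frame-Options": "ALLOW-FROM https://partner.example.org"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:        # live check: python3 clickjack_check.py https://host/login.pl
        url = sys.argv[1]
        print(url, verdict(fetch_headers(url), page_url=url))
    else:
        for name, hdrs in SAMPLES.items():
            print(f"{name:22} {verdict(hdrs)}")
```

The "CSP overrides XFO" sample is the case to watch for after adding headers at the proxy: an X-Frame-Options DENY from the application does not help once a Content-Security-Policy with a permissive frame-ancestors list is sent alongside it, so the two must be kept consistent.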

References

  CVE-2021-3731  (LedgerSMB)

  https://ledgersmb.org/cve-2021-3731-clickjacking

  https://huntr.dev/bounties/5664331d-f5f8-4412-8566-408f8655888a/

Reported by

  sudheendra17, user of the huntr.dev platform

 

Attachments File 1.7-cve-3731.patch_.txt File 1.8-cve-3731.patch_.txt Topic Security advisory Release 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8
ehu