Security advisory for CVE-2021-3882 (non-Secure session cookie)

Submitted by ehu on

  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Summary

  LedgerSMB does not set the 'Secure' attribute on the session authorization
  cookie when the client uses HTTPS and the LedgerSMB server is behind a
  reverse proxy.  By tricking a user to use an unencrypted connection (HTTP),
  an attacker may be able to obtain the authentication data by capturing
  network traffic.


Known vulnerable

  All of:

  - 1.8.0 upto 1.8.21 (including)

1.9.1 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. Through
a week of outstanding teamwork, we're able to bring 15 fixes and
small changes (not all fixes for regressions) in this release.
This release contains the following fixes and improvements:

Changelog for 1.9.1

1.9.0 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce the first
release of a new release branch: 1.9.0. This series features
a wide variety of new features, improvements, bug fixes and
cleanup. To name a few:

1.8.21 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.21

* Prevent draft approval by user without permission (#5984)
* Fix UI consistency (missing CSS class) in purchase invoice (#5988)
* Fix performance problem deleting huge draft transactions (#5993)

1.8.20 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.20

* Fix for chart of accounts headings import from CSV (#5987)
* Correctly set the payment account in invoices and transactions (#5801)
* Fix regression in CVE-2021-3693 failing to show errors as popups (#5921)
* Fix regression in CVE-2021-3693 with broken downloads of backups (#5931)

1.7.35 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.7.35

* Fix for chart of accounts headings import from CSV (#5987)
* Correctly set the payment account in invoices and transactions (#5801)
* Fix regression in CVE-2021-3693 failing to show errors as popups (#5921)
* Fix regression in CVE-2021-3693 with broken downloads of backups (#5931)

Upgrade to LedgerSMB 1.9

Submitted by ehu on

Overview

Company database upgrades are supported all the way back from 1.4 directly to 1.9, using the 1.9 software. Company database upgrades from 1.3 and 1.2 are also supported, but due to the different nature of the upgrade process are called "migrations". The important difference being that when doing a migration, a copy of the data is being created in the 1.9 structure, while upgrades adjust the existing structure for 1.9.

1.8.19 Released

Submitted by ehu on

Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:

Changelog for 1.8.19

* Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments
* Follow-up for the fix to CVE-2021-3693; fix incorrectly backported change

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.19/README.md

Subscribe to