LedgerSMB 1.3.28 has been released and includes two security fixes. It is a recommended upgrade for all LedgerSMB 1.3.x users. The major fixes in this area have to do with administrative password resets being ineffective, and HTTP credentials not being cleared. These fixes are available separately to any user who needs them.
However, we also have a number of other fixes which are important for many users. Please see the complete changelog below for more details. Note also that apparent enhancements below are either necessary to fix existing bugs with the legacy codebase or correct missing functionality relative to 1.2.x.
Get the new version from http://ledgersmb.org/download
Best Wishes,
Chris Travers
Changelog for 1.3.28
* Added db list to setup.pl when no db is entered and credentials allow login to "postgres" db. (Chris T)
* Added copy db utility to setup.pl for testing dbs (Chris T)
* Fixing is_zero errors on ar/ap transaction screens w/tax included (Chris T)
* Fixing csv ar transactions not showing taxes (Chris T, 3589640)
* Fixing demo quotations having descriptions taking too much space (Chris T)
* Moved to label/button system for deleting lines on invoices (Chris T)
* Fixing extra blank lines showing up on ar/ap trans screen on save (Chris T)
* Changing xetex demos to use Liberation font (Chris T, h/t Erik H)
* Better appearance of customer history report filter screen (Chris T)
* Fixed new Dynatable.tex not handling col ids with underscores (Chris T)
* Fixed admin passwd reset directing to showing new user screen (Chris T)
* Fixed admin passwd reset ineffective (Chris T, bug 3599803)
* Fixed stylesheet cannot be set on preferences screen (Chris T, 3599804)
* Moved Fixes.sql to top of LOADORDER to fix some upgrade issues (Chris T)
* Fixing handling of unknown browsers in logout (Chris T, 3599930)
* Fixed error generating invoice when mintax threshold not met (Chris T)