1.8

COGS assembly fix

Submitted by ehu on

All versions from 1.3.0 to 1.11.16 are affected by a bug in Cost of Goods Sold (COGS) accounting for assemblies: instead of posting the expense and reducing inventory, negative expenses are posted, which puts goods back into inventory.

I never used assemblies; am I affected too?

No. You are affected only if you used assemblies in combination with LedgerSMB 1.3.0 through 1.11.15.

cve-2024-23831 (Cross Site Request Forgery)

Submitted by ehu on

Privilege escalation through CSRF attack on 'setup.pl'

Summary

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent.  This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.


Known vulnerable

All of:

Session expired immediately after logging in

Submitted by ehu on

When I log in, LedgerSMB 1.8 or higher immediately says my session has expired. What can I do to fix this?

Short answer: add the "--preload-app" flag to the Starman command line.

Long answer: As of LedgerSMB 1.8, session information is stored in an encrypted cookie. To make sure the encryption key is unique for every installation, a new encryption secret is generated each time LedgerSMB is started. However, Starman (without the "--preload-app" flag) loads the application separately in each forked worker, so every worker ends up with a different encryption secret; a cookie issued by one worker is then rejected by the next worker that handles a request, which produces the "session expired" behaviour described above.
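To make the worker behaviour concrete, here is an added simulation (not LedgerSMB or Starman code) of the two start-up modes. It models the per-process secret as an HMAC key rather than an encryption key, which is a simplification; the session string, worker count and dispatch order are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional


def make_secret() -> bytes:
    # Stands in for the fresh secret LedgerSMB generates at application load.
    return os.urandom(32)


def seal(secret: bytes, session: str) -> str:
    # Issue a cookie that only a holder of `secret` can validate.
    tag = hmac.new(secret, session.encode(), hashlib.sha256).hexdigest()
    return f"{session}|{tag}"


def unseal(secret: bytes, cookie: str) -> Optional[str]:
    # Return the session if the cookie was issued under `secret`, else None.
    session, _, tag = cookie.rpartition("|")
    expected = hmac.new(secret, session.encode(), hashlib.sha256).hexdigest()
    return session if hmac.compare_digest(tag, expected) else None


def start_workers(preload_app: bool, n_workers: int = 3) -> List[bytes]:
    """Model of the fork: with --preload-app the application (and therefore
    its secret) is loaded once in the parent and inherited by every worker;
    without it, each worker loads the application itself and mints its own."""
    if preload_app:
        shared = make_secret()
        return [shared] * n_workers
    return [make_secret() for _ in range(n_workers)]


def session_survives(workers: List[bytes]) -> bool:
    """Worker 0 handles the login and issues the cookie; the following request
    lands on a different worker. True if every other worker accepts it."""
    cookie = seal(workers[0], "login=admin;company=demo")  # constructed session
    return all(unseal(w, cookie) is not None for w in workers[1:])


if __name__ == "__main__":
    print("with --preload-app:   ", session_survives(start_workers(True)))
    print("without --preload-app:", session_survives(start_workers(False)))
```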

1.8.30 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is excited to announce yet another
new version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.30

* Fix invoices randomly being incorrectly voided (#2321)
* Fix response status code checks to correctly roll back on error (#6586)

Please note that this release fixes bug #2321, which the project
team was never able to reproduce but which has been reported by
different users many times over the past years.

1.8.29 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.29

* Fix the 1.8 Changelog which had been replaced with the 1.9 Changelog

Changelog for 1.8.28

* Fix reconciliation for multiple payments with the same Source (#6526)
* Fix reconciliation for payments with GL corrections (#6533)

1.8.27 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.27

* Fix tax form details reports throwing an error (#6458)
* Support PostgreSQL 14 (#6500)
* Allow deletion of transactions with shipto address (#6509)

1.8.26 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.26

* Fix double-counting of lines with business units in the trial balance (#6402)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.26/README.md