The following is a security advisory for LedgerSMB 1.3.x. It includes information on vulnerable versions, and how to mitigate problems. While the security issues discovered here are minor in most cases, they can have significant impacts for some users in some environments.
Versions 1.6 and higher are under active development and are supported by the community. Planned end-of-life dates for current releases are:
- 1.6: Planned End-of-life date: 2021-06-10 (released: 2018-06-10)
- 1.7: Planned End-of-life date: 2022-10-04 (released: 2019-10-04)
- 1.8: Planned End-of-life date: 2023-09 (to be released 2020-09)
End of life
If you're looking for help on how to use EOL-ed versions, please try mailing the users mailing list.
If you're looking for someone to create bugfixes, please check with one of the parties providing commercial support or, for less urgent fixes, report them via LedgerSMB Issues.
Version 1.5 has been declared end-of-life on 2019-12-23. The last release in the series is 1.5.30. No further releases will be made by the community.
Version 1.4 has been declared end-of-life on 2017-09-16. The last release in the series is 1.4.42. No further releases will be made by the community.
Version 1.3 has been declared end-of-life on 2015-12-23. The last release in the series is 1.3.47. No further releases will be made by the community.
LedgerSMB versions 1.0, 1.1 and 1.2 are no longer maintained because they contain known security issues which cannot be fixed.
A security oversight has been discovered in LedgerSMB 1.3 which could allow a malicious user to cause a denial of service against LedgerSMB or otherwise affect the way in which certain forms of data would get entered. In most cases we do not believe this to be particularly severe in the absence of poor internal process controls. Users in some jurisdictions however may need to take this more seriously (see full details below).