News

Security advisory for CVE-2021-3882 (non-Secure session cookie)

Submitted by ehu on

  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Summary

  LedgerSMB does not set the 'Secure' attribute on the session authorization
  cookie when the client uses HTTPS and the LedgerSMB server is behind a
  reverse proxy.  By tricking a user to use an unencrypted connection (HTTP),
  an attacker may be able to obtain the authentication data by capturing
  network traffic.


Known vulnerable

  All of:

  - 1.8.0 upto 1.8.21 (including)

1.9.1 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. Through
a week of outstanding teamwork, we're able to bring 15 fixes and
small changes (not all fixes for regressions) in this release.
This release contains the following fixes and improvements:

Changelog for 1.9.1

1.9.0 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce the first
release of a new release branch: 1.9.0. This series features
a wide variety of new features, improvements, bug fixes and
cleanup. To name a few:

1.8.21 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.21

1.8.20 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.20

1.7.35 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.7.35

1.8.19 Released

Submitted by ehu on

Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:

Changelog for 1.8.19

  • Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments
  • Follow-up for the fix to CVE-2021-3693; fix incorrectly backported change

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.19/README.md

1.7.34 Released

Submitted by ehu on

Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:

Changelog for 1.7.34

  • Follow-up to fix for CVE-2021-3693 to fix display of search results
  • Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.34/README.md

1.8.18 Released

Submitted by ehu on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This
release contains three fixes for security vulnerabilities. Users are
urged to upgrade as soon as possible. Special thanks go to "ranjit-git",
and sudheendra17, users of the https://huntr.dev/ platform, for disclosing
these issues responsibly to the development team. And to the platform
itself for sponsoring the work of these researchers.
This release contains the following fixes and improvements:

1.7.33 Released

Submitted by ehu on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This
release contains three fixes for security vulnerabilities. Users are
urged to upgrade as soon as possible. Special thanks go to "ranjit-git",
and sudheendra17, users of the https://huntr.dev/ platform, for disclosing
these issues responsibly to the development team. And to the platform
itself for sponsoring the work of these researchers.
This release contains the following fixes and improvements:

Subscribe to News