The LedgerSMB team is proud to release version 1.3.42.  This release corrects a couple of significant issues and a number of more minor issues.

Most significantly this corrects an issue which prevented posting of foreign currency payments when certain conditions regarding rounded, converted amounts were present.  Also this corrects an issue where invoices with ship-to addresses were sometimes linked to incorrectly in the reports.

A number of more minor fixes were included as well.

The complete changelog is below:

What follows is a slightly edited version of a post to the email lists.  While LedgerSMB does not directly utilize OpenSSL, it is usually deployed on web servers that do.  No upgrades of LedgerSMB are required, but you may need to update the security libraries of your web server.  Please read further for the sorts of implications this has regarding LedgerSMB and what we would recommend about mitigating and recovering from risks.

Security Advisory: LedgerSMB < 1.3.36, Improper Logout on Some Browsers

Severity:  Low (cvssv2 base score: 3.6, total 0.5)
Remotely Exploitable: No
Complexity of Attack:  High
Impact:  Relatively low.
Prerequisite for Attack:  Physical Access to Previously Logged In Browser, so high complexity in most cases.
Attack Vector:  Physical, against client.
Impact:  The attacker may gain access unexpectedly to LedgerSMB using the client's previous credentials.

Background

This release corrects a significant issue in printing invoices with manually calculated sales tax.  This is a significant update, and anyone using 1.3.35 or manually entered sales tax should update relatively quickly.