The following is a security advisory for LedgerSMB 1.3.x. It includes information on vulnerable versions, and how to mitigate problems. While the security issues discovered here are minor in most cases, they can have significant impacts for some users in some environments.
LedgerSMB 1.3.27 has been released. This version includes a number of enhancements to the migration process, creating new user accounts for 1.2 users (passwords must still be set by an administrator), and a number of minor bug fixes that will improve the user experience. While this is not a drastic improvement on previous versions it is an incremental one.
Get the new version from http://ledgersmb.org/download
The best way to get (free) help is to join one of the LedgerSMB mailing lists or browse the mailing list archives for past advice:
LedgerSMB 1.3.26 has been released with minor usability enhancements for the database update routines and a number of minor bugfixes. While this release does not have a massive number of fixes of general applicability it does contain a number of fixes that people in specific environments may find helpful.
The major fixes involve the handling of the fs_cssdir configuration setting which was causing problems when trying to edit the stylesheet, and fixes for including parts images in pdf invoices. See the changelog below for a complete list of fixes and enhancements.
The LedgerSMB team is pleased to announce the release of LedgerSMB 1.3.25. With this release we mostly have focused on cosmetic changes for the software, thus reducing the sorts of user interface issues that are likely to cause minor headaches for users of the software.
There are, however, three significant issues that have been corrected in this release which make an upgrade recommended for everyone:
1: In previous versions, term of payment on sales orders and purchase orders were not properly respected.
The LedgerSMB development team is proud to release 1.3.24. This release contains a fairly large number of polishing bug-fixes, but also important Plack-related fixes for folks wanting to use LedgerSMB in FCGI and PSGI environments. These fixes ensure that LedgerSMB can be run caching some of the dependencies and thus will be far more responsive than when run as a simple CGI application.
LedgerSMB 1.3.23 has been released. This release includes a number of bugfixes, some of which affect the ability to deploy LedgerSMB in new environments. Most of these bugfixes are relatively minor but they do impact upgrades from 1.2.x for some users. Additionally most of the changes are ones which allow us to present a more polished product to the user.
This also corrects some i18n issues and a few other issues. The complete changelog is below.
NP Broadcast Limited is a UK-registered Limited Company with a yearly turnover of approximately GBP 150,000, VAT registered with 2 LedgerSMB users. We are mainly a services company providing studio and outside broadcast engineering support to broadcasters.
We have released LedgerSMB 1.3.22 in response to significant installation issues with new databases under 1.3.21. If you are planning on setting up additional companies, you should probably upgrade.
This release also corrects an issue with midsized databases where certain screens are slow. This was caused by the selection for all years being slow due to a missing index. If the AR/AP transaction screens are very slow, try upgrading here.
The complete changelog is below.
Best Wishes,
Chris Travers
A security oversight has been discovered in LedgerSMB 1.3 which could allow a malicious user to cause a denial of service against LedgerSMB or otherwise affect the way in which certain forms of data would get entered. In most cases we do not believe this to be particularly severe in the presence of internal process controls. Users in some jurisdictions however may need to take this more seriously (see full details below).
Basic vulnerability characteristics