Security advisory: Multiple Vulnerabilities

Submitted by Chris Travers on

Hi all;

It has been brought to our attention that a number of security vulnerabilities have been noted in SQL-Ledger. Several of these affect earlier versions of LedgerSMB, and three hotfixes have been released for problems that continue to affect the LedgerSMB codebase.

As always, we highly recommend testing all hotfixes before applying them to a production environment.

The CVE's mentioned here are the ones attached to SQL-Ledger. Subtle differences as to how these affect LedgerSMB are noted below.

Screenshots for 1.3

Submitted by Chris Travers on

This content is outdated and kept here for reference only!

We have been working long and hard on 1.3 for some time, so it is time we show some screenshots showing how things will be different. I have chosen three screen shots to highlight our new approach:

1) Bank Reconciliation has been entirely redesigned in 1.3 with a new workflow and it is better designed to handle large numbers of transactions. Additionally you can go back later and review a reconciliation set to see what cleared and what was outstanding. This screen shot shows a report for a work in progress.

2) The contact management section is redone. Customers/vendors can now have multiple accounts, contact information, shipping and billing info, notes, etc. This screen shot shows how this looks with Javascript enabled. Here Javascript is used to clean up the interface, and the links at the top switch between visible divs.

3) Payment screen, for single customer/vendor payments

4) Batch payment screen for paying or receiving money from several customers or vendors.

5) Order entry (in this case sales order)

1.2.16 Released

Submitted by Chris Travers on

The LedgerSMB Core Team is proud to announce the release of version 1.2.16, which corrects one issue with price matrix error handling introduced in 1.2.15 and also issues with running LedgerSMB on Perl 5.10.0. It is recommended that all users upgrade, but those using versions before 1.2.15 along with price matrix logic should put the application through some light testing before putting it into production.

The complete changelog is:
Changelog for 1.2.16

1.2.15 Released

Submitted by Chris Travers on

The LedgerSMB Team is proud to release version 1.2.15. This version
corrects a number of important bugs including two critical security
issues. We will be releasing a separate security advisory within a
week.

Additionally, several broken areas of the pricematrix logic were
corrected. Businesses using this portion of the software should spot
check results before putting this release into production.

The complete changelog is:

Does ledgersmb support SSL connection ?

Submitted by Chris Travers on

Q: How could I set it up ledgersmb to support SSL connection?

SSL support on Apache is handled by configuring Apache. For having LedgerSMB connect to PostgreSQL using SSL, you can set the PGSSLMODE environment variable to 'require' in the ledgersmb.conf. Note that by default, LedgerSMB will try to connect to PostgreSQL via SSL and fall back to unsecured connections if this is not available.

We highly recommend using SSL for any access to LedgerSMB over the network.

LedgerSMB 1.2.13 released

Submitted by Chris Travers on

The LedgerSMB team is pleased to announce the release of LedgerSMB 1.2.13 which is available from the SourceForge download page.
This release corrects all known issues with running LedgerSMB 1.2.x on PostgreSQL 8.3 and although other issues may surface, we will fix those as they are brought to our attention.

Please click 'Read more' to view the change log for 1.2.13.

Subscribe to