October 2021 - announce - lists.freelock.com

LedgerSMB 1.9.2 released
by Erik Huelsmann 12 Oct '21

12 Oct '21

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.9.2 * Fix sending mail with multiple Bcc addresses (#6087) * Fix manual taxes on credit invoices (#5721) * Add missing account configuration on Sales account (#6100) * Fix Update clobbering invoice header data (e.g. fx rate) (#6114) For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.9.2/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.9.2 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.2 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.9.2 These are the sha256 checksums of the uploaded files: 73a5006669cbb177c732602ecbf9f85c3b11d8171eeecebcc0cf933eca9f7c02 ledgersmb-1.9.2.tar.gz 50c09dd7652d6054189e82d5e1f37b4b1bca19467f7a14fc54a68ff80dcb7deb ledgersmb-1.9.2.tar.gz.asc

1 0

[SECURITY] Security advisory for CVE-2021-3882 (non-Secure session cookie)
by Erik Huelsmann 12 Oct '21

12 Oct '21

On September 16th, the LedgerSMB project was advised of a security vulnerability in the code. Please see below our security advisory. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute Summary: ======== LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. Known vulnerable: ================= All of: - 1.8.0 upto 1.8.21 (including) Known fixed: ============ - 1.8.22 Details: ======== LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positioned to eavesdrop on the network traffic between the client and the server *and* the user must be tricked into using unencrypted HTTP traffic. Proper audit control and separation of duties limit Integrity impact of the attack vector. Severity: ========= CVSSv3.1 Base Score: 5.9 (Medium) CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N Recommendations: ================ Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need to take action. As a workaround, users may configure their Apache or Nginx reverse proxy to add the Secure attribute at the network boundary instead of relying on LedgerSMB. For Apache, please refer to the 'Header always edit' configuration command in the mod_headers module. For Nginx, please refer to the 'proxy_cookie_flags' configuration command. References: =========== CVE-2021-3882 (LedgerSMB) https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d/ Reported by: ============ 0xdhinu, user of the huntr.dev platform Patches: ======== index 8dbcacddd..063e44415 100644 --- a/lib/LedgerSMB/Middleware/AuthenticateSession.pm +++ b/lib/LedgerSMB/Middleware/AuthenticateSession.pm @@ -209,7 +209,7 @@ sub call { $dbh->rollback; $dbh->disconnect; - my $secure = ($env->{SERVER_PROTOCOL} eq 'https') ? '; Secure' : ''; + my $secure = ($env->{HTTPS} eq 'ON') ? '; Secure' : ''; my $path = LedgerSMB::PSGI::Util::cookie_path($env->{SCRIPT_NAME}); return Plack::Util::response_cb( $res, sub { -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.

1 0

LedgerSMB 1.8.22 released
by Erik Huelsmann 12 Oct '21

12 Oct '21

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.8.22 * Fix sending mail with multiple Bcc addresses (#6087) * Fix manual taxes on credit invoices (#5721) * Fix 'Secure' flag on session cookie; CVE-2021-3882 * Improve configuring acceptable reverse proxy addresses For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.8.22/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.8.22 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.22 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.8.22 These are the sha256 checksums of the uploaded files: 583f56c2d303eeb133222467d368a58b5e66ee080040335d3608dfc672aa7316 ledgersmb-1.8.22.tar.gz 15affde0f85b03dd9a1784304958a030fa9b5009df800e093f443bce55c541a0 ledgersmb-1.8.22.tar.gz.asc

1 0

LedgerSMB 1.7.36 released
by Erik Huelsmann 12 Oct '21

12 Oct '21

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.7.36 * Fix manual taxes on credit invoices (#5721) * Improve configuring acceptable reverse proxy addresses For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.7.36/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.7.36 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.36 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.7.36 These are the sha256 checksums of the uploaded files: 8c638acc822a43a1ec66268f08c961f5b392b6fadd6069eb6c2462e5b2ce9030 ledgersmb-1.7.36.tar.gz d85b50e090e99f5917c6d834cb8d54360d56af9dff8b05b4ffff3d4cf9984ccb ledgersmb-1.7.36.tar.gz.asc

1 0

LedgerSMB 1.9.1 released
by Erik Huelsmann 01 Oct '21

01 Oct '21

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. Through a week of outstanding teamwork, we're able to bring 15 fixes and small changes (not all fixes for regressions) in this release. This release contains the following fixes and improvements: Changelog for 1.9.1 * Fix license declaration in package.json (gpl-v2.0-or-newer) * Fix scrollbars in the main window overlapping with real content (#5874) * Fix 'setup.pl' to work with Safari for creation of new data sets (#6016) * Fix no payment lines shown after saving invoices and transactions (#6017) * Fix e-mailed invoices not being sent to Bcc addresses * Add support for workflow overrides * Add a list of available e-mail variables for expansion * Restore e-mail body variable expansion (#6042) * Add example Chart of Accounts with hierarchy (US General based) (#6057) * Fix SQL date errors using date formats other than yyyy-mm-dd (#6040) * Fix default to/cc/bcc addresses not applied to e-mail (#6045) * Correctly present password experation in preferences (#6067) * Fix initialization of 'current earnings' setting from CoA XML * Correctly select the default country on Contact address entry (#6058) * Correctly set parent of CoA headers when loading from XML (#6068) For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.9.1/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.9.1 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.1 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.9.1 These are the sha256 checksums of the uploaded files: a705e14658c1729e73478626fee3b7bda123e963d95b506d6a2d6ef1ac926822 ledgersmb-1.9.1.tar.gz 5873f92712243977b5ec50f44560ea89a332c618294d062e14ba888c9b73bec0 ledgersmb-1.9.1.tar.gz.asc

1 0