The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.9.2
* Fix sending mail with multiple Bcc addresses (#6087)
* Fix manual taxes on credit invoices (#5721)
* Add missing account configuration on Sales account (#6100)
* Fix Update clobbering invoice header data (e.g. fx rate) (#6114)
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.2/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.2
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.2
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.2
These are the sha256 checksums of the uploaded files:
73a5006669cbb177c732602ecbf9f85c3b11d8171eeecebcc0cf933eca9f7c02 ledgersmb-1.9.2.tar.gz
50c09dd7652d6054189e82d5e1f37b4b1bca19467f7a14fc54a68ff80dcb7deb ledgersmb-1.9.2.tar.gz.asc
On September 16th, the LedgerSMB project was advised of a security
vulnerability
in the code. Please see below our security advisory.
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Summary:
========
LedgerSMB does not set the 'Secure' attribute on the session authorization
cookie when the client uses HTTPS and the LedgerSMB server is behind a
reverse proxy. By tricking a user to use an unencrypted connection
(HTTP),
an attacker may be able to obtain the authentication data by capturing
network traffic.
Known vulnerable:
=================
All of:
- 1.8.0 upto 1.8.21 (including)
Known fixed:
============
- 1.8.22
Details:
========
LedgerSMB 1.8 and newer switched from Basic authentication to using cookie
authentication with encrypted cookies. Although an attacker can't access
the information inside the cookie, nor the password of the user,
possession
of the cookie is enough to access the application as the user from which
the
cookie has been obtained.
In order for the attacker to obtain the cookie, first of all the server
must be configured to respond to unencrypted requests, the attacker must
be
suitably positioned to eavesdrop on the network traffic between the client
and the server *and* the user must be tricked into using unencrypted HTTP
traffic.
Proper audit control and separation of duties limit Integrity impact of
the attack vector.
Severity:
=========
CVSSv3.1 Base Score: 5.9 (Medium)
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Recommendations:
================
Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users
of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't
need
to take action.
As a workaround, users may configure their Apache or Nginx reverse proxy
to add the Secure attribute at the network boundary instead of relying on
LedgerSMB.
For Apache, please refer to the 'Header always edit' configuration command
in the mod_headers module.
For Nginx, please refer to the 'proxy_cookie_flags' configuration command.
References:
===========
CVE-2021-3882 (LedgerSMB)
https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookiehttps://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d/
Reported by:
============
0xdhinu, user of the huntr.dev platform
Patches:
========
index 8dbcacddd..063e44415 100644
--- a/lib/LedgerSMB/Middleware/AuthenticateSession.pm
+++ b/lib/LedgerSMB/Middleware/AuthenticateSession.pm
@@ -209,7 +209,7 @@ sub call {
$dbh->rollback;
$dbh->disconnect;
- my $secure = ($env->{SERVER_PROTOCOL} eq 'https') ? '; Secure' : '';
+ my $secure = ($env->{HTTPS} eq 'ON') ? '; Secure' : '';
my $path = LedgerSMB::PSGI::Util::cookie_path($env->{SCRIPT_NAME});
return Plack::Util::response_cb(
$res, sub {
--
Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.8.22
* Fix sending mail with multiple Bcc addresses (#6087)
* Fix manual taxes on credit invoices (#5721)
* Fix 'Secure' flag on session cookie; CVE-2021-3882
* Improve configuring acceptable reverse proxy addresses
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.22/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.22
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.22
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.22
These are the sha256 checksums of the uploaded files:
583f56c2d303eeb133222467d368a58b5e66ee080040335d3608dfc672aa7316 ledgersmb-1.8.22.tar.gz
15affde0f85b03dd9a1784304958a030fa9b5009df800e093f443bce55c541a0 ledgersmb-1.8.22.tar.gz.asc
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.7.36
* Fix manual taxes on credit invoices (#5721)
* Improve configuring acceptable reverse proxy addresses
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.36/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.36
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.36
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.36
These are the sha256 checksums of the uploaded files:
8c638acc822a43a1ec66268f08c961f5b392b6fadd6069eb6c2462e5b2ce9030 ledgersmb-1.7.36.tar.gz
d85b50e090e99f5917c6d834cb8d54360d56af9dff8b05b4ffff3d4cf9984ccb ledgersmb-1.7.36.tar.gz.asc
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. Through
a week of outstanding teamwork, we're able to bring 15 fixes and
small changes (not all fixes for regressions) in this release.
This release contains the following fixes and improvements:
Changelog for 1.9.1
* Fix license declaration in package.json (gpl-v2.0-or-newer)
* Fix scrollbars in the main window overlapping with real content (#5874)
* Fix 'setup.pl' to work with Safari for creation of new data sets (#6016)
* Fix no payment lines shown after saving invoices and transactions (#6017)
* Fix e-mailed invoices not being sent to Bcc addresses
* Add support for workflow overrides
* Add a list of available e-mail variables for expansion
* Restore e-mail body variable expansion (#6042)
* Add example Chart of Accounts with hierarchy (US General based) (#6057)
* Fix SQL date errors using date formats other than yyyy-mm-dd (#6040)
* Fix default to/cc/bcc addresses not applied to e-mail (#6045)
* Correctly present password experation in preferences (#6067)
* Fix initialization of 'current earnings' setting from CoA XML
* Correctly select the default country on Contact address entry (#6058)
* Correctly set parent of CoA headers when loading from XML (#6068)
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.1/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.1
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.1
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.1
These are the sha256 checksums of the uploaded files:
a705e14658c1729e73478626fee3b7bda123e963d95b506d6a2d6ef1ac926822 ledgersmb-1.9.1.tar.gz
5873f92712243977b5ec50f44560ea89a332c618294d062e14ba888c9b73bec0 ledgersmb-1.9.1.tar.gz.asc
