Source: ledgersmb
Version: 1.6.9+ds-1
Severity: wishlist
Hi,
Upstream has made numerous new upstream releases since 1.6.9. From
what I can tell there's a 1.8.x branch already.
Please consider packaging new versions.
Chris
Hi all,
Yesterday, I uploaded the first beta for LedgerSMB 1.9.0
(ledgersmb-1.9.0-beta1). This release is available for download from
https://download.ledgersmb.org/f/Beta%20Releases/1.9.0-beta1/
Or as a docker image with the command
$ docker pull ledgersmb/ledgersmb:1.9.0-beta1
This beta is a feature complete version of ledgersmb-1.9.0 made available
for testing and evaluation. Please send any bug reports, questions or
surprises to the developers mailing list at devel(a)lists.ledgersmb.org or
create an issue in the GitHub Issue tracker at
https://github.com/ledgersmb/LedgerSMB/issues
The 1.9.0 release has an impressive list of changes, available in the
Changelog file at
https://github.com/ledgersmb/LedgerSMB/blob/master/Changelog#L6-L90; if
you have any questions regarding the items listed, please feel free to join
the LedgerSMB chat channel at
https://app.element.io/#/room/#ledgersmb:matrix.org or post your question
to the developers mailing list.
--
Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
Source: ledgersmb
Version: 1.6.9+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil(a)debian.org, Debian Security Team <team(a)security.debian.org>
Control: found -1 1.6.9+ds-1
Control: fixed -1 1.6.9+ds-1+deb10u2
Control: fixed -1 1.6.9+ds-2+deb11u2
Hi,
The following vulnerabilities were published for ledgersmb.
CVE-2021-3693[0]:
| LedgerSMB does not check the origin of HTML fragments merged into the
| browser's DOM. By sending a specially crafted URL to an authenticated
| user, this flaw can be abused for remote code execution and
| information disclosure.
CVE-2021-3694[1]:
| LedgerSMB does not sufficiently HTML-encode error messages sent to the
| browser. By sending a specially crafted URL to an authenticated user,
| this flaw can be abused for remote code execution and information
| disclosure.
CVE-2021-3731[2]:
| LedgerSMB does not sufficiently guard against being wrapped by other
| sites, making it vulnerable to 'clickjacking'. This allows an attacker
| to trick a targeted user to execute unintended actions.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-3693
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3693
[1] https://security-tracker.debian.org/tracker/CVE-2021-3694
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3694
[2] https://security-tracker.debian.org/tracker/CVE-2021-3731
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3731
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
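A response-header check for the clickjacking class of issue described in CVE-2021-3731 above, added here as an example and not LedgerSMB's own code or its actual fix: it classifies how an HTTP response restricts being framed, using constructed sample headers rather than anything captured from a LedgerSMB instance.

```python
"""Classify how an HTTP response restricts being framed by other sites.
Browsers honour CSP 'frame-ancestors' over X-Frame-Options when both are
present; X-Frame-Options is the fallback for older clients."""
from typing import Mapping, Optional

def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of a header value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def frame_ancestors(csp: str) -> Optional[list]:
    """Return the frame-ancestors source list, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def framing_policy(headers: Mapping[str, str]) -> str:
    """Return 'denied', 'same-origin', 'restricted' or 'unrestricted'."""
    csp = _header(headers, "Content-Security-Policy")
    sources = frame_ancestors(csp) if csp is not None else None
    if sources is not None:
        if not sources or sources == ["none"]:  # empty list means 'none'
            return "denied"
        if sources == ["self"]:
            return "same-origin"
        return "restricted"  # explicit allow-list of other origins
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "denied"
        if value == "SAMEORIGIN":
            return "same-origin"
    # No directive, or the obsolete ALLOW-FROM that browsers ignore.
    return "unrestricted"

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"x-frame-options": "sameorigin"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "both": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'self'"},
}
```

Run `framing_policy` over the headers of a live response; anything reported as "unrestricted" can be embedded by an arbitrary site.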
Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:
Changelog for 1.8.19
* Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments
* Follow-up for the fix to CVE-2021-3693; fix incorrectly backported change
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.19/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.19
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.19
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.19
These are the sha256 checksums of the uploaded files:
4f818690b39a974680c6264727ddf3ab445a5db780294cad407869d54ed1fb0c ledgersmb-1.8.19.tar.gz
ffc79cb40181b2cf94fcda63afdfaa2b63fd1703502a86f4bbb76a7bfdcb37a0 ledgersmb-1.8.19.tar.gz.asc