Source: ledgersmb
Version: 1.6.33+ds-2.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil(a)debian.org, Debian Security Team <team(a)security.debian.org>
Control: found -1 1.6.9+ds-2+deb11u3
Hi,
The following vulnerability was published for ledgersmb.
CVE-2024-23831[0]:
| LedgerSMB is a free web-based double-entry accounting system. When a
| LedgerSMB database administrator has an active session in /setup.pl,
| an attacker can trick the admin into clicking on a link which
| automatically submits a request to setup.pl without the admin's
| consent. This request can be used to create a new user account with
| full application (/login.pl) privileges, leading to privilege
| escalation. The vulnerability is patched in versions 1.10.30 and
| 1.11.9.
If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-23831
    https://www.cve.org/CVERecord?id=CVE-2024-23831
[1] https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-q…
[2] https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c012…
Regards,
Salvatore
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.9.28
* Fix deletion of parts groups (#7363)
* Align invoice/order entry between databases with and without parts (#7374)
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.28/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.28
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.28
Or pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.9.28
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.28
These are the sha256 checksums of the uploaded files:
4b2c0c53de2d80f5fc5ec3f8ee3bea61e5624684ebb1c2d55b2c2472c904a5b4 ledgersmb-1.9.28.tar.gz
ccad27a8f22c25bbea0c5fdef564df325e9c202bd95af5713c4f8c14038b0f49 ledgersmb-1.9.28.tar.gz.asc
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.9.29
* Fix regression since 1.9.27 upgrading old companies while renaming setting
* Fix selection of default AR/AP accounts while importing databases (#7419)
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.29/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.29
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.29
Or pulled from the GitHub Container Registry
$ docker pull ghcr.io/ledgersmb/ledgersmb:1.9.29
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.29
These are the sha256 checksums of the uploaded files:
feaf830ea206b8a0a20a0efab93a5c70ccf29f028bc28f7156b0484ec2f99609 ledgersmb-1.9.29.tar.gz
b49c86e9a6d37f528c4a884357bd9c4954fbdd6b7c27b41ea34c34c348d67d66 ledgersmb-1.9.29.tar.gz.asc
FYI: The status of the ledgersmb source package
in Debian's testing distribution has changed.
Previous version: 1.6.33+ds-2.1
Current version: 1.6.33+ds-2.2
--
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.