- users - lists.freelock.com

Fwd: [CRITICAL ALERT: ACT NOW] Critical vulnerabilities in GitLab Products
by Howard Lowndes 12 Feb '24

12 Feb '24

Is this security alert of any interest. ---------- Forwarded message --------- From: ACSC Alerts <alerts.acsc(a)contact.cyber.gov.au> Date: Mon, 15 Jan 2024, 18:16 Subject: [CRITICAL ALERT: ACT NOW] Critical vulnerabilities in GitLab Products To: <howard.lowndes(a)gmail.com> [image: High Alert - Act Quickly] 15 January 2024 Dear ASD's ACSC Alert Service subscriber This Alert is relevant to Australians who use GitLab on any platform. These vulnerabilities impact the versions listed below: - 16.1 to 16.1.5 - 16.2 to 16.2.8 - 16.3 to 16.3.6 - 16.4 to 16.4.4 - 16.5 to 16.5.5 - 16.6 to 16.6.3 - 16.7 to 16.7.1 This alert is intended to be understood by all users. Customers are encouraged to patch to the latest version using the GitLab upgrade path and to enforce multi-factor authentication for all GitLab accounts*.* *Background / What’s happened?* - GitLab has posted a security advisory and patch to address several vulnerabilities, the most severe of which is CVE-2023-7028. - CVE-2023-7028 allows an account take over via the ability to have password reset emails delivered to an unauthenticated email address. - Multi-factor authentication should be enabled immediately for all GitLabs users, and self-managed instances should be upgraded to the latest version as soon as possible. - Users with multi-factor authentication already enabled may be impacted by a password reset, however an attacker would not be able to take over their account using this vulnerability. - GitLab is not aware of any active exploitation of this vulnerability which was discovered via their Bug Bounty program. *Affected versions / applications:* - CVE-2023-7028: This vulnerability impacts all versions of GitLab CC/EE from 16.1 to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 - The security release also addresses CVE-2023-5356, CVE-2023-4812, CVE2023-6955 and CVE-2023-2030. *Mitigation / How do I stay secure?* - Multi-factor authentication should be enabled immediately for all GitLabs users. - Self-managed instances should be upgraded to the latest version as soon as possible. GitLab advises managed instances have now all had the patch applied. - Further information and details to investigate potential compromise can be found in the GitLab Security release linked below: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitl… *Assistance / Where can I go for help?* Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371) <%201300%20292%20371>. *Read this alert on the website: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/cr… <https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/cr…> <https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ci…>* *Are you a victim of cybercrime? Visit ReportCyber <https://www.cyber.gov.au/report-and-recover/report> to take your next steps.* *We use hyperlinks to give you more information. If you don't want to click hyperlinks, you can search for the information on ASD's ACSC Website.* *CONTACT US* Web: https://www.cyber.gov.au <https://www.cyber.gov.au/about-us/about-acsc/contact-us> X (Twitter): https://twitter.com/CyberGovAU Facebook: https://www.facebook.com/cybergovau LinkedIn: https://www.linkedin.com/company/australian-cyber-security-centre [image: Facebook] <https://www.facebook.com/cybergovau> [image: Twitter] <https://twitter.com/cybergovau> [image: YouTube] <https://www.youtube.com/channel/UChO_bPg4QOWxSOzH4OYw3Tg/featured> [image: LinkedIn] <https://www.linkedin.com/company/australian-cyber-security-centre> Was this alert helpful? * Yes <https://www.cyber.gov.au/asf?alert_subject=Critical%20vulnerabilities%20in%…>* | *No <https://www.cyber.gov.au/asf?alert_subject=Critical%20vulnerabilities%20in%…>* You are receiving this message at the address howard.lowndes(a)gmail.com If you no longer wish to receive this information, you can unsubscribe <https://p-2581519.secure.force.com/dc/t/gobal-email-opt-out/cgndc6moogvrzyn…>

2 2

LedgerSMB Community overview 2023
by Erik Huelsmann 10 Feb '24

10 Feb '24

As the year-end approaches, it's time to provide an overview of what our community has achieved over the past year. At the end of last year, I wished everybody a healthy and prosperous 2023 and now is a time to look back and see how we did. == Community interest == After years of decline in the number of hits on our website, last year saw an unexpected upswing in hits. Unfortunately, it didn't last long: this year hits dropped again. The increase in number of Stars and Forks on GitHub (Stars went up from 304 on 16 January 2022 to 348 today - in line with the increase last year), we can conclude that there is still interest in the project. This is supported by the fact that we see new people attend the ledgersmb chat channel on Matrix, with many contributing their bugs and experience. == Releases == With the release of 1.11.0 on 03 October 2023, we realized our goal to release 1.11 in the second half of the year, close to a year after 1.10. With releases in the third quarter, we aim to provide mature software before year-end -- when most companies close their books. Despite the short release cycle, we were able to include a sizeable list of new functionalities, changes and (code) cleanups through 806 commits, 711 files changed, 234,664 added lines and 162,575 removed lines of code (and comments) between 1.10.0 and 1.11.0. With 34 releases across 3 maintenance branches in 2023, the project was able to increase the pace of 2022 (which had 37 releases across *4* branches): 1.9 (8): 1.9.23 - 1.9.30 1.10 (19): 1.10.9 - 1.10.27 1.11 (7): 1.11.0 - 1.11.6 Which excludes the alpha, beta and release candidate releases. == Development progress == This year saw lower numbers of commits than last year. Although the number of commits was lower, the number of pull requests (720) is higher than last year (620) but still lower than the year before (827). The number of active developers - derived from accepted commits - went was lower than last year (7) by 1 (6 this year). This year, too, we were able to close a number of long-standing bugs/issues, continuing last year's focus to close as many issues as possible in the 7-year-and-older range: * #1346: Barcode entry on the invoice screen broken (regressed in 2016) * #2657: Upgrades may fail for 1.3."not latest" to 1.5+ * #2661: Empty inventory reports not showing in search results All from 2017 and 2016, just to name a few. Project commits on all branches (excluding merges): 672 Erik Huelsmann 72 Yves Lavoie 15 Aung Zaw Win 6 Christian Eriksson 6 Neil Tiffin 1 John Locke By comparison, these are the figures for 2022: 927 Erik Huelsmann* 132 Yves Lavoie* 10 Aung Zaw Win* 6 Neil Tiffin* 5 Jeff Shelley* 3 Hugh Esco 2 Chris Travers Please note that the number of commits is in no way a measure of time spent on the project. Also note that these numbers don't include the time spent by those taking the effort to report their problems and taking the time to respond to developer questions as well as helping to test solutions when developers think they solved the problem. Similarly, there was a lot of activity with respect to issues: Number of open issues at 2023-01-01: 148 of which remain open today: 99 Issues closed: 114 of which created before 2023-01-01: 49 Issues created: 85 of which still open: 20 Number of open issues today: 119 This amount of development activity triggers many CI/CD jobs. To run our test workloads, we have been using GitHub Actions as well as CircleCI, each set up to test different aspects. The main thing in the 1.12 Changelog that we spent time on which hasn't been released as part of 1.11 is the migration experience from 1.3 through 1.7 to 1.12. Areas that we're currently spending time on, include: * Implementation of an API to create orders along the same lines as the invoices API * Documentation of the status quo of the code base in Architecture Decision Records (ADRs) The 148 issues that are open today summarize into these statistics: * 5 bite-sized: issue ideal to start with our code base * 5 help-wanted: these are issues we need someone to get involved * 5 sponor-wanted: these will be developed when someone helps out by footing bills * 61 type:enhancement: generally requests for new or improved features (Note that an issue may fall into more than one category or none at all.) == New functionality and improvements == 1.11 improves on 1.10's use of workflows to manage invoices and orders, moving GL transactions to the same infrastructure. At the same time, it's banking on the new functionality to consistently and predictably show buttons for available actions on orders, invoices and transactions. The same functionality is what enables the higher granularity document action history that 1.11 features. == Looking forward to 2024 == In 2024, we'll likely release 1.12 around the third quarter; again in a release cycle a bit shorter than a year. This year the 1.10 release branch will reach End-Of-Life status on 08 October. And last but not least, I'm hoping for 1 or 2 new contributors (not necessarily developers; translators, testers, documentation writers or UI artists are all greatly appreciated!). If you want to contribute, but don't know where to start, please contact me. == In closing == Thanks to everybody who contributed to any of the above in any way, especially to Neil Tiffin for taking the time to discuss (and thereby sharpen) planned changes Computerisms.ca for hosting our DNS Freelock.com for hosting our website and mailing lists Efficito.com for hosting our mailing list archive, apt repository, release and download server GitHub.com, CircleCI and coveralls.io for hosting our development workflow My special personal thanks go to my GitHub Sponsors for supporting me for time, efforts and (financial) resources dedicated to the project! Leaves me only to wish everybody in our community - and their loved ones - happy holidays and a safe and productive 2024! -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.

1 0

LedgerSMB 1.10.29 released
by Erik Huelsmann 05 Feb '24

05 Feb '24

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.10.29 * Fix formatting of amounts in AR/AP search results (#7896) * Explicitly set foreground color on dark backgrounds in blue theme (#7875) For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.10.29/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.10.29 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.29 Docker images have been published for ARMv7 (32-bit), ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64. These can be pulled from the GitHub Container Registry $ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.29 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.10.29 These are the sha256 checksums of the uploaded files: 16ea9b92f180fa6be32b9c64e33506322582bfb64352d5cde73675ae91a61ec9 ledgersmb-1.10.29.tar.gz b179b2468fafdeb3127a440e281c0515788973321f031f89105ce30cfebbbb23 ledgersmb-1.10.29.tar.gz.asc

1 0

LedgerSMB 1.10.31 released
by Erik Huelsmann 02 Feb '24

02 Feb '24

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the fix for security vulnerability CVE-2024-23831 which allows an attacker to create a user by tricking a setup.pl admin into clicking on a specifically crafted link. See more about this CVE on https://ledgersmb.org/cve-2024-23831-setup-csrf. Changelog for 1.10.31 * Fix GL transaction entry regressed from 1.10.29 (#7984) Changelog for 1.10.30 * Add missing batch and entity sequences to the Defaults screen (#7965) * Stop warning during startup without configuration file (#7928) * CVE-2024-23831: CSRF attack on 'setup.pl' For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.10.31/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.10.31 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.31 Docker images have been published for ARMv7 (32-bit), ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64. These can be pulled from the GitHub Container Registry $ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.31 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.10.31 These are the sha256 checksums of the uploaded files: 15920bbe05a6e37ee9f4d7fe408adb587a20ae0e8c052f20df1e2909b4c7bc51 ledgersmb-1.10.31.tar.gz e03aeecd9087bbc25673bd13ec78962509f3b265886bb0a44949bde311cb06bc ledgersmb-1.10.31.tar.gz.asc

1 0

[SECURITY] Security advisory for CVE-2024-23831 (CSRF attack on setup.pl)
by Erik Huelsmann 02 Feb '24

02 Feb '24

On January 18 2024, the LedgerSMB project was advised of a security vulnerability in the code. Please see below our security advisory. Privilege escalation through CSRF attack on 'setup.pl' Summary: ======== When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. Known vulnerable: ================= All of: - 1.3.0 up to 1.3.47 (including) - 1.4.0 up to 1.4.42 (including) - 1.5.0 up to 1.5.30 (including) - 1.6.0 up to 1.6.33 (including) - 1.7.0 up to 1.7.32 (including) - 1.8.0 up to 1.8.31 (including) - 1.9.0 up to 1.9.30 (including) - 1.10.0 up to 1.10.29 (including) - 1.11.0 up to 1.11.8 (including) Known fixed: ============ - 1.10.30 - 1.11.9 Details: ======== CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf [^1]. To successfully perform the attack, an attacker needs to know the name of the database for which they want to create a user. That is: in case LedgerSMB is used to maintain multiple company administrations, multiple attacks need to be performed to gain access to all of them. A single attack will gain access to a single company only, however, if companies share users, the attacker can use those to gain access to the other companies with the rights of the affected user accounts. In this specific attack, the victim must be an administrator of /setup.pl with an active session. It should be noted that the resulting user does *not* have full access to /setup.pl, but *does* have full access to /login.pl for a single company. This means that the resulting user can therefore *not* be used to create database backups, however the attack itself can be used by the attacker to perform any action supported by setup.pl. [^1]: https://owasp.org/www-community/attacks/csrf Severity: ========= CVSSv3.1 Base Score: 7.5 (HIGH) CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSSv3.1 Base Score & Vector (with temporal score): 6.7 (MEDIUM) CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/… Recommendations: ================ We recommend all users to upgrade to known-fixed versions. Versions prior to 1.10 are end-of-life and will not receive security fixes from the LedgerSMB project. Users who cannot upgrade their 1.10 and 1.11 versions, may apply the included patches or are advised to contact a vendor for custom support. As a workaround, installations may choose not to expose and use /setup.pl, instead using the command line application "ledgersmb-admin" to perform administrative tasks. Password resets can be performed with regular /login.pl functionality or through PostgreSQL's "psql" command line tool. References: =========== CVE-2024-23831 (LedgerSMB) https://ledgersmb.org/cve-2024-23831-setup-csrf https://twelvesec.com/2024/02/02/cve-2024-23831 Reported by: ============ Georgios Roumeliotis (TwelveSec [twelvesec.com] -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.

1 0

LedgerSMB 1.11.8 released
by Erik Huelsmann 29 Jan '24

29 Jan '24

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.11.8 * Fix changing Taxform checkmark after posting AR/AP transactions (#7894) * Restore customer/vendor name on PNL drilldown after GL column change (#7895) * Fix formatting of amounts on AR/AP search results (#7896) * Fix import of CoA csv with non-empty 'links' field (#7912) * Explicitly set foreground color on dark backgrounds in blue theme (#7875) * Fix screens, e.g. contacts, impacted by rename of 'action' parameter (#7918) For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.11.8/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.11.8 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.11.8 Docker images have been published for ARMv7 (32-bit), ARM64 (also known as ARMv8, e.g. RPi 3+) and AMD64. These can be pulled from the GitHub Container Registry $ docker pull ghcr.io/ledgersmb/ledgersmb:1.11.8 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.11.8 These are the sha256 checksums of the uploaded files: 3a89187095ea6909c55d546776c25dacdbf63b980c43832c17031ac6dfea9c37 ledgersmb-1.11.8.tar.gz d832600caebe88b5dc39d4220e10e25ad912c037d7305d486ffa2e37f0e3d9a6 ledgersmb-1.11.8.tar.gz.asc

1 0

Fwd: "Create new work flow"
by Howard Lowndes 24 Jan '24

24 Jan '24

---------- Forwarded message --------- From: Howard Lowndes <howard.lowndes(a)gmail.com> Date: Wed, 13 Dec 2023, 21:45 Subject: "Create new work flow" To: LedgerSMB <users(a)lists.ledgersmb.org> Version 1.11.4 On Sales Invoice, Credit Invoice, Vendor Invoice, Debit Invoice, in the lower part of the screen there is a small section "Create new workflow". One of the preset items is the date and time. I notice that it is putting in the UTC date and time and not the locale date and time. Is there a system setting that I have missed or should I be reporting this as a bug along with Issue #7801? Regards, -- Howard. -- When you want a computer system that works, just choose Linux; When you want a computer system that works, just, choose Microsoft.

1 0

Fwd: Setting up Inventory and Services in 1.11.4
by Howard Lowndes 12 Jan '24

12 Jan '24

---------- Forwarded message --------- From: Howard Lowndes <howard.lowndes(a)gmail.com> Date: Wed, 13 Dec 2023, 17:06 Subject: Setting up Inventory and Services in 1.11.4 To: LedgerSMB <users(a)lists.ledgersmb.org> Ref the subject, there is quite apparently a hierarchy involved in structuring the Chart of Accounts prior to being permitted to input actual parts or services. So the questions are: What is the hierarchy? Is there any doco I should be looking for? TIA, -- Howard. -- When you want a computer system that works, just choose Linux; When you want a computer system that works, just, choose Microsoft.

1 0

LedgerSMB 1.10.28 released
by Erik Huelsmann 31 Dec '23

31 Dec '23

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.10.28 * Retain partsgroup selection on Update in parts screen (#7848) * Fix missing columns on trial balance 'Ending' report type (#7870) For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.10.28/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.10.28 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.10.28 Docker images have been published for ARMv7 (32-bit, e.g. Raspberry Pi (RPi) 3 and 400), ARM64 (e.g. RPi 4) and AMD64. These can be pulled from the GitHub Container Registry: $ docker pull ghcr.io/ledgersmb/ledgersmb:1.10.28 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.10.28 These are the sha256 checksums of the uploaded files: 27d784cfb109ade19011297771a3a1143c97e132acc36f60421f2bd2ece646d0 ledgersmb-1.10.28.tar.gz ccd33e5c7feb59544a4c24754a0c7c764e7eb42b20ef13536e90f9f33749020c ledgersmb-1.10.28.tar.gz.asc

1 0

[ANNOUNCE] Docker images for ARM architectures (including Raspberry Pi)
by Erik Huelsmann 22 Dec '23

22 Dec '23

LS, Today, new 1.11.6 images were pushed (1.11.6-2) with several improvements: - New supported architectures "arm/v7" and "arm64" have been built and published, meaning that our Docker images can now be run on Raspberry Pi (RPi) 3 and RPi 400 (both arm/v7 devices) as well as RPi4 and up (arm64 devices) - When setting the LSMB_MAIL_SMTPHOST environment variable to the special value "__CONTAINER_GATEWAY__", the container dynamically figures out the subnet gateway IP address and configures this as the SMTPHOST address. Before this change, the SMTPHOST address defaulted to 172.17.0.1 which is the gateway on the default Docker network, which doesn't work when using the image with docker-compose -- the recommended way of running LedgerSMB containers Please provide us feedback with respect to our Docker images either on the users@ mailing list or by filing an issue at https://github.com/ledgersmb/ledgersmb-docker/issues. Regards, -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.

1 0