Posted
over 2 years
ago
by
ehu
Screenshots for 1.9
ehu
Thu, 10/21/2021 - 23:36
Topic
Screenshots
Release
1.9
... [More]
[Less]
|
Posted
over 2 years
ago
by
ehu
Screenshots for 1.9
ehu
Thu, 10/21/2021 - 23:36
Topic
Screenshots
Release
1.9
... [More]
[Less]
|
Posted
over 2 years
ago
by
ehu
Screenshots for 1.9
ehu
Thu, 10/21/2021 - 23:36
Topic
Screenshots
Release
1.9
... [More]
[Less]
|
Posted
over 2 years
ago
by
LedgerSMB_Team
1.9.2 Released
Security release
No
LedgerSMB_Team
Tue, 10/12/2021 - 13:53
Release candidate
No
Download
https://download.ledgersmb.org/f/Releases/1.9.2/
... [More]
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.9.2
* Fix sending mail with multiple Bcc addresses (#6087)
* Fix manual taxes on credit invoices (#5721)
* Add missing account configuration on Sales account (#6100)
* Fix Update clobbering invoice header data (e.g. fx rate) (#6114)
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.2/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.2
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.2
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.2
These are the sha256 checksums of the uploaded files:
73a5006669cbb177c732602ecbf9f85c3b11d8171eeecebcc0cf933eca9f7c02 ledgersmb-1.9.2.tar.gz
50c09dd7652d6054189e82d5e1f37b4b1bca19467f7a14fc54a68ff80dcb7deb ledgersmb-1.9.2.tar.gz.asc
Release
1.9
[Less]
|
Posted
over 2 years
ago
by
LedgerSMB_Team
1.9.2 Released
Security release
No
LedgerSMB_Team
Tue, 10/12/2021 - 13:53
Release candidate
No
Download
https://download.ledgersmb.org/f/Releases/1.9.2/
... [More]
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.9.2
* Fix sending mail with multiple Bcc addresses (#6087)
* Fix manual taxes on credit invoices (#5721)
* Add missing account configuration on Sales account (#6100)
* Fix Update clobbering invoice header data (e.g. fx rate) (#6114)
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.9.2/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.9.2
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.2
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.9.2
These are the sha256 checksums of the uploaded files:
73a5006669cbb177c732602ecbf9f85c3b11d8171eeecebcc0cf933eca9f7c02 ledgersmb-1.9.2.tar.gz
50c09dd7652d6054189e82d5e1f37b4b1bca19467f7a14fc54a68ff80dcb7deb ledgersmb-1.9.2.tar.gz.asc
Release
1.9
[Less]
|
Posted
over 2 years
ago
by
LedgerSMB_Team
1.8.22 Released
Security release
No
LedgerSMB_Team
Tue, 10/12/2021 - 13:36
Release candidate
No
Download
https://download.ledgersmb.org/f/Releases/1.8.22/
... [More]
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.8.22
* Fix sending mail with multiple Bcc addresses (#6087)
* Fix manual taxes on credit invoices (#5721)
* Fix 'Secure' flag on session cookie; CVE-2021-3882
* Improve configuring acceptable reverse proxy addresses
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.22/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.22
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.22
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.22
These are the sha256 checksums of the uploaded files:
583f56c2d303eeb133222467d368a58b5e66ee080040335d3608dfc672aa7316 ledgersmb-1.8.22.tar.gz
15affde0f85b03dd9a1784304958a030fa9b5009df800e093f443bce55c541a0 ledgersmb-1.8.22.tar.gz.asc
Release
1.8
[Less]
|
Posted
over 2 years
ago
by
LedgerSMB_Team
1.8.22 Released
Security release
No
LedgerSMB_Team
Tue, 10/12/2021 - 13:36
Release candidate
No
Download
https://download.ledgersmb.org/f/Releases/1.8.22/
... [More]
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.8.22
* Fix sending mail with multiple Bcc addresses (#6087)
* Fix manual taxes on credit invoices (#5721)
* Fix 'Secure' flag on session cookie; CVE-2021-3882
* Improve configuring acceptable reverse proxy addresses
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.22/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.8.22
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.22
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.8.22
These are the sha256 checksums of the uploaded files:
583f56c2d303eeb133222467d368a58b5e66ee080040335d3608dfc672aa7316 ledgersmb-1.8.22.tar.gz
15affde0f85b03dd9a1784304958a030fa9b5009df800e093f443bce55c541a0 ledgersmb-1.8.22.tar.gz.asc
Release
1.8
[Less]
|
Posted
over 2 years
ago
by
LedgerSMB_Team
1.7.36 Released
Security release
No
LedgerSMB_Team
Tue, 10/12/2021 - 12:54
Release candidate
No
Download
https://download.ledgersmb.org/f/Releases/1.7.36/
... [More]
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.7.36
* Fix manual taxes on credit invoices (#5721)
* Improve configuring acceptable reverse proxy addresses
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.36/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.36
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.36
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.36
These are the sha256 checksums of the uploaded files:
8c638acc822a43a1ec66268f08c961f5b392b6fadd6069eb6c2462e5b2ce9030 ledgersmb-1.7.36.tar.gz
d85b50e090e99f5917c6d834cb8d54360d56af9dff8b05b4ffff3d4cf9984ccb ledgersmb-1.7.36.tar.gz.asc
Release
1.7
[Less]
|
Posted
over 2 years
ago
by
LedgerSMB_Team
1.7.36 Released
Security release
No
LedgerSMB_Team
Tue, 10/12/2021 - 12:54
Release candidate
No
Download
https://download.ledgersmb.org/f/Releases/1.7.36/
... [More]
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.7.36
* Fix manual taxes on credit invoices (#5721)
* Improve configuring acceptable reverse proxy addresses
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.36/README.md
The release can be downloaded from our download site at
https://download.ledgersmb.org/f/Releases/1.7.36
The release can be downloaded from GitHub at
https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.36
Or pulled from Docker Hub using the command
$ docker pull ledgersmb/ledgersmb:1.7.36
These are the sha256 checksums of the uploaded files:
8c638acc822a43a1ec66268f08c961f5b392b6fadd6069eb6c2462e5b2ce9030 ledgersmb-1.7.36.tar.gz
d85b50e090e99f5917c6d834cb8d54360d56af9dff8b05b4ffff3d4cf9984ccb ledgersmb-1.7.36.tar.gz.asc
Release
1.7
[Less]
|
Posted
over 2 years
ago
by
ehu
Security advisory for CVE-2021-3882 (non-Secure session cookie)
ehu
Tue, 10/12/2021 - 11:41
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Summary
LedgerSMB does not set the 'Secure' attribute on the session
... [More]
authorization
cookie when the client uses HTTPS and the LedgerSMB server is behind a
reverse proxy. By tricking a user to use an unencrypted connection (HTTP),
an attacker may be able to obtain the authentication data by capturing
network traffic.
Known vulnerable
All of:
- 1.8.0 upto 1.8.21 (including)
Known fixed
- 1.8.22
Details
LedgerSMB 1.8 and newer switched from Basic authentication to using cookie
authentication with encrypted cookies. Although an attacker can't access
the information inside the cookie, nor the password of the user, possession
of the cookie is enough to access the application as the user from which the
cookie has been obtained.
In order for the attacker to obtain the cookie, first of all the server
must be configured to respond to unencrypted requests, the attacker must be
suitably positioned to eavesdrop on the network traffic between the client
and the server *and* the user must be tricked into using unencrypted HTTP
traffic.
Proper audit control and separation of duties limit Integrity impact of
the attack vector.
Severity
CVSSv3.1 Base Score: 5.9 (Medium)
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Recommendations
Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users
of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need
to take action.
As a workaround, users may configure their Apache or Nginx reverse proxy
to add the Secure attribute at the network boundary instead of relying on
LedgerSMB.
For Apache, please refer to the 'Header always edit' configuration command
in the mod_headers module.
For Nginx, please refer to the 'proxy_cookie_flags' configuration command.
References
CVE-2021-3882 (LedgerSMB)
https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie
https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d/
Reported by
0xdhinu, user of the huntr.dev platform
Attachments
File
CVE-2021-3882.patch_.txt
Topic
Security advisory
Release
1.8
[Less]
|