LedgerSMB

Screenshots for 1.9 ehu Thu, 10/21/2021 - 23:36 Topic Screenshots Release 1.9 ... [More] [Less]

Screenshots for 1.9 ehu Thu, 10/21/2021 - 23:36 Topic Screenshots Release 1.9 ... [More] [Less]

Screenshots for 1.9 ehu Thu, 10/21/2021 - 23:36 Topic Screenshots Release 1.9 ... [More] [Less]

1.9.2 Released Security release No LedgerSMB_Team Tue, 10/12/2021 - 13:53 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.9.2/ ... [More] The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.9.2 * Fix sending mail with multiple Bcc addresses (#6087) * Fix manual taxes on credit invoices (#5721) * Add missing account configuration on Sales account (#6100) * Fix Update clobbering invoice header data (e.g. fx rate) (#6114) For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.9.2/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.9.2 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.2 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.9.2 These are the sha256 checksums of the uploaded files: 73a5006669cbb177c732602ecbf9f85c3b11d8171eeecebcc0cf933eca9f7c02 ledgersmb-1.9.2.tar.gz 50c09dd7652d6054189e82d5e1f37b4b1bca19467f7a14fc54a68ff80dcb7deb ledgersmb-1.9.2.tar.gz.asc Release 1.9 [Less]

1.9.2 Released Security release No LedgerSMB_Team Tue, 10/12/2021 - 13:53 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.9.2/ ... [More] The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.9.2 * Fix sending mail with multiple Bcc addresses (#6087) * Fix manual taxes on credit invoices (#5721) * Add missing account configuration on Sales account (#6100) * Fix Update clobbering invoice header data (e.g. fx rate) (#6114) For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.9.2/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.9.2 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.9.2 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.9.2 These are the sha256 checksums of the uploaded files: 73a5006669cbb177c732602ecbf9f85c3b11d8171eeecebcc0cf933eca9f7c02 ledgersmb-1.9.2.tar.gz 50c09dd7652d6054189e82d5e1f37b4b1bca19467f7a14fc54a68ff80dcb7deb ledgersmb-1.9.2.tar.gz.asc Release 1.9 [Less]

1.8.22 Released Security release No LedgerSMB_Team Tue, 10/12/2021 - 13:36 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.8.22/ ... [More] The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.8.22 * Fix sending mail with multiple Bcc addresses (#6087) * Fix manual taxes on credit invoices (#5721) * Fix 'Secure' flag on session cookie; CVE-2021-3882 * Improve configuring acceptable reverse proxy addresses For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.8.22/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.8.22 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.22 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.8.22 These are the sha256 checksums of the uploaded files: 583f56c2d303eeb133222467d368a58b5e66ee080040335d3608dfc672aa7316 ledgersmb-1.8.22.tar.gz 15affde0f85b03dd9a1784304958a030fa9b5009df800e093f443bce55c541a0 ledgersmb-1.8.22.tar.gz.asc Release 1.8 [Less]

1.8.22 Released Security release No LedgerSMB_Team Tue, 10/12/2021 - 13:36 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.8.22/ ... [More] The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.8.22 * Fix sending mail with multiple Bcc addresses (#6087) * Fix manual taxes on credit invoices (#5721) * Fix 'Secure' flag on session cookie; CVE-2021-3882 * Improve configuring acceptable reverse proxy addresses For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.8.22/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.8.22 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.22 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.8.22 These are the sha256 checksums of the uploaded files: 583f56c2d303eeb133222467d368a58b5e66ee080040335d3608dfc672aa7316 ledgersmb-1.8.22.tar.gz 15affde0f85b03dd9a1784304958a030fa9b5009df800e093f443bce55c541a0 ledgersmb-1.8.22.tar.gz.asc Release 1.8 [Less]

1.7.36 Released Security release No LedgerSMB_Team Tue, 10/12/2021 - 12:54 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.7.36/ ... [More] The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.7.36 * Fix manual taxes on credit invoices (#5721) * Improve configuring acceptable reverse proxy addresses For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.7.36/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.7.36 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.36 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.7.36 These are the sha256 checksums of the uploaded files: 8c638acc822a43a1ec66268f08c961f5b392b6fadd6069eb6c2462e5b2ce9030 ledgersmb-1.7.36.tar.gz d85b50e090e99f5917c6d834cb8d54360d56af9dff8b05b4ffff3d4cf9984ccb ledgersmb-1.7.36.tar.gz.asc Release 1.7 [Less]

1.7.36 Released Security release No LedgerSMB_Team Tue, 10/12/2021 - 12:54 Release candidate No Download https://download.ledgersmb.org/f/Releases/1.7.36/ ... [More] The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.7.36 * Fix manual taxes on credit invoices (#5721) * Improve configuring acceptable reverse proxy addresses For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.7.36/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.7.36 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.36 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.7.36 These are the sha256 checksums of the uploaded files: 8c638acc822a43a1ec66268f08c961f5b392b6fadd6069eb6c2462e5b2ce9030 ledgersmb-1.7.36.tar.gz d85b50e090e99f5917c6d834cb8d54360d56af9dff8b05b4ffff3d4cf9984ccb ledgersmb-1.7.36.tar.gz.asc Release 1.7 [Less]

Security advisory for CVE-2021-3882 (non-Secure session cookie) ehu Tue, 10/12/2021 - 11:41   Sensitive Cookie in HTTPS Session Without 'Secure' Attribute Summary   LedgerSMB does not set the 'Secure' attribute on the session ... [More] authorization   cookie when the client uses HTTPS and the LedgerSMB server is behind a   reverse proxy.  By tricking a user to use an unencrypted connection (HTTP),   an attacker may be able to obtain the authentication data by capturing   network traffic. Known vulnerable   All of:   - 1.8.0 upto 1.8.21 (including) Known fixed   - 1.8.22 Details   LedgerSMB 1.8 and newer switched from Basic authentication to using cookie   authentication with encrypted cookies.  Although an attacker can't access   the information inside the cookie, nor the password of the user, possession   of the cookie is enough to access the application as the user from which the   cookie has been obtained.   In order for the attacker to obtain the cookie, first of all the server   must be configured to respond to unencrypted requests, the attacker must be   suitably positioned to eavesdrop on the network traffic between the client   and the server *and* the user must be tricked into using unencrypted HTTP   traffic.   Proper audit control and separation of duties limit Integrity impact of   the attack vector.   Severity   CVSSv3.1 Base Score: 5.9 (Medium)   CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N Recommendations   Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users   of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need   to take action.   As a workaround, users may configure their Apache or Nginx reverse proxy   to add the Secure attribute at the network boundary instead of relying on   LedgerSMB.   For Apache, please refer to the 'Header always edit' configuration command   in the mod_headers module.   For Nginx, please refer to the 'proxy_cookie_flags' configuration command. References   CVE-2021-3882  (LedgerSMB)   https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie   https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d/   Reported by   0xdhinu, user of the huntr.dev platform   Attachments File CVE-2021-3882.patch_.txt Topic Security advisory Release 1.8 [Less]