It has been brought to our attention that a number of security
vulnerabilities have been noted in SQL-Ledger. Several of these
affect earlier versions of LedgerSMB, and three hotfixes have been
released for problems that continue to affect the LedgerSMB codebase.
As always, we highly recommend testing all hotfixes before applying
them to a production environment.

The CVEs mentioned here are the ones attached to SQL-Ledger. Subtle
differences as to how these affect LedgerSMB are noted below.
These vulnerabilities include:
* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)
* SQL Injection (similar to CVE-2009-3582)
* Local File Include (CVE-2009-3583)
* Default Administrator Password Weakness (CVE-2009-4402)
* No secure flag on cookie when (CVE-2009-3584)
For more information including where to download hotfixes, please see the mailing list announcement at: