The LedgerSMB core team has released 1.2.24, which corrects three issues:
1) Filenames broken in batch printing.
2) LedgerSMB not running properly with Suexec.
3) A SQL injection issue, assessed as non-exploitable, in a stored procedure
used to manage custom fields in the database. The procedure is designed to
be run from a general-purpose SQL console such as psql or pgAdmin III, and it
runs with the permissions of the user invoking it (PostgreSQL's default
SECURITY INVOKER behaviour, not SECURITY DEFINER). Unless locally written
code passes untrusted input to it, it therefore poses no privilege-escalation
issue and does not allow application users to run SQL queries they could not
already run directly against the database.
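To make the reasoning in item 3 concrete, here is an added PL/pgSQL illustration; it is not LedgerSMB's actual procedure, and the table and function names (invoice_extra, add_custom_field_unsafe, add_custom_field) are made up. It shows the kind of string concatenation that makes dynamic DDL injectable, the quote_ident() hardening, why the injection buys nothing under SECURITY INVOKER, and the catalog query that tells you whether a similar bug in your own database would be an escalation.

```sql
-- Added illustration (not LedgerSMB's own code): a hypothetical custom-field
-- procedure, first with the concatenation that makes it injectable, then
-- hardened with quote_ident(). All names here are assumptions.

-- Constructed sample table standing in for one that takes custom fields.
CREATE TABLE invoice_extra (id serial PRIMARY KEY);

-- Injectable form: caller-supplied identifiers are spliced into the statement.
CREATE OR REPLACE FUNCTION add_custom_field_unsafe(in_table text, in_field text)
RETURNS void AS $$
BEGIN
    EXECUTE 'ALTER TABLE ' || in_table || ' ADD COLUMN ' || in_field || ' text';
END;
$$ LANGUAGE plpgsql;   -- SECURITY INVOKER is the default: runs as the caller

-- Hardened form: quote_ident() wraps anything unusual in double quotes, so the
-- argument can only ever name a column; it cannot terminate the statement.
CREATE OR REPLACE FUNCTION add_custom_field(in_table text, in_field text)
RETURNS void AS $$
BEGIN
    EXECUTE 'ALTER TABLE ' || quote_ident(in_table)
         || ' ADD COLUMN ' || quote_ident(in_field) || ' text';
END;
$$ LANGUAGE plpgsql;

-- Constructed malicious field name. Through the unsafe function the string
-- executed is:
--   ALTER TABLE invoice_extra ADD COLUMN notes text; DROP TABLE invoice_extra; -- text
-- so the DROP runs and the trailing " text" is commented out. Because the
-- function is SECURITY INVOKER, the DROP succeeds only if the caller could
-- already drop invoice_extra themselves, which is the point made above.
SELECT add_custom_field_unsafe('invoice_extra',
                               'notes text; DROP TABLE invoice_extra; --');

-- Through the hardened function the same string becomes an ugly but harmless
-- column named "notes text; DROP TABLE invoice_extra; --".
CREATE TABLE invoice_extra (id serial PRIMARY KEY);
SELECT add_custom_field('invoice_extra',
                        'notes text; DROP TABLE invoice_extra; --');
\d invoice_extra

-- The check that decides whether such a bug is an escalation: a function
-- flagged prosecdef (SECURITY DEFINER) runs with its owner's rights, not the
-- caller's, so dynamic SQL inside one is a real privilege boundary.
SELECT n.nspname, p.proname, p.prosecdef
  FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace
 WHERE p.prosecdef
   AND n.nspname NOT IN ('pg_catalog', 'information_schema');
```

Run it in psql as an ordinary database role: the unsafe call drops the table only because that role owns it, and the final query lists every SECURITY DEFINER function outside the system schemas, which are the ones where a concatenation bug like this would let a low-privilege caller act as the function owner.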
As always, changes within a production release series are limited to bug
fixes, and users are generally recommended to stay current.