Hi all; I wanted to take a few minutes to ensure you all are familiar with the security differences between 1.2.x and 1.3.x as well as articulate my own support policies for the 1.2 branch.
LedgerSMB 1.2 has no built-in permissions enforcement. This is documented in our manual, along with suggestions for mitigating this issue. What passes for security enforcement, due to the SQL-Ledger heritage of our software, was basically changing the user interface to hide options for which the user was not authorized.

This changes in 1.3, where the suggestions made in 1.2 have been heavily automated so that they become feasible for most users to use. As of 1.3, users are actually restricted from doing things they are not allowed to do. Users may see messages such as "Access denied" when they step outside of their approved permissions. Additionally, 1.3 has added a framework to stop so-called cross-site request forgery attacks. Such attacks can be used by a knowledgeable insider to cause users of a LedgerSMB 1.2.x system to enter financial transactions without their knowledge. Unfortunately the fix was very disruptive and therefore we didn't feel we could apply it to LedgerSMB 1.2.x.

For the above reasons, I think it is important for users to upgrade to LedgerSMB 1.3 as soon as it is feasible to do so. Unfortunately, since this is a difficult upgrade, I do expect that many users will not be able to upgrade immediately. It may take some time, but I would hope that over the next six months or so, LedgerSMB 1.2.x can be retired. Of course, that depends on when users can migrate. I personally expect community (free) support for 1.2.x by myself and others to fade away pretty quickly, however, as this process goes forward.

As a side note, LedgerSMB 1.3 is fundamentally different in a number of ways, and it is likely to be possible to backport security fixes from future versions with less effort than it has been in the past. This being said, I am usually willing to support any branch that my customers insist on, provided they are aware of the risks, and it is likely that other consultants in the community will take a similar perspective.
Since this is open source, and we make our money off of services and support rather than licensing fees, users have quite a few more options than with proprietary software.

Best Wishes,
Chris Travers

Ledger-smb-devel mailing list: https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
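To make the distinction in the message concrete (hiding a menu entry versus refusing the request on the server, plus a per-session CSRF token check), here is a small added illustration. It is example code written for this post, not LedgerSMB's own code; the role table, the `Session` class and the `handle_request` function are constructed for the demonstration and do not reflect LedgerSMB's actual schema or request dispatcher.

```python
import hmac
import secrets

# Constructed sample role table (hypothetical; not LedgerSMB's own schema).
ROLE_PERMISSIONS = {
    "bookkeeper": {"post_transaction", "view_reports"},
    "viewer": {"view_reports"},
}


class AccessDenied(Exception):
    """Raised when the server refuses an action, whatever the UI showed."""


class Session:
    """Hypothetical logged-in session carrying a per-session CSRF token."""

    def __init__(self, user, role):
        self.user = user
        self.role = role
        # Unguessable token the server later expects back in every state-changing form.
        self.csrf_token = secrets.token_hex(16)


def menu_for(session):
    """1.2-style 'enforcement': only decides which options the UI displays.

    A user who hand-crafts the request URL is not stopped by this at all.
    """
    return sorted(ROLE_PERMISSIONS.get(session.role, set()))


def handle_request(session, action, form):
    """1.3-style enforcement: the server checks the permission and the CSRF
    token on every request, regardless of whether the option was shown.

    `form` is the submitted form as a dict (constructed input in the test).
    """
    allowed = ROLE_PERMISSIONS.get(session.role, set())
    if action not in allowed:
        raise AccessDenied(f"Access denied: {session.user} may not {action}")

    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token check does not leak timing information.
    if not hmac.compare_digest(submitted, session.csrf_token):
        raise AccessDenied("Access denied: missing or invalid CSRF token")

    return f"{action} performed for {session.user}"


def try_request(session, action, form):
    """Convenience wrapper returning (ok, message) instead of raising."""
    try:
        return True, handle_request(session, action, form)
    except AccessDenied as exc:
        return False, str(exc)


if __name__ == "__main__":
    viewer = Session("alice", "viewer")
    print(menu_for(viewer))
    # The UI never showed 'post_transaction', but a forged request still must be refused.
    print(try_request(viewer, "post_transaction", {"csrf_token": viewer.csrf_token}))
    keeper = Session("bob", "bookkeeper")
    # A cross-site form post cannot know the session token, so it is refused too.
    print(try_request(keeper, "post_transaction", {"csrf_token": "forged"}))
    print(try_request(keeper, "post_transaction", {"csrf_token": keeper.csrf_token}))
```

The point of the split between `menu_for` and `handle_request` is the one the message makes: a hidden option is not a denied action, so the authorization decision and the CSRF token check both have to live in the request handler, where a crafted request cannot bypass them.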
