summaryrefslogtreecommitdiff
path: root/doc/release_notes
blob: c12274221779538a5473e573690ce03a9b1a679a (plain) 
    

  1. RELEASE NOTES
    2. 

  2. LedgerSMB 1.2.15
    3. 

  3. 

  4. 

  5. 

  6. 1:  Welcome to LedgerSMB
    7. 

  7. 

  8. LedgerSMB is an accounting and ERP program initially aimed at small to midsize
    9. 

  9. businesses.  Currently the financials and supply chain management modules are
    10. 

  10. fairly complete, while other modules such as project management exist in a
    11. 

  11. rudamentary form.  The initial features are identical to SQL-Ledger 2.6.17 from
    12. 

  12. which it was derived, but the feature set is starting to diverge rapidly.
    13. 

  13. 

  14. 1.1 System Requirements:
    15. 

  15. 

  16. * Perl 5.8.
    17. 

  17. * Apache, IIS, or other web server that supports CGI.
    18. 

  18. * PostgreSQL 8.0 or higher.  7.3 and 7.4 could be supported with some effort but
    19. 

  19. will not work out of the box.  8.3 is expected to raise issues but they will be 
    20. 

  20. corrected as we become aware of the problems.
    21. 

  21. * Any operating system that supports the above environment.
    22. 

  22. * The following CPAN modules:
    23. 

  23.     * Data::Dumper
    24. 

  24.     * Locale::Maketext
    25. 

  25.     * Locale::Maketext::Lexicon
    26. 

  26.     * MIME::Base64
    27. 

  27.     * Digest::MD5
    28. 

  28.     * HTML::Entities
    29. 

  29.     * DBI
    30. 

  30.     * DBD::Pg
    31. 

  31.     * Math::BigFloat
    32. 

  32.     * IO::File
    33. 

  33.     * Encode
    34. 

  34.     * Locale::Country
    35. 

  35.     * Locale::Language
    36. 

  36.     * Time::Local
    37. 

  37.     * Cwd
    38. 

  38.     * Config::Std
    39. 

  39.     * MIME::Lite
    40. 

  40. 

  41.     
    42. 

  42. 

  43. 2:  What's New in 1.2?
    44. 

  44. 

  45. 2.1: Database changes:
    46. 

  46. 

  47. All core tables now have defined primary keys.  This allows Slony-I to be 
    48. 

  48. supported out of the box.
    49. 

  49. 

  50. Chris Browne has contributed a setup script for Slony.  It is in the 
    51. 

  51. utils/replication directory.
    52. 

  52. 

  53. Also all user information has been moved into the database and the password 
    54. 

  54. algorythm has been changed from crypt to md5.  This means that users will need 
    55. 

  55. to convert their accounts prior to first login on the new system (if this is an
    56. 

  56. upgrade).
    57. 

  57. 

  58. Also now the defaults table has moved from a one column per value structure to a simple key->value structure.
    59. 

  59. 

  60. 

  61. 2.2:  Security
    62. 

  62. 

  63. LedgerSMB 1.2 has been through a detailed SQL injection audit of the codebase
    64. 

  64. inherited from SQL-Ledger.  As a result several vulnerabilities which were known
    65. 

  65. to be exploitable were corrected along with hundreds of places where
    66. 

  66. vulnerabilities may have been exploitable but we didn't have time to verify the
    67. 

  67. what was involved in exploiting it.  We believe though that many or most of the
    68. 

  68. issues were exploitable given a little time and effort.
    69. 

  69. 

  70. Also, we discovered the template editor's security system was moved from
    71. 

  71. blacklisting to whitelisting, eliminating a whole class of possible security
    72. 

  72. issues.
    73. 

  73. 

  74. 2.3:  New Features in 1.2.x
    75. 

  75. 

  76. Metatron Technology Consulting's SL-POS codebase was merged with this project,
    77. 

  77. providing a framework for POS hardware support and more.
    78. 

  78. 

  79. Online credit card processing support has been added.
    80. 

  80. 

  81. LSMB now supports an arbitrary number of defined currencies for a business and 
    82. 

  82. is no longer limited to 3.
    83. 

  83. 

  84. 2.4:  Localization Changes
    85. 

  85. 

  86. Localization functions now use Gettext .po files on all platforms.  This means 
    87. 

  87. that standard translation management tools will work with LSMB translations.
    88. 

  88. 

  89. 2.5:  Other changes
    90. 

  90. 

  91. The ledger-smb.conf is now an inifile which will reduce the level of expertise 
    92. 

  92. necessary to configure it for non-Perl users.
    93. 

  93. 

  94. 3:  Known Issues
    95. 

  95. 

  96. 3.1: Reposting Invoices:
    97. 

  97. Reposting invoices is known to cause inaccuracies cost of goods sold and
    98. 

  98. inventory accounts.  This problem has been confirmed to affect SQL-Ledger 2.6.x 
    99. 

  99. as well and is caused by problems involving the de-allocation and trasaction
    100. 

  100. reversal routines.  It will be corrected (by removing the ability to truly
    101. 

  101. repost invoices) in an upcoming version as we continue to re-engineer the
    102. 

  102. application.
    103. 

  103. 

  104. Additionally there is a known issue where reposting invoices more than once causes
    105. 

  105. a primary key issue on the transactions table.  A fix for this is distributed in
    106. 

  106. sql/fixes.
    107. 

  107. 

  108. 3.2: Tax rate changes
    109. 

  109. LedgerSMB 1.2.x's database structure does not handle tax rate changes properly.  A 
    110. 

  110. fix for this is in the sql/fixes directory.
    111. 

  111. 

  112. 3.3: Warehouse Tracking
    113. 

  113. LedgerSMB inherited an issue from SQL-Ledger where a shipped sales order deletes all
    114. 

  114. known shipping information.  There is a fix for this in the sql/fixes directory.
    115. 

  115. 

  116. 3.4: Recurring transactions
    117. 

  117. LedgerSMB's database structure does not handle certain areas properly regarding 
    118. 

  118. recurring transactions.  A fix for this issue is in the sql/fixes directory.
    119. 

  119. 

  120. 3.5: AR/AP Transactions
    121. 

  121. LedgerSMB from 1.2.0 through 1.2.13 had a bug which saved incorrect summary information for AR and AP transactions (but not invoices).  A fix for this has been included in sql/fixes and new transactions are not affected as of 1.2.14.
    122. 

  122. 

  123. 4:  Differences between LedgerSMB and SQL-Ledger(TM)
    124. 

  124. 

  125. 4.1: Login name restrictions
    126. 

  126. Logins in SQL-Ledger can contain any printable characters.  In LedgerSMB these
    127. 

  127. are restricted to alphanumeric characters and the symbols ., @, and -.
    128. 

  128. 

  129. 4.2: Session handling
    130. 

  130. SQL-Ledger as of 2.6.17 used session tokens for authentication.  These tokens
    131. 

  131. are based on the current timestamp and therefore insecure.  Furthermore, these
    132. 

  132. tokens are not tracked on the server, so one can easily forge credentials for
    133. 

  133. either the main application or the administrative interface.  While this was 
    134. 

  134. corrected in 2.6.18, the solutions chosen by SQL-Ledger (caching the crypted 
    135. 

  135. password by the browser) is not in line with commonly accepted best security
    136. 

  136. practices.
    137. 

  137. 

  138. LedgerSMB stores the sessions in the database.  These are generated as md5 sums
    139. 

  139. of random numbers and are believed to be reasonably secure.  The sessions time
    140. 

  140. out after a period of inactivity.  In the initial release both
    141. 

  141. SQL-Ledger-style session ID's and the newer version were required to access the
    142. 

  142. application.  In newer versions, the SQL-Ledger style session ID's have been 
    143. 

  143. removed.
    144. 

  144. 

  145. 4.3: Database Changes
    146. 

  146. Under certain circumstances where the Chart of Accounts is improperly modified,
    147. 

  147. it is possible to post transactions such that a portion of the transaction is
    148. 

  148. put into a NULL account.  LedgerSMB does not allow NULL values in the chart id
    149. 

  149. field of the transaction.
    150. 

  150. 

  151. Also, the transaction amount has been changed from FLOAT to NUMERIC so that
    152. 

  152. arbitrary precision mathematics can be used in third party reports.  This ought
    153. 

  153. to also allow SQL-Ledger to properly scale up better as SUM operations on
    154. 

  154. floating points are unsafe for large numbers of records where accounting data is
    155. 

  155. involved.
    156. 

  156. 

  157. 5:  Roadmap
    158. 

  158. This project has no defined roadmap but rather a set of statements and 
    159. 

  159. objectives contained in the documentation manager and trackers of sourceforge.
    160. 

  160. In general, our development is focused around the following principles:
    161. 

  161. 

  162. * LSMB as infrastructure:  LSMB should be accessible from other applications.
    163. 

  163. 

  164. * Universal applicability:  LSMB should be usable by any any business and should
    165. 

  165. always do the right thing in the background.  Businesses should never find that 
    166. 

  166. they have outgrown the software.
    167. 

  167. 

  168. * Focus on Small to Midsize Businesses:  LSMB's core market will remain in the
    169. 

  169. small to midsize market.
    170. 

  170. 

  171. 6:  Get Involved
    172. 

  172. Contributors should start by joining the LedgerSMB users and devel lists.  Code
    173. 

  173. contributions at the moment must be committed by either project maintainer and
    174. 

  174. should be submitted either using the patches interface at Sourceforge or the
    175. 

  175. devel mailing lists.
    176. 

  176. 

  177. Additionally, we can use help in QA, documentation, advocacy, and many other
    178. 

  178. places. 
    179. 

  179. 

  180. SQL-Ledger is a registered trademark of DWS systems and is not affiliated with 
    181. 

  181. this project or its members in any way.
    182. 

  182. 

  183. DEPRECATIONS:
    184. 

  184. =============================
    185. 

  185. The entire set of Perl modules and database structures should be seen as 
    186. 

  186. deprecated from the perspective of add-on development.  For advice in making
    187. 

  187. add-ons as upgrade-safe as possible, please email the -devel list.  Please 
    188. 

  188. include a description of what you are trying to accomplish.
    189. 

  189. 

  190. KNOWN ISSUES:
    191. 

  191. ==============================
    192. 

  192. The POS printing system gives an access denied message because the printer
    193. 

  193. triggers the directory transversal checks.  To work around this problem, ensure
    194. 

  194. that you do not need to use absolute paths for the printer program (use lpr or
    195. 

  195. put netdirect.pl in /usr/local/bin and reference without the full path).
    196. 

  196. 

  197. Also the POS system requires some additional configuration both in the chart of 
    198. 

  198. accounts and in the system itself.  Please edit the pos.conf.pl and create 
    199. 

  199. appropriate till accounts.
    200. 

  200. 

  201. Major Bugs Fixed in 1.2.15:
    202. 

  202. ================================
    203. 

  203. 1) (Critical)  Denial of service potential by uploading files of arbitrary size.
    204. 

  204.    Prior versions did not have an upload limit, so denial of service was possibe
    205. 

  205.    by uploading arbitrarily large amounts of data.
    206. 

  206. 

  207. 2) (Critical)  SQL Injection vulnerability possible in the AP transaction 
    208. 

  208.    report.  A variable was incorrectly escaped.
    209. 

  209. 

  210. 3)  Errors in transferring inventory between warehouses resolved.
    211. 

  211. 

  212. 4)  Pricematrix now recognizes both pricebreaks and sell price fields, and works
    213. 

  213.     for customers, vendors, and pricegroups.  The current logic is that the
    214. 

  214.     default pricing is overridden by temporary pricing for a generic pricegroup
    215. 

  215.     then by the specific pricegroup, and lastly by the specific customer.
    216. 

  216. 

  217. 5)  Errors pulling transactions by department are resolved.
    218. 

  218. 

  219. For a list of all changes, see the Changelog.
    220.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-01 22:24:22 +0000