- RELEASE NOTES
- LedgerSMB 1.2.15
- 1: Welcome to LedgerSMB
- LedgerSMB is an accounting and ERP program initially aimed at small to midsize
- businesses. Currently the financials and supply chain management modules are
- fairly complete, while other modules such as project management exist in a
- rudamentary form. The initial features are identical to SQL-Ledger 2.6.17 from
- which it was derived, but the feature set is starting to diverge rapidly.
- 1.1 System Requirements:
- * Perl 5.8.
- * Apache, IIS, or other web server that supports CGI.
- * PostgreSQL 8.0 or higher. 7.3 and 7.4 could be supported with some effort but
- will not work out of the box. 8.3 is expected to raise issues but they will be
- corrected as we become aware of the problems.
- * Any operating system that supports the above environment.
- * The following CPAN modules:
- * Data::Dumper
- * Locale::Maketext
- * Locale::Maketext::Lexicon
- * MIME::Base64
- * Digest::MD5
- * HTML::Entities
- * DBI
- * DBD::Pg
- * Math::BigFloat
- * IO::File
- * Encode
- * Locale::Country
- * Locale::Language
- * Time::Local
- * Cwd
- * Config::Std
- * MIME::Lite
-
- 2: What's New in 1.2?
- 2.1: Database changes:
- All core tables now have defined primary keys. This allows Slony-I to be
- supported out of the box.
- Chris Browne has contributed a setup script for Slony. It is in the
- utils/replication directory.
- Also all user information has been moved into the database and the password
- algorythm has been changed from crypt to md5. This means that users will need
- to convert their accounts prior to first login on the new system (if this is an
- upgrade).
- Also now the defaults table has moved from a one column per value structure to a simple key->value structure.
- 2.2: Security
- LedgerSMB 1.2 has been through a detailed SQL injection audit of the codebase
- inherited from SQL-Ledger. As a result several vulnerabilities which were known
- to be exploitable were corrected along with hundreds of places where
- vulnerabilities may have been exploitable but we didn't have time to verify the
- what was involved in exploiting it. We believe though that many or most of the
- issues were exploitable given a little time and effort.
- Also, we discovered the template editor's security system was moved from
- blacklisting to whitelisting, eliminating a whole class of possible security
- issues.
- 2.3: New Features in 1.2.x
- Metatron Technology Consulting's SL-POS codebase was merged with this project,
- providing a framework for POS hardware support and more.
- Online credit card processing support has been added.
- LSMB now supports an arbitrary number of defined currencies for a business and
- is no longer limited to 3.
- 2.4: Localization Changes
- Localization functions now use Gettext .po files on all platforms. This means
- that standard translation management tools will work with LSMB translations.
- 2.5: Other changes
- The ledger-smb.conf is now an inifile which will reduce the level of expertise
- necessary to configure it for non-Perl users.
- 3: Known Issues
- 3.1: Reposting Invoices:
- Reposting invoices is known to cause inaccuracies cost of goods sold and
- inventory accounts. This problem has been confirmed to affect SQL-Ledger 2.6.x
- as well and is caused by problems involving the de-allocation and trasaction
- reversal routines. It will be corrected (by removing the ability to truly
- repost invoices) in an upcoming version as we continue to re-engineer the
- application.
- Additionally there is a known issue where reposting invoices more than once causes
- a primary key issue on the transactions table. A fix for this is distributed in
- sql/fixes.
- 3.2: Tax rate changes
- LedgerSMB 1.2.x's database structure does not handle tax rate changes properly. A
- fix for this is in the sql/fixes directory.
- 3.3: Warehouse Tracking
- LedgerSMB inherited an issue from SQL-Ledger where a shipped sales order deletes all
- known shipping information. There is a fix for this in the sql/fixes directory.
- 3.4: Recurring transactions
- LedgerSMB's database structure does not handle certain areas properly regarding
- recurring transactions. A fix for this issue is in the sql/fixes directory.
- 3.5: AR/AP Transactions
- LedgerSMB from 1.2.0 through 1.2.13 had a bug which saved incorrect summary information for AR and AP transactions (but not invoices). A fix for this has been included in sql/fixes and new transactions are not affected as of 1.2.14.
- 4: Differences between LedgerSMB and SQL-Ledger(TM)
- 4.1: Login name restrictions
- Logins in SQL-Ledger can contain any printable characters. In LedgerSMB these
- are restricted to alphanumeric characters and the symbols ., @, and -.
- 4.2: Session handling
- SQL-Ledger as of 2.6.17 used session tokens for authentication. These tokens
- are based on the current timestamp and therefore insecure. Furthermore, these
- tokens are not tracked on the server, so one can easily forge credentials for
- either the main application or the administrative interface. While this was
- corrected in 2.6.18, the solutions chosen by SQL-Ledger (caching the crypted
- password by the browser) is not in line with commonly accepted best security
- practices.
- LedgerSMB stores the sessions in the database. These are generated as md5 sums
- of random numbers and are believed to be reasonably secure. The sessions time
- out after a period of inactivity. In the initial release both
- SQL-Ledger-style session ID's and the newer version were required to access the
- application. In newer versions, the SQL-Ledger style session ID's have been
- removed.
- 4.3: Database Changes
- Under certain circumstances where the Chart of Accounts is improperly modified,
- it is possible to post transactions such that a portion of the transaction is
- put into a NULL account. LedgerSMB does not allow NULL values in the chart id
- field of the transaction.
- Also, the transaction amount has been changed from FLOAT to NUMERIC so that
- arbitrary precision mathematics can be used in third party reports. This ought
- to also allow SQL-Ledger to properly scale up better as SUM operations on
- floating points are unsafe for large numbers of records where accounting data is
- involved.
- 5: Roadmap
- This project has no defined roadmap but rather a set of statements and
- objectives contained in the documentation manager and trackers of sourceforge.
- In general, our development is focused around the following principles:
- * LSMB as infrastructure: LSMB should be accessible from other applications.
- * Universal applicability: LSMB should be usable by any any business and should
- always do the right thing in the background. Businesses should never find that
- they have outgrown the software.
- * Focus on Small to Midsize Businesses: LSMB's core market will remain in the
- small to midsize market.
- 6: Get Involved
- Contributors should start by joining the LedgerSMB users and devel lists. Code
- contributions at the moment must be committed by either project maintainer and
- should be submitted either using the patches interface at Sourceforge or the
- devel mailing lists.
- Additionally, we can use help in QA, documentation, advocacy, and many other
- places.
- SQL-Ledger is a registered trademark of DWS systems and is not affiliated with
- this project or its members in any way.
- DEPRECATIONS:
- =============================
- The entire set of Perl modules and database structures should be seen as
- deprecated from the perspective of add-on development. For advice in making
- add-ons as upgrade-safe as possible, please email the -devel list. Please
- include a description of what you are trying to accomplish.
- KNOWN ISSUES:
- ==============================
- The POS printing system gives an access denied message because the printer
- triggers the directory transversal checks. To work around this problem, ensure
- that you do not need to use absolute paths for the printer program (use lpr or
- put netdirect.pl in /usr/local/bin and reference without the full path).
- Also the POS system requires some additional configuration both in the chart of
- accounts and in the system itself. Please edit the pos.conf.pl and create
- appropriate till accounts.
- Major Bugs Fixed in 1.2.15:
- ================================
- 1) (Critical) Denial of service potential by uploading files of arbitrary size.
- Prior versions did not have an upload limit, so denial of service was possibe
- by uploading arbitrarily large amounts of data.
- 2) (Critical) SQL Injection vulnerability possible in the AP transaction
- report. A variable was incorrectly escaped.
- 3) Errors in transferring inventory between warehouses resolved.
- 4) Pricematrix now recognizes both pricebreaks and sell price fields, and works
- for customers, vendors, and pricegroups. The current logic is that the
- default pricing is overridden by temporary pricing for a generic pricegroup
- then by the specific pricegroup, and lastly by the specific customer.
- 5) Errors pulling transactions by department are resolved.
- For a list of all changes, see the Changelog.
|