Bugtraq mailing list archives

LedgerSMB 1.2.0 finally released, fixes CVE-2006-5589


From: Chris Travers <chris () metatrontech com>
Date: Wed, 04 Apr 2007 22:16:07 -0700

LedgerSMB 1.2.0 has been released, completing a comprehensive SQL injection audit of the code inherited from SQL-Ledger. Numerous SQL injection issues were fixed. In fact, most fields were not properly quoted and escaped. These problems should affect all known versions of SQL-Ledger as well. The fix was delayed because the scale of the changes made required extensive testing; these were not trivial changes.

Users are advised to upgrade as soon as possible. However, one should also note that (as we have documented in our manual), user permissions are not yet strictly enforced. Therefore, the current recommendation that database user accounts be used to enforce privilege separation still holds.

Those who maintain security advisory lists should list CVE-2006-5589 as now officially closed for LedgerSMB, though it is likely to remain open for SQL-Ledger.

Best Wishes,
Chris Travers
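The class of bug the announcement describes (values spliced into SQL text without quoting or escaping) and the two ways of fixing it, shown as an added example in Python against SQLite. This is not LedgerSMB or SQL-Ledger code (those are Perl against PostgreSQL); the customer table, its columns, the sample rows and the attacker string are all constructed for illustration.

```python
import sqlite3

# Constructed sample schema and rows; not LedgerSMB's schema or code.
SAMPLE_ROWS = [
    ("Acme Ltd", 1000.0),
    ("O'Brien & Co", 2500.0),   # a legitimate name containing a quote
    ("Globex", 50.0),
]


def make_db():
    """Build an in-memory database with a small customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, credit_limit REAL)"
    )
    conn.executemany(
        "INSERT INTO customer (name, credit_limit) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_unquoted(conn, name):
    """Vulnerable: the caller-supplied value is spliced into the SQL text.

    Returns None when the statement fails to parse, which is exactly what a
    legitimate name containing a quote does to this query.
    """
    sql = "SELECT id, name, credit_limit FROM customer WHERE name = '%s'" % name
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def lookup_escaped(conn, name):
    """Quote and escape by hand: double every single quote inside the literal.

    Correct for SQLite's standard string literals; other engines have their own
    escaping rules, which is why bound parameters are the more robust fix.
    """
    escaped = name.replace("'", "''")
    sql = "SELECT id, name, credit_limit FROM customer WHERE name = '%s'" % escaped
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Preferred fix: bind the value; the driver never treats it as SQL."""
    sql = "SELECT id, name, credit_limit FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


INJECTION = "x' OR '1'='1"   # constructed attacker input


def demo():
    """Run each lookup against the attacker string and against a quoted name."""
    conn = make_db()
    return {
        "unquoted_injection": lookup_unquoted(conn, INJECTION),
        "unquoted_quoted_name": lookup_unquoted(conn, "O'Brien & Co"),
        "escaped_injection": lookup_escaped(conn, INJECTION),
        "escaped_quoted_name": lookup_escaped(conn, "O'Brien & Co"),
        "parameterised_injection": lookup_parameterised(conn, INJECTION),
        "parameterised_quoted_name": lookup_parameterised(conn, "O'Brien & Co"),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

The unquoted variant returns every row for the attacker string and breaks outright on a customer name that merely contains an apostrophe, which is the "not properly quoted and escaped" condition in both of its forms: exploitable and simply wrong. Hand escaping repairs both cases but has to be written per database engine; placeholders get the same result from the driver.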
