lists.openwall.net: Open Source and information security mailing list archives
Date: Wed, 12 Oct 2011 06:48:21 -0700
From: Chris Travers <chris@...atrontech.com>
To: bugtraq@...urityfocus.com
Subject: LedgerSMB 1.3.0 released, includes anti-XSRF framework

Hi all;

LedgerSMB 1.3.0 has been released. One of the important enhancements this version has is protection against cross-site request forgery (XSRF), notably missing in past versions. The codebase we inherited when beginning the project has not been very conducive to retrofitting security framework changes, and this is one of the big reasons for the delay in 1.3.

While the 1.2 series had mitigating measures designed to reduce the likelihood that XSRF attacks could be successful over a long period of time, and while critical portions of the application (such as password resets) had measures in place designed to thwart XSRF attacks on a per-attack basis, this is the first version to include, as part of the security framework, form id checking.

If anyone is listing http://secunia.com/advisories/cve_reference/CVE-2009-3580/ as open, now would be a good time to close it. Any further XSRF vulnerabilities should probably have their own advisories.

Best Wishes,
Chris Travers
LedgerSMB Core Team
Metatron Technology Consulting
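The announcement above names the mechanism ("form id checking") but not how it works. The following is an added example, not LedgerSMB code, written in Python rather than the project's Perl, and the names SessionStore, issue_form_id, check_form_id and handle_post are invented for it. It shows the generic per-form anti-XSRF check: every rendered form carries a fresh unguessable id that is also recorded server-side against the user's session, and a state-changing POST is honoured only if it presents an id recorded for that same session. A forged cross-site request rides on the victim's cookie but cannot read the id, so it is rejected; ids are consumed on first use and expire, so a captured one cannot be replayed.

```python
"""Per-form anti-XSRF ("form id") check. Added illustration, not LedgerSMB code.

SessionStore, issue_form_id, check_form_id and handle_post are invented names.
"""
import hmac
import secrets
import time


class SessionStore:
    """Server-side session state: outstanding form ids per session."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._forms = {}  # session_id -> {form_id: issued_at}

    def issue_form_id(self, session_id, now=None):
        """Mint a random form id for a form being rendered and remember it."""
        now = time.time() if now is None else now
        form_id = secrets.token_urlsafe(32)  # 256 bits; not derivable from the cookie
        self._forms.setdefault(session_id, {})[form_id] = now
        return form_id

    def check_form_id(self, session_id, presented, now=None):
        """True if `presented` was issued to this session and is still fresh.

        The id is consumed on first use, whether or not it turns out to be
        expired, so a captured id cannot be replayed.
        """
        now = time.time() if now is None else now
        if not isinstance(presented, str) or not presented.isascii():
            return False
        outstanding = self._forms.get(session_id, {})
        match = None
        for fid in outstanding:
            # compare_digest keeps each individual comparison constant-time
            if hmac.compare_digest(fid, presented):
                match = fid
        if match is None:
            return False
        issued_at = outstanding.pop(match)
        return (now - issued_at) <= self.ttl


def handle_post(store, session_id, form_data, now=None):
    """Gatekeeper for a state-changing POST; returns (accepted, reason)."""
    if not store.check_form_id(session_id, form_data.get("form_id"), now=now):
        return False, "rejected: missing, foreign, replayed or stale form id"
    return True, "accepted"


def demo():
    """Run the scenarios a reviewer would check; returns {name: accepted}."""
    store = SessionStore(ttl_seconds=600)
    t0 = 1_000_000.0  # constructed clock values so the run is deterministic

    # The user's browser renders a form; the server issues an id for it.
    user_fid = store.issue_form_id("sess-user", now=t0)
    results = {}

    # 1. Legitimate submit from the rendered form.
    results["legit"], _ = handle_post(
        store, "sess-user", {"form_id": user_fid, "amount": "100"}, now=t0 + 5)
    # 2. Same id submitted again (replay).
    results["replay"], _ = handle_post(
        store, "sess-user", {"form_id": user_fid, "amount": "100"}, now=t0 + 6)
    # 3. Forged cross-site request: session cookie present, no form id in the body.
    results["forged_no_id"], _ = handle_post(
        store, "sess-user", {"amount": "100"}, now=t0 + 7)
    # 4. A guessed id of the right shape.
    results["forged_guess"], _ = handle_post(
        store, "sess-user", {"form_id": "a" * 43, "amount": "100"}, now=t0 + 8)
    # 5. An id minted for a different session does not transfer.
    other_fid = store.issue_form_id("sess-other", now=t0)
    results["foreign_session"], _ = handle_post(
        store, "sess-user", {"form_id": other_fid}, now=t0 + 9)
    # 6. A genuine id that sat unused past the TTL.
    stale_fid = store.issue_form_id("sess-user", now=t0)
    results["stale"], _ = handle_post(
        store, "sess-user", {"form_id": stale_fid}, now=t0 + 601)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} {'accepted' if accepted else 'rejected'}")
```

The per-session binding is the part that matters: a token that is merely valid somewhere in the system would let one session's id authorise another session's request, which is scenario 5. Storing ids server-side also means a leaked id is dead after one use or one TTL, whichever comes first.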