Message-ID: <CAPKNUtc2ET4QPJMphNCw13b2DHtGegeuYZr=aAk1=XE8_g1scw@mail.gmail.com>
Date: Wed, 12 Oct 2011 06:48:21 -0700
From: Chris Travers <chris@...atrontech.com>
To: bugtraq@...urityfocus.com
Subject: LedgerSMB 1.3.0 released, includes anti-XSRF framework

Hi all;

LedgerSMB 1.3.0 has been released.  One of the important enhancements
this version has is protection against cross-site request forgery
(XSRF), notably missing in past versions.  The codebase we inherited
when beginning the project has not been very conducive to retrofitting
security framework changes, and this is one of the big reasons for the
delay in 1.3.

While the 1.2 series had mitigating measures designed to reduce the
likelihood that XSRF attacks could be successful over a long period of
time, and while critical portions of the application (such as password
resets) had measures in place designed to thwart XSRF attacks on a
per-attack basis, this is the first version to include, as part of the
security framework, form id checking.

If anyone is listing
http://secunia.com/advisories/cve_reference/CVE-2009-3580/ as open,
now would be a good time to close it.  Any further XSRF
vulnerabilities should probably have their own advisories.

Best Wishes,
Chris Travers
LedgerSMB Core Team
Metatron Technology Consulting
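The "form id checking" the announcement refers to is the synchronizer token pattern: the server issues an unguessable, per-session, single-use id when it renders a form and refuses any POST whose id it did not issue to that session. The sketch below is an added illustration of that pattern, written for this page in Python; it is not LedgerSMB's own (Perl) code, and the class name `FormIdStore`, the `render_form`/`handle_post` helpers and the dictionary standing in for a server-side session are assumptions. The `demo()` function walks through the cases a reviewer would check: a forged cross-site POST with no id, a POST carrying an id issued to the attacker's own session, the legitimate submission, and a replay of an already-spent id.

```python
import hmac
import secrets


class FormIdStore:
    """Per-session store of outstanding form ids (synchronizer token pattern).

    Hypothetical helper written for this example; not LedgerSMB code.
    Each id is random, bound to the session that holds this store, tied to
    one form name, and spent on first use.
    """

    def __init__(self, max_outstanding=50):
        self._ids = {}                     # form_id -> form_name it was issued for
        self.max_outstanding = max_outstanding

    def issue(self, form_name):
        # Bound per-session storage so a user with many open tabs cannot grow it forever;
        # the oldest outstanding id is evicted first (dict preserves insertion order).
        if len(self._ids) >= self.max_outstanding:
            del self._ids[next(iter(self._ids))]
        form_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._ids[form_id] = form_name
        return form_id

    def consume(self, form_name, submitted_id):
        """True iff submitted_id is a valid, unspent id issued for form_name.

        A matching id is removed whether or not the form name matches, so a
        stolen id cannot be probed against several forms.  Comparison is
        constant-time to avoid leaking a prefix match through timing.
        """
        if not isinstance(submitted_id, str):
            return False
        for known_id, known_form in list(self._ids.items()):
            if hmac.compare_digest(known_id, submitted_id):
                del self._ids[known_id]
                return known_form == form_name
        return False


def render_form(session, form_name):
    """Server side of a GET: embed a fresh hidden form id in the rendered form."""
    fid = session["form_ids"].issue(form_name)
    return (f'<form method="POST" action="/{form_name}">'
            f'<input type="hidden" name="form_id" value="{fid}">'
            f'<!-- real fields omitted --></form>')


def handle_post(session, form_name, params):
    """Server side of a POST: reject unless the id was issued to this session for this form."""
    if not session["form_ids"].consume(form_name, params.get("form_id")):
        return 403, "rejected: missing, foreign, spent or mismatched form id"
    return 200, f"{form_name} processed"


def demo():
    """Run the attack and legitimate cases; returns the HTTP status of each."""
    victim = {"form_ids": FormIdStore()}     # stands in for the victim's server-side session
    attacker = {"form_ids": FormIdStore()}   # attacker's own (separate) session

    html = render_form(victim, "password_reset")
    legit_id = html.split('value="')[1].split('"')[0]

    results = {}
    # 1. Classic XSRF: the browser attaches the victim's cookies, but the attacker's
    #    page never saw the hidden field, so the POST carries no form id.
    results["forged_no_id"] = handle_post(victim, "password_reset", {"new_password": "x"})[0]
    # 2. Attacker submits an id that was issued to their own session, not the victim's.
    atk_id = attacker["form_ids"].issue("password_reset")
    results["forged_other_session"] = handle_post(victim, "password_reset", {"form_id": atk_id})[0]
    # 3. The victim's genuine submission from the rendered form.
    results["legit"] = handle_post(victim, "password_reset", {"form_id": legit_id})[0]
    # 4. Replaying the same id after it has been spent.
    results["replay"] = handle_post(victim, "password_reset", {"form_id": legit_id})[0]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:22s} -> {status}")
```

Two details matter in practice and are easy to get wrong: the id must live server-side, keyed by the session (an id the attacker's page could read, or one that is valid for every session, defeats the purpose), and it should be spent on first use so that a leaked id has a short life. Binding the id to a form name additionally stops an id harvested from a low-value form from being redirected at a sensitive one such as a password reset.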
