Notes on 1.2.x vs 1.3.x security, and 1.2.x legacy support.

Hi all;

I wanted to take a few minutes to ensure you all are familiar with the
security differences between 1.2.x and 1.3.x as well as articulate my
own support policies for the 1.2 branch.

LedgerSMB 1.2 has no built-in permissions enforcement.  This is
documented in our manual, along with suggestions for mitigating the
issue.  What passed for security enforcement, due to the SQL-Ledger
heritage of our software, was basically changing the user interface to
hide options for which the user was not authorized; nothing stopped a
request for a hidden option from being processed.  This changes in
1.3, where the suggestions made for 1.2 have been heavily automated so
that they become feasible for most users to apply.  As of 1.3, users
are actually restricted from doing things they are not allowed to do.
Users may see messages such as "Access denied" when they step outside
of their approved permissions.

Additionally, 1.3 has added a framework to stop so-called cross-site
request forgery attacks.  Such attacks can be used by a knowledgeable
insider to cause users of a LedgerSMB 1.2.x system to enter financial
transactions without their knowledge.  Unfortunately, the fix was very
disruptive and therefore we didn't feel we could apply it to LedgerSMB
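As an added illustration (not LedgerSMB code), the following Python contrasts the two approaches described above: a 1.2-style menu that merely hides unauthorized options, beside a 1.3-style request handler that refuses the action server-side and checks a session-bound anti-CSRF token. The role table, user names, session id and server secret are constructed placeholders.

```python
import hashlib
import hmac

# Constructed role table (hypothetical; not LedgerSMB's real role model).
PERMISSIONS = {
    "alice": {"ar_transaction_create", "ar_transaction_list"},
    "bob": {"ar_transaction_list"},
}

# Placeholder only; a real deployment keeps a random secret outside the code.
SERVER_SECRET = b"constructed-server-secret"


def menu_for(user):
    """1.2-style 'enforcement': the menu only lists what the user may do.
    Nothing here stops a crafted request for an option that was hidden."""
    return sorted(PERMISSIONS.get(user, set()))


def csrf_token(session_id):
    """Token bound to the session with an HMAC.  The server embeds it in the
    forms it renders; a page on another site cannot read or compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post(user, session_id, action, form):
    """1.3-style handling: the request is checked server-side regardless of
    what the menu showed.  Returns a status string for the caller to act on."""
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a forged cross-site form carries no valid token.
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return "csrf_rejected"
    if action not in PERMISSIONS.get(user, set()):
        return "access_denied"
    return "ok"


if __name__ == "__main__":
    tok = csrf_token("sess-1")
    print(menu_for("bob"))                                   # hides the create option
    print(handle_post("bob", "sess-1", "ar_transaction_create", {"csrf_token": tok}))
    print(handle_post("alice", "sess-1", "ar_transaction_create", {"csrf_token": tok}))
    print(handle_post("alice", "sess-1", "ar_transaction_create", {}))
```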

For the above reasons, I think it is important for users to upgrade to
LedgerSMB 1.3 as soon as it is feasible to do so.  Unfortunately since
this is a difficult upgrade, I do expect that many users will not be
able to upgrade immediately.  It may take some time but I would hope
that over the next six months or so, LedgerSMB 1.2.x can be retired.
Of course, that depends on when users can migrate.  I personally
expect community (free) support for 1.2.x by myself and others to fade
away pretty quickly, however, as this process goes forward.

As a side note, LedgerSMB 1.3 is fundamentally different in a number
of ways, and it is likely to be possible to backport security fixes
from future versions with less effort than it has been in the past.
This being said, I am usually willing to support any branch that my
customers insist on, provided they are aware of risks, and it is
likely that other consultants in the community will take a similar
perspective.  Since this is open source, and we make our money off of
services and support rather than licensing fees, users have quite a
few more options than with proprietary software.

Best Wishes,
Chris Travers