
LedgerSMB 1.4.12-rc1 released, minor DoS issue addressed


I will be announcing the issue found on the user and announcement lists, along with a workaround.  This is far more likely to be done by accident than malice, and need not be crippling if you know how to fix it.  However, if someone sets headings to themselves as parents, or creates circular parent nodes (heading 2000 is parent to 2010, which is parent to 2011, which is parent to 2000), then the PNL and some other reports will go into an endless loop until resources are exhausted and the system recovers.

To fix it you can edit the account headings and move the data back.  Anyone who needs help should inquire on the -devel list or seek support, but the time outlay is very little.  1.4.12 includes a db trigger to detect and reject such circular dependencies.

Note that this can only be done by someone with access to define and alter the chart of accounts, so typically this is only a few trusted individuals who, by their permissions, could cause worse problems using normal functions of the software.  It is more likely to happen by accident than malice, but it could be used to impact some business activities.  So this is very minor in terms of security, but it does have larger implications for robustness.

There are a number of other fixes and an updated German translation.  The complete changelog is below:

Changelog for 1.4.12
* Updated German translation by Adrian v. Meibom <..hidden..>
* Fixed printing of purchase order due to SQL error (bug 1359) (Erik H)
* Don't show button for dis-allowed action in GL entry (bug 1355) (Erik H)
* Admin can't reset user's password due to SQL error (bug 1333) (Erik H)
* Fix dependency listing (include JSON) (bug 1347) (Erik H)
* Make setup.pl generate fewer warnings in the error logs (Erik H)
* Fix 'Save as' in contact account clobbering existing one (bug 1364) (Erik H)
* Fixed empty response causing some problems. (Chris T)
* Detect account heading graph loops and throw errors (Chris T)

Chris T is Chris Travers
Erik H is Erik Huelsmann

Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor lock-in.
Ledger-smb-devel mailing list
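The loop-rejecting trigger mentioned above, as an added illustration that is not LedgerSMB's own code: a PostgreSQL BEFORE trigger on a heading table that refuses a self-parent or any parent assignment which would close a cycle. The table name account_heading and its columns (id, accno, parent_id) are assumed for the example; the real 1.4.12 schema and trigger may differ. The walk up the parent chain carries a path array so that it terminates even if a cycle already exists in the data, which is what makes the check safe to run on a database that is already in the bad state.

```sql
-- Added example (not LedgerSMB's own code). Schema is an assumption.
CREATE TABLE account_heading (
    id        serial PRIMARY KEY,
    accno     text NOT NULL UNIQUE,
    parent_id integer REFERENCES account_heading(id)
);

CREATE OR REPLACE FUNCTION account_heading_check_loop() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    found_loop boolean;
BEGIN
    -- Top-level headings have no parent and can never close a cycle.
    IF NEW.parent_id IS NULL THEN
        RETURN NEW;
    END IF;

    -- The degenerate case: a heading that is its own parent.
    IF NEW.parent_id = NEW.id THEN
        RAISE EXCEPTION 'Account heading % cannot be its own parent', NEW.accno;
    END IF;

    -- Walk upward from the proposed parent. Reaching NEW.id means the new
    -- edge would close a loop. The path array stops the recursion if some
    -- pre-existing loop is already in the table, so the trigger itself
    -- cannot spin forever the way the reports described above do.
    WITH RECURSIVE ancestors AS (
        SELECT h.id, h.parent_id, ARRAY[h.id] AS path
          FROM account_heading h
         WHERE h.id = NEW.parent_id
        UNION ALL
        SELECT h.id, h.parent_id, a.path || h.id
          FROM account_heading h
          JOIN ancestors a ON h.id = a.parent_id
         WHERE NOT h.id = ANY(a.path)
    )
    SELECT EXISTS (SELECT 1 FROM ancestors WHERE id = NEW.id) INTO found_loop;

    IF found_loop THEN
        RAISE EXCEPTION 'Setting parent of heading % would create a loop', NEW.accno;
    END IF;
    RETURN NEW;
END;
$$;

CREATE TRIGGER account_heading_no_loops
    BEFORE INSERT OR UPDATE OF parent_id ON account_heading
    FOR EACH ROW EXECUTE PROCEDURE account_heading_check_loop();

-- Constructed demonstration using the chain from the announcement:
-- 2000 -> 2010 -> 2011 is accepted, closing it back to 2000 is rejected.
INSERT INTO account_heading (accno) VALUES ('2000');
INSERT INTO account_heading (accno, parent_id)
    SELECT '2010', id FROM account_heading WHERE accno = '2000';
INSERT INTO account_heading (accno, parent_id)
    SELECT '2011', id FROM account_heading WHERE accno = '2010';

-- This UPDATE raises "Setting parent of heading 2000 would create a loop"
-- and leaves the table unchanged.
UPDATE account_heading
   SET parent_id = (SELECT id FROM account_heading WHERE accno = '2011')
 WHERE accno = '2000';
```

The trigger only guards future writes; data that already contains a loop still has to be repaired by hand as described above. The same path-array guard in the recursive query is also the fix on the reporting side: a report that walks headings with a WHERE NOT id = ANY(path) condition returns a bounded result on a looped chart instead of exhausting resources.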