Re: Recommendations for upgrading for SQL-Ledger users

Chris Travers wrote:
Hi all;

Most of us in the community are frustrated with the issues that have
plagued LSMB 1.2.x.  I wanted to send in my recommendations and ask
for other comments.

SQL-Ledger 2.6.x (and earlier) users should upgrade at their earliest
convenience at least as far as 1.1.12.  A large number of serious
security issues have been addressed here which make authentication
bypass and/or login hijack possible.  However LSMB 1.1.x has a large number of
SQL-injection issues inherited from SQL-Ledger which could be used to
cause all manner of problems.

Please note that only serious authentication bypass or data integrity
issues are likely to be fixed in 1.1.x.

1.1.x represents a simple, easy-to-hit target.  Code refactoring and
re-engineering had not yet begun, but there are known security issues
that cannot be easily fixed without causing a great number of bugs.
These include SQL injection issues which could be used by a malicious
user to alter the audit trails to suggest that someone else posted a
transaction (that is an embezzlement risk).

One other benefit of upgrading at least this far is the fact that you
will get fair warning if there are data integrity issues in your
SQL-Ledger installation which could cause problems later.

This release is a bit of a problem release and will probably go down
as our equivalent of Apache 2.0.  There are compelling reasons to
upgrade:  we resolved all known SQL-injection issues and added many
additional measures to prevent arbitrary code execution.  However, the
upgrade is not smooth and one can expect some possible problems.

If you have any sort of real authentication enforcement needs, we
suggest upgrading to this version.  This is not a smooth process.  But
we as a community will do what we have to in order to help make this
work for you.

1.3.x is not yet out but it will be the logical migration point
for SQL-Ledger 2.8.x users.  We expect it to be far less problematic
than 1.2.x simply because the most problematic changes in our road to
2.0 were in that release.  There are likely to be some issues with
custom templates, however.

Chris, thank you for the explanation. Can I get a little clarification, please?

If I convert my 2.6.x SL to 1.1.12 LS and I don't feel I have compelling reasons to go to 1.2 at this time, would I be converting down the road to a more stable 1.2 and then to 1.3? Or would there be a migration path of 1.1.12 to 1.3 directly? And finally, (I know it's ready when it's ready) do you have any feel for the time lines?

My reason for asking is that my fiscal year starts in July and I would like to be operational July 1 with the best, most stable state I can be in at that time. Any upgrades I apply after that must be relatively trouble-free. I am looking for information that would help me formulate a strategy.

Thanks for all your efforts with this.


John Hobbs
Chryxus Corporation