| 1 | /***************************************************************** |
| 2 | * Release Notes: SquirrelMail 1.5.2 * |
| 3 | * The "" Release * |
| 4 | * 2006-xx-xx * |
| 5 | *****************************************************************/ |
| 6 | |
| 7 | WARNING. If you can read this, then you are reading file from cvs and not |
| 8 | final release notes. |
| 9 | |
| 10 | |
| 11 | In this edition of SquirrelMail Release Notes: |
| 12 | * All About This Release! |
| 13 | * Major Updates |
| 14 | * Security Updates |
| 15 | * Plugin Updates |
| 16 | * Possible Issues |
| 17 | * Backwards Incompatible Changes |
| 18 | * Data Directory Changes |
| 19 | * Reporting Your Favorite SquirrelMail Bug |
| 20 | |
| 21 | |
| 22 | All About This Release! |
| 23 | ======================= |
| 24 | This is the second release of our new 1.5.x-series, which is a |
| 25 | DEVELOPMENT release. |
| 26 | |
| 27 | See the Major Updates section of this file for more information. |
| 28 | |
| 29 | |
| 30 | Major Updates |
| 31 | ============== |
| 32 | Rewritten IMAP functions and optimized IMAP data caching code. Internal |
| 33 | sorting functions should be faster than code used in SquirrelMail <= 1.5.0. |
| 34 | Together with the optimized caching code, all the logic concerning sorting has |
| 35 | been rewritten so that Squirrelmail can display more columns with sort support |
| 36 | in the messages list. I.e. the From and To column in the same view sorted on |
| 37 | size. Also, the number of IMAP calls is reduced by smarter caching in the IMAP |
| 38 | mailbox area and by the optimized header and sort cache code. Reducing the |
| 39 | amount of IMAP calls will lower the load on your IMAP server and increase |
| 40 | SquirrelMail performance. |
| 41 | |
| 42 | In-house gettext implementation replaced with PHP Gettext classes. Update adds |
| 43 | ngettext and dgettext support. |
| 44 | |
| 45 | Begin work on separating the SquirrelMail internal logic from user interface |
| 46 | related logic. This has resulted in the first (very) rough CSS-based PHP |
| 47 | templates. In future releases we will finish the mentioned separation and work |
| 48 | on simpler templates. |
| 49 | |
| 50 | Added JavaScript-based message row highlighting code (disabled by default) for |
| 51 | faster selection of messages in the messages list. |
| 52 | |
| 53 | Usage of a centralized error handler. Development will continue in 1.5.2. |
| 54 | |
| 55 | SquirrelMail has started using internal cookie functions in order to have more |
| 56 | control over cookie format. Cookies set with sqsetcookie() function now use an |
| 57 | extra parameter (HttpOnly) to secure cookie information by making the cookie |
| 58 | not accessible to scripts (particularly, JavaScript). This feature is only |
| 59 | supported in browsers that follow the MSDN cookie specifications (see |
| 60 | http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp). |
| 61 | Currently this is limited to IE6 >= SP1. |
| 62 | |
| 63 | SquirrelMail IMAP and SMTP libraries now support use of STARTTLS extension. |
| 64 | The code is experimental and requires PHP 5.1.0 or newer with |
| 65 | stream_socket_enable_crypto() function support enabled. |
| 66 | |
| 67 | Updated wrapping functions in compose. New wrapping code improves quoting |
| 68 | of text chapters. Thanks to Justus Pendleton. |
| 69 | |
| 70 | Added code for advanced searching in messages. Now it's possible to switch |
| 71 | between normal search and advanced search. |
| 72 | |
| 73 | Main SquirrelMail code implements view_as_html and folder_settings plugin |
| 74 | features. These plugins should not be used in SquirrelMail 1.5.1. |
| 75 | |
| 76 | |
| 77 | Security Updates |
| 78 | ================ |
| 79 | This release contains security fixes applied to development branch after 1.5.0 |
| 80 | release: |
| 81 | CVE-2004-0521 - SQL injection vulnerability in address book. |
| 82 | CVE-2004-1036 - XSS exploit in decodeHeader function. |
| 83 | CVE-2005-0075 - Potential file inclusion in preference backend selection code. |
| 84 | CVE-2005-0103 - Possible file/offsite inclusion in src/webmail.php. |
| 85 | CVE-2005-0104 - Possible XSS issues in src/webmail.php. |
| 86 | CVE-2005-1769 - Several cross site scripting (XSS) attacks. |
| 87 | CVE-2005-2095 - Extraction of all POST variables in advanced identity code. |
| 88 | CVE-2006-0188 - Possible XSS through right_frame parameter in webmail.php. |
| 89 | CVE-2006-0195 - Possible XSS in MagicHTML, IE only. |
| 90 | CVE-2006-0377 - IMAP injection in sqimap_mailbox_select mailbox parameter. |
| 91 | |
| 92 | If you use SquirrelMail 1.5.0, you should upgrade to 1.5.1 or downgrade to latest |
| 93 | stable SquirrelMail version. |
| 94 | |
| 95 | |
| 96 | Plugin Updates |
| 97 | ============== |
| 98 | Added site configuration options for filters, fortune, translate, newmail, |
| 99 | bug_report plugins. Improved newmail and change_password plugins. Fixed data |
| 100 | corruption issues in calendar plugin. |
| 101 | |
| 102 | SquirrelSpell plugin was updated to use generic SquirrelMail preference functions. |
| 103 | User preferences and personal dictionaries that were stored in .words files are |
| 104 | moved to .pref files or other configured user data storage backend. |
| 105 | |
| 106 | |
| 107 | Possible Issues |
| 108 | =============== |
| 109 | Internal SquirrelMail cookie implementation is experimental. If you have cookie |
| 110 | expiration or corruption issues and can reproduce them only in 1.5.1 version, |
| 111 | contact one of the SquirrelMail developers and to help them debug the issue. |
| 112 | |
| 113 | SquirrelMail 1.5.1 changed some functions and hooks. login_form hook requires |
| 114 | different coding style. html_top, html_bottom, internal_link hooks have been |
| 115 | removed. src/move_messages.php code has been moved to the main mailbox listing |
| 116 | script. Some hooks may be broken after implementation of templates, especially |
| 117 | in mailbox listing pages. soupNazi() function has been replaced with the |
| 118 | checkForJavascript() function. sqimap_messages_delete(), |
| 119 | sqimap_messages_copy(), sqimap_messages_flag() and sqimap_get_small_header() |
| 120 | functions are now obsolete. Some IMAP functions return data in different |
| 121 | format. If plugins depend on changed or removed functions, they will break in |
| 122 | this version of SquirrelMail. |
| 123 | |
| 124 | This SquirrelMail version added http headers that prevent caching of pages by |
| 125 | proxies. Headers are added in SquirrelMail displayHtmlHeader() function. Changes |
| 126 | require that html output is not started before displayHtmlHeader() is called. If |
| 127 | some code starts output, PHP errors will be displayed. If plugins display |
| 128 | notices in options_save hook and don't stop script execution on error, page |
| 129 | display will be broken. |
| 130 | |
| 131 | SquirrelMail 1.5.1 implemented code that unregisters globals in PHP |
| 132 | register_globals=on setups. Plugins that load main SquirrelMail functions and |
| 133 | depend on PHP register_globals=on will be broken. |
| 134 | |
| 135 | IMAP sorting/threading |
| 136 | By default, SquirrelMail will make use of the capabilities provided by the IMAP |
| 137 | server. This means that if the IMAP server supports SORT and THREAD sorting then |
| 138 | SquirrelMail makes use of it. Some broken IMAP servers advertise the SORT and |
| 139 | THREAD capabilities although they do not support it. For those IMAP servers |
| 140 | there is a config option to disable the use of SORT and THREAD sort. |
| 141 | |
| 142 | Backward Incompatible Changes |
| 143 | ============================= |
| 144 | Index order options are modified in 1.5.1 version. If older options are |
| 145 | detected, interface upgrades to newer option format and deletes old options. |
| 146 | |
| 147 | In version 1.5.1, SquirrelSpell user dictionaries are saved with generic |
| 148 | SquirrelMail data functions. SquirrelSpell should copy older dictionaries |
| 149 | if dictionary version information is not present in user preferences. Once |
| 150 | the dictionary is copied, <username>.words files are obsolete and no longer |
| 151 | updated. |
| 152 | |
| 153 | If the same data directory is used with other backwards incompatible versions, |
| 154 | the older SquirrelMail version may lose some user preferences or work with |
| 155 | outdated data. Admins are advised to use a separate data directory for the |
| 156 | 1.5.1 release. The data directory can be configured by running configure. |
| 157 | |
| 158 | Data Directory |
| 159 | ============== |
| 160 | The directory data/ is no longer included in our tarball. Since placing this |
| 161 | directory under a web-accessible directory is not very wise, we've decided to |
| 162 | not pack it anymore. Admins will need to create it. Please choose a location |
| 163 | that's safe (not web accessible), e.g. /var/squirrelmail/data. |
| 164 | |
| 165 | Reporting Your Favorite SquirrelMail Bug |
| 166 | ======================================== |
| 167 | We constantly aim to make SquirrelMail even better, so we need you to submit |
| 168 | any bugs you come across! Also, please mention that the bug is in this release |
| 169 | (version 1.5.1), and list your IMAP server and web server details. Bugs can be |
| 170 | submitted at: |
| 171 | |
| 172 | http://squirrelmail.org/bugs |
| 173 | |
| 174 | Thanks for your cooperation with this. This helps ensure that nothing slips |
| 175 | through the cracks. Also, please search the bug database for existing items |
| 176 | before submitting a new bug. This will help to eliminate duplicate reports and |
| 177 | increase the time we can spend FIXING existing bugs by DECREASING the time we |
| 178 | spend sorting through bug reports. Remember to check for CLOSED bug reports |
| 179 | also, not just OPEN bug reports, in case a bug you want to report may have been |
| 180 | recently fixed in our source code repository. |
| 181 | |
| 182 | If you want to join us in coding SquirrelMail, or have other things to share |
| 183 | with the developers, join the development mailing list: |
| 184 | |
| 185 | squirrelmail-devel@lists.sourceforge.net |
| 186 | |
| 187 | |
| 188 | About Our Release Alias |
| 189 | ======================= |
| 190 | This release is labeled the "Fire in the Hole" release. "Fire in the Hole" is |
| 191 | a phrase used to warn of the detonation of an explosive device. The phrase may |
| 192 | have been originated by miners, who made extensive use of explosives while |
| 193 | working underground. |
| 194 | |
| 195 | This release has been created to get a fixed package after more than two years |
| 196 | of development in the CVS HEAD branch. This package contains many experimental |
| 197 | changes. These changes add new features that can/will be unstable and/or |
| 198 | create an inconsistent UI. If you want to use stable code, you should stick to |
| 199 | the 1.4.x series of SquirrelMail. If you find issues in this package, make |
| 200 | sure that they are still present in the latest development code snapshots. To |
| 201 | obtain thelatest development snapshot, see |
| 202 | |
| 203 | http://squirrelmail.org/download.php#snapshot |
| 204 | |
| 205 | Happy SquirrelMailing! |
| 206 | - The SquirrelMail Project Team |