dc00b90c |
1 | /***************************************************************** |
2 | * Release Notes: SquirrelMail 1.5.1 * |
3 | * The "Fire in the Hole" Release * |
4 | * 2006-02-19 * |
5 | *****************************************************************/ |
6 | |
7 | In this edition of SquirrelMail Release Notes: |
8 | * All About This Release! |
9 | * Major Updates |
10 | * Security Updates |
11 | * Plugin Updates |
12 | * Possible Issues |
13 | * Backwards Incompatible Changes |
14 | * Data Directory Changes |
15 | * Reporting Your Favorite SquirrelMail Bug |
16 | |
17 | |
18 | All About This Release! |
19 | ======================= |
20 | This is the second release of our new 1.5.x-series, which is a |
21 | DEVELOPMENT release. |
22 | |
23 | See the Major Updates section of this file for more information. |
24 | |
25 | |
26 | Major Updates |
27 | ============== |
28 | Rewritten IMAP functions and optimized IMAP data caching code. Internal |
29 | sorting functions should be faster than code used in SquirrelMail <= 1.5.0. |
30 | Together with the optimized caching code, all the logic concerning sorting has |
31 | been rewritten so that Squirrelmail can display more columns with sort support |
32 | in the messages list. I.e. the From and To column in the same view sorted on |
33 | size. Also, the number of IMAP calls is reduced by smarter caching in the IMAP |
34 | mailbox area and by the optimized header and sort cache code. Reducing the |
35 | amount of IMAP calls will lower the load on your IMAP server and increase |
36 | SquirrelMail performance. |
37 | |
38 | In-house gettext implementation replaced with PHP Gettext classes. Update adds |
39 | ngettext and dgettext support. |
40 | |
41 | Begin work on separating the SquirrelMail internal logic from user interface |
42 | related logic. This has resulted in the first (very) rough CSS-based PHP |
43 | templates. In future releases we will finish the mentioned separation and work |
44 | on simpler templates. |
45 | |
46 | Added JavaScript-based message row highlighting code (disabled by default) for |
47 | faster selection of messages in the messages list. |
48 | |
49 | Usage of a centralized error handler. Development will continue in 1.5.2. |
50 | |
51 | SquirrelMail has started using internal cookie functions in order to have more |
52 | control over cookie format. Cookies set with sqsetcookie() function now use an |
53 | extra parameter (HttpOnly) to secure cookie information by making the cookie |
54 | not accessible to scripts (particularly, JavaScript). This feature is only |
55 | supported in browsers that follow the MSDN cookie specifications (see |
56 | http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp). |
57 | Currently this is limited to IE6 >= SP1. |
58 | |
59 | SquirrelMail IMAP and SMTP libraries now support use of STARTTLS extension. |
60 | The code is experimental and requires PHP 5.1.0 or newer with |
61 | stream_socket_enable_crypto() function support enabled. |
62 | |
63 | Updated wrapping functions in compose. New wrapping code improves quoting |
64 | of text chapters. Thanks to Justus Pendleton. |
65 | |
66 | Added code for advanced searching in messages. Now it's possible to switch |
67 | between normal search and advanced search. |
68 | |
69 | Main SquirrelMail code implements view_as_html, msg_flags and folder_settings |
70 | plugin features. These plugins should not be used in SquirrelMail 1.5.1. |
71 | |
72 | SquirrelMail translations are loaded from locale/*/setup.php files. If files |
73 | are not present or only one translation (en_US) is available, translation |
74 | selection options are not displayed to end user. |
75 | |
76 | Security Updates |
77 | ================ |
78 | This release contains security fixes applied to development branch after 1.5.0 |
79 | release: |
80 | CVE-2004-0521 - SQL injection vulnerability in address book. |
81 | CVE-2004-1036 - XSS exploit in decodeHeader function. |
82 | CVE-2005-0075 - Potential file inclusion in preference backend selection code. |
83 | CVE-2005-0103 - Possible file/offsite inclusion in src/webmail.php. |
84 | CVE-2005-0104 - Possible XSS issues in src/webmail.php. |
85 | CVE-2005-1769 - Several cross site scripting (XSS) attacks. |
86 | CVE-2005-2095 - Extraction of all POST variables in advanced identity code. |
87 | CVE-2006-0188 - Possible XSS through right_frame parameter in webmail.php. |
88 | CVE-2006-0195 - Possible XSS in MagicHTML, IE only. |
89 | CVE-2006-0377 - IMAP injection in sqimap_mailbox_select mailbox parameter. |
90 | |
91 | If you use SquirrelMail 1.5.0, you should upgrade to 1.5.1 or downgrade to latest |
92 | stable SquirrelMail version. |
93 | |
94 | |
95 | Plugin Updates |
96 | ============== |
97 | Added site configuration options for filters, fortune, translate, newmail, |
98 | bug_report plugins. Improved newmail and change_password plugins. Fixed data |
99 | corruption issues in calendar plugin. |
100 | |
101 | SquirrelSpell plugin was updated to use generic SquirrelMail preference functions. |
102 | User preferences and personal dictionaries that were stored in .words files are |
103 | moved to .pref files or other configured user data storage backend. |
104 | |
105 | |
106 | Possible Issues |
107 | =============== |
108 | Internal SquirrelMail cookie implementation is experimental. If you have cookie |
109 | expiration or corruption issues and can reproduce them only in 1.5.1 version, |
110 | contact one of the SquirrelMail developers and to help them debug the issue. |
111 | |
112 | SquirrelMail 1.5.1 changed some functions and hooks. login_form hook requires |
113 | different coding style. html_top, html_bottom, internal_link hooks have been |
114 | removed. src/move_messages.php code has been moved to the main mailbox listing |
115 | script. Some hooks may be broken after implementation of templates, especially |
116 | in mailbox listing pages. soupNazi() function has been replaced with the |
117 | checkForJavascript() function. sqimap_messages_delete(), |
118 | sqimap_messages_copy(), sqimap_messages_flag() and sqimap_get_small_header() |
119 | functions are now obsolete. Some IMAP functions return data in different |
120 | format. If plugins depend on changed or removed functions, they will break in |
121 | this version of SquirrelMail. |
122 | |
123 | This SquirrelMail version added http headers that prevent caching of pages by |
124 | proxies. Headers are added in SquirrelMail displayHtmlHeader() function. Changes |
125 | require that html output is not started before displayHtmlHeader() is called. If |
126 | some code starts output, PHP errors will be displayed. If plugins display |
127 | notices in options_save hook and don't stop script execution on error, page |
128 | display will be broken. |
129 | |
130 | SquirrelMail 1.5.1 implemented code that unregisters globals in PHP |
131 | register_globals=on setups. Plugins that load main SquirrelMail functions and |
132 | depend on PHP register_globals=on will be broken. |
133 | |
134 | IMAP sorting/threading |
135 | By default, SquirrelMail will make use of the capabilities provided by the IMAP |
136 | server. This means that if the IMAP server supports SORT and THREAD sorting then |
137 | SquirrelMail makes use of it. Some broken IMAP servers advertise the SORT and |
138 | THREAD capabilities although they do not support it. For those IMAP servers |
139 | there is a config option to disable the use of SORT and THREAD sort. |
140 | |
141 | Backward Incompatible Changes |
142 | ============================= |
143 | Index order options are modified in 1.5.1 version. If older options are |
144 | detected, interface upgrades to newer option format and deletes old options. |
145 | |
146 | In version 1.5.1, SquirrelSpell user dictionaries are saved with generic |
147 | SquirrelMail data functions. SquirrelSpell should copy older dictionaries |
148 | if dictionary version information is not present in user preferences. Once |
149 | the dictionary is copied, <username>.words files are obsolete and no longer |
150 | updated. |
151 | |
152 | If the same data directory is used with other backwards incompatible versions, |
153 | the older SquirrelMail version may lose some user preferences or work with |
154 | outdated data. Admins are advised to use a separate data directory for the |
155 | 1.5.1 release. The data directory can be configured by running configure. |
156 | |
157 | Data Directory |
158 | ============== |
159 | The directory data/ is no longer included in our tarball. Since placing this |
160 | directory under a web-accessible directory is not very wise, we've decided to |
161 | not pack it anymore. Admins will need to create it. Please choose a location |
162 | that's safe (not web accessible), e.g. /var/squirrelmail/data. |
163 | |
164 | Reporting Your Favorite SquirrelMail Bug |
165 | ======================================== |
166 | We constantly aim to make SquirrelMail even better, so we need you to submit |
167 | any bugs you come across! Also, please mention that the bug is in this release |
168 | (version 1.5.1), and list your IMAP server and web server details. Bugs can be |
169 | submitted at: |
170 | |
171 | http://www.squirrelmail.org/bugs |
172 | |
173 | Thanks for your cooperation with this. This helps ensure that nothing slips |
174 | through the cracks. Also, please search the bug database for existing items |
175 | before submitting a new bug. This will help to eliminate duplicate reports and |
176 | increase the time we can spend FIXING existing bugs by DECREASING the time we |
177 | spend sorting through bug reports. Remember to check for CLOSED bug reports |
178 | also, not just OPEN bug reports, in case a bug you want to report may have been |
179 | recently fixed in CVS. |
180 | |
181 | If you want to join us in coding SquirrelMail, or have other things to share |
182 | with the developers, join the development mailing list: |
183 | |
184 | squirrelmail-devel@lists.sourceforge.net |
185 | |
186 | |
187 | About Our Release Alias |
188 | ======================= |
189 | This release is labeled the "Fire in the Hole" release. "Fire in the Hole" is |
190 | a phrase used to warn of the detonation of an explosive device. The phrase may |
191 | have been originated by miners, who made extensive use of explosives while |
192 | working underground. |
193 | |
194 | This release has been created to get a fixed package after more than two years |
195 | of development in the CVS HEAD branch. This package contains many experimental |
196 | changes. These changes add new features that can/will be unstable and/or |
197 | create an inconsistent UI. If you want to use stable code, you should stick to |
198 | the 1.4.x series of SquirrelMail. If you find issues in this package, make |
199 | sure that they are still present in the latest development code snapshots. To |
200 | obtain thelatest development snapshot, see |
201 | |
202 | http://www.squirrelmail.org/download.php#snapshot |
203 | |
204 | Happy SquirrelMailing! |
205 | - The SquirrelMail Project Team |