| 1 | /***************************************************************** |
| 2 | * Release Notes: SquirrelMail 1.5.1 * |
| 3 | * The "Fire in the Hole" Release * |
| 4 | * 2006-02-19 * |
| 5 | *****************************************************************/ |
| 6 | |
| 7 | WARNING: If you can read this, then you are reading a file from 1.5.1cvs and |
| 8 | not the final release notes. |
| 9 | |
| 10 | |
| 11 | |
| 12 | In this edition of SquirrelMail Release Notes: |
| 13 | * All about this Release! |
| 14 | * Major updates |
| 15 | * Security updates |
| 16 | * Plugin updates |
| 17 | * Possible issues |
| 18 | * Backwards incompatible changes |
| 19 | * Data directory changes |
| 20 | * Reporting my favorite SquirrelMail bug |
| 21 | |
| 22 | All about this Release! |
| 23 | ======================= |
| 24 | |
| 25 | This is the second release of our new 1.5.x-series, which is a |
| 26 | DEVELOPMENT release. |
| 27 | |
| 28 | See the Major Updates section of this file for more. |
| 29 | |
| 30 | |
| 31 | Major updates |
| 32 | ============== |
| 33 | Rewrote the IMAP functions and added optimized IMAP data caching code. Internal |
| 34 | sorting functions should be faster than the code used in SquirrelMail 1.5.0 and |
| 35 | older versions. Together with the optimized caching code, all of the sorting |
| 36 | logic was rewritten so that SquirrelMail can display more columns with sort |
| 37 | support in the message list, e.g. the From and To columns in the same view, |
| 38 | sorted by size. |
| 39 | The number of IMAP calls is reduced by smarter caching in the IMAP mailbox area |
| 40 | and by the optimized header and sort cache described above. Reducing the |
| 41 | number of IMAP calls lowers the load on your IMAP server and increases |
| 42 | SquirrelMail performance. |
| 43 | |
| 44 | SquirrelMail's own gettext implementation was replaced with the PHP Gettext |
| 45 | classes. The update adds ngettext and dgettext support. |
| 46 | |
| 47 | Started separating SquirrelMail's internal logic from user-interface logic, |
| 48 | which resulted in the first rough CSS-based templates in PHP. In future |
| 49 | releases we will finish this separation and work on simpler |
| 50 | templates. |
| 51 | |
| 52 | Added JavaScript-based message row highlighting code (disabled by default) for |
| 53 | faster selection of messages in the message list. |
| 54 | |
| 55 | Uses a centralized error handler (the move to it continues in 1.5.2). |
| 56 | |
| 57 | SquirrelMail started using internal cookie functions in order to have more |
| 58 | control over the cookie format. Cookies set with the sqsetcookie() function use |
| 59 | an extra parameter (HttpOnly) that protects cookie information from JavaScript |
| 60 | access in browsers that follow the MSDN cookie specifications (currently recent |
| 61 | IE6 versions). |
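
The header format described above, as an added example (not SquirrelMail's sqsetcookie() code): build_cookie_header() is a hypothetical helper that emits a Set-Cookie line carrying the HttpOnly attribute and rejects names and attributes that could inject further attributes or header lines. The cookie name and value are constructed.

```php
<?php
// Added illustration, not SquirrelMail's sqsetcookie(). build_cookie_header()
// is a hypothetical helper; the cookie name and value below are constructed.

// Returns one "Set-Cookie: ..." header line, HttpOnly by default.
function build_cookie_header($name, $value, $expires = 0, $path = '/',
                             $domain = '', $secure = false, $httpOnly = true)
{
    // Cookie names are HTTP tokens: no separators, whitespace or control bytes.
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+\z/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    // Path and domain must not be able to start a new attribute or header line.
    foreach (array($path, $domain) as $attr) {
        if (preg_match('/[;\x00-\x1f\x7f]/', $attr)) {
            throw new InvalidArgumentException('invalid cookie attribute');
        }
    }
    // rawurlencode() keeps ';', ',', spaces and CR/LF out of the value.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expires > 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
    }
    if ($path !== '')   { $header .= '; path=' . $path; }
    if ($domain !== '') { $header .= '; domain=' . $domain; }
    if ($secure)        { $header .= '; secure'; }
    if ($httpOnly)      { $header .= '; HttpOnly'; }
    return $header;
}

$line = build_cookie_header('example_session', 'constructed id; 42', 0, '/mail/', '', true);
if (PHP_SAPI === 'cli') {
    echo $line, "\n";
} else {
    header($line, false);   // false: add to, not replace, earlier Set-Cookie headers
}
```

Browsers that do not implement HttpOnly ignore the attribute, so the cookie still works there but stays readable from script.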
| 62 | |
| 63 | SquirrelMail IMAP and SMTP libraries were updated to allow use of the STARTTLS |
| 64 | extension. The code is experimental and requires PHP 5.1.0 or newer with |
| 65 | support for the stream_socket_enable_crypto() function. |
| 66 | |
| 67 | Updated wrapping functions in compose. |
| 68 | |
| 69 | Added code for advanced searching in messages. It is now possible to switch |
| 70 | between normal search and advanced search. |
| 71 | |
| 72 | |
| 73 | Security updates |
| 74 | ================ |
| 75 | |
| 76 | This release contains security fixes applied to the development branch after |
| 77 | the 1.5.0 release: |
| 78 | CVE-2004-0521 - SQL injection vulnerability in address book. |
| 79 | CVE-2004-1036 - XSS exploit in decodeHeader function. |
| 80 | CVE-2005-0075 - Potential file inclusion in preference backend selection code. |
| 81 | CVE-2005-0103 - Possible file/offsite inclusion in src/webmail.php. |
| 82 | CVE-2005-0104 - Possible XSS issues in src/webmail.php. |
| 83 | CVE-2005-1769 - Several cross site scripting (XSS) attacks. |
| 84 | CVE-2005-2095 - Extraction of all POST variables in advanced identity code. |
| 85 | CVE-2006-0188 - Possible XSS through right_frame parameter in webmail.php. |
| 86 | CVE-2006-0195 - Possible XSS in MagicHTML, IE only. |
| 87 | CVE-2006-0377 - IMAP injection in sqimap_mailbox_select mailbox parameter. |
| 88 | |
| 89 | If you use SquirrelMail 1.5.0, you should upgrade to 1.5.1 or downgrade to the |
| 90 | latest stable SquirrelMail version. |
| 91 | |
| 92 | Plugin updates |
| 93 | ============== |
| 94 | Added site configuration options to the filters, fortune, translate, newmail, |
| 95 | and bug_report plugins. Improved the newmail and change_password plugins. Fixed |
| 96 | data corruption issues in the calendar plugin. |
| 97 | |
| 98 | The SquirrelSpell plugin was updated to use the generic SquirrelMail preference |
| 99 | functions. User preferences and personal dictionaries that were stored in .words |
| 100 | files are moved to .pref files or another configured user data storage backend. |
| 101 | |
| 102 | |
| 103 | Possible issues |
| 104 | =============== |
| 105 | The internal SquirrelMail cookie implementation is experimental. If you have |
| 106 | cookie expiration or corruption issues with some browser and can reproduce them |
| 107 | only in version 1.5.1, contact one of the SquirrelMail developers and help them |
| 108 | to debug your issue. |
| 109 | |
| 110 | SquirrelMail 1.5.1 changed some functions and hooks. The login_form hook requires |
| 111 | a different coding style. The html_top, html_bottom and internal_link hooks are |
| 112 | removed. The src/move_messages.php code moved to the main mailbox listing script. |
| 113 | Some hooks are broken after the implementation of templates in mailbox listing |
| 114 | pages. The soupNazi() function is replaced with the checkForJavascript() function. |
| 115 | The sqimap_messages_delete, sqimap_messages_copy, sqimap_messages_flag and |
| 116 | sqimap_get_small_header() functions are obsolete. Some IMAP functions return data |
| 117 | in a different format. If plugins depend on changed or removed functions, they |
| 118 | will break in this SquirrelMail version. |
| 119 | |
| 120 | This SquirrelMail version implements code that unregisters globals in PHP |
| 121 | register_globals=on setups. If a plugin loads the main SquirrelMail functions |
| 122 | and depends on PHP register_globals, it will break. |
| 123 | |
| 124 | IMAP sorting/threading |
| 125 | By default SquirrelMail will make use of the capabilities provided by the IMAP |
| 126 | server. This means that if the IMAP server supports SORT and THREAD sorting then |
| 127 | SquirrelMail makes use of it. Some broken IMAP servers advertise the SORT and |
| 128 | THREAD capabilities although they do not support them. For those IMAP servers |
| 129 | there is a config option to disable the use of SORT and THREAD sort. |
| 130 | |
| 131 | Backward incompatible changes |
| 132 | ============================= |
| 133 | Index order options are modified in version 1.5.1. If older options are |
| 134 | detected, the interface upgrades to the newer format and deletes the old options. |
| 135 | |
| 136 | In version 1.5.1, SquirrelSpell user dictionaries are saved with the generic |
| 137 | SquirrelMail data functions. The code should copy the older dictionary if |
| 138 | dictionary version information is not present in user preferences. Once the |
| 139 | dictionary is copied, <username>.words files are obsolete and no longer updated. |
| 140 | |
| 141 | If the same data directory is used with another backwards-incompatible version, |
| 142 | the older SquirrelMail version can lose some user preferences or work with |
| 143 | outdated data. We advise using a separate data directory for the 1.5.1 release. |
| 144 | The data directory can be configured by running configure. |
| 145 | |
| 146 | |
| 147 | Data directory |
| 148 | ============== |
| 149 | |
| 150 | The directory data/ used to be included in our tarball. Since placing this dir |
| 151 | under a web accessible directory is not very wise, we've decided to not pack it |
| 152 | anymore; you need to create it yourself. Please choose a location that's safe, |
| 153 | e.g. somewhere under /var. |
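
One way to check the location advice above on a Unix-like host, as an added example (not SquirrelMail code): is_web_exposed() and rm_tree() are hypothetical helpers, and the directory layout is constructed under the system temp directory. It resolves symlinks and ".." before comparing, so a path that only looks like it is outside the document root is still caught.

```php
<?php
// Added illustration, not SquirrelMail code; is_web_exposed() and rm_tree()
// are hypothetical helper names.

// True when $dataDir, after resolving symlinks and "..", lies inside $docRoot.
function is_web_exposed($dataDir, $docRoot)
{
    $data = realpath($dataDir);
    $root = realpath($docRoot);
    if ($data === false || $root === false) {
        throw new RuntimeException('path does not exist or is not readable');
    }
    // Trailing separator: .../www-data must not count as a child of .../www.
    $data = rtrim($data, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($data, $root, strlen($root)) === 0;
}

function rm_tree($path)
{
    if (is_link($path) || is_file($path)) { unlink($path); return; }
    foreach (array_diff(scandir($path), array('.', '..')) as $entry) {
        rm_tree($path . '/' . $entry);
    }
    rmdir($path);
}

// Constructed directory layout under the system temp directory.
$base = sys_get_temp_dir() . '/sm-datadir-demo-' . getmypid();
mkdir("$base/www/squirrelmail/data", 0700, true);   // inside the web root
mkdir("$base/www-data/squirrelmail", 0700, true);   // sibling with a similar prefix
mkdir("$base/var/squirrelmail/data", 0700, true);   // outside the web root
symlink("$base/www/squirrelmail/data", "$base/var/squirrelmail/link"); // points back in

$docRoot = "$base/www";
$candidates = array('www/squirrelmail/data', 'www-data/squirrelmail',
                    'var/squirrelmail/data', 'var/squirrelmail/link',
                    'var/../www/squirrelmail/data');
foreach ($candidates as $rel) {
    $verdict = is_web_exposed("$base/$rel", $docRoot) ? 'EXPOSED' : 'ok';
    printf("%-30s %s\n", $rel, $verdict);
}
rm_tree($base);
```

A directory outside the document root can still be published by an alias or a second virtual host, so check the web server configuration as well.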
| 154 | |
| 155 | |
| 156 | Reporting my favorite SquirrelMail bug |
| 157 | ====================================== |
| 158 | |
| 159 | We constantly aim to make SquirrelMail even better. So we need you to submit |
| 160 | any bug you come across! Also, please mention that the bug is in this 1.5.1 |
| 161 | release, and list your IMAP server and webserver details. |
| 162 | |
| 163 | http://www.squirrelmail.org/bugs |
| 164 | |
| 165 | Thanks for your cooperation with this. That helps us to make sure nothing slips |
| 166 | through the cracks. Also, it would help if people would check existing tracker |
| 167 | items for a bug before reporting it again. This would help to eliminate |
| 168 | duplicate reports, and increase the time we can spend CODING by DECREASING the |
| 169 | time we spend sorting through bug reports. And remember, check not only OPEN |
| 170 | bug reports, but also closed ones as a bug that you report MAY have been fixed |
| 171 | in CVS already. |
| 172 | |
| 173 | If you want to join us in coding SquirrelMail, or have other things to share |
| 174 | with the developers, join the development mailing list: |
| 175 | |
| 176 | squirrelmail-devel@lists.sourceforge.net |
| 177 | |
| 178 | |
| 179 | About Our Release Alias |
| 180 | ======================= |
| 181 | |
| 182 | This release is labeled the "Fire in the Hole" release. "Fire in the hole" is |
| 183 | a phrase used to warn of the detonation of an explosive device. The phrase may |
| 184 | have originated with miners, who made extensive use of explosives while |
| 185 | working underground. |
| 186 | |
| 187 | This release was created in order to get a fixed package after two years of |
| 188 | development in the HEAD branch. The package contains many experimental changes. |
| 189 | These changes add new features that can be unstable and cause an inconsistent |
| 190 | UI. If you want to use stable code, you should stick to the SquirrelMail 1.4.x |
| 191 | series. If you find issues in this package, make sure that they are still |
| 192 | present in the latest development code snapshots. |
| 193 | |
| 194 | Happy SquirrelMailing! |
| 195 | - The SquirrelMail Project Team |