- Security: Fix possible cross site scripting through the right_main

[squirrelmail.git] / ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 17541dee1d523c6c6e4630a6d73d6e5795081567..22917a51caf8cfc7aaa3faed6f2d9a0f8c3094de 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -507,7 +507,36 @@ Version 1.5.1 -- CVS
     modified to provide support of $sendmail_args. Modifications broke backwards 
     compatibility with qmail-inject workarounds.
   - Added execution error handling in Deliver_SendMail class (#1374174).
-  - Sanitized message composition error messages.
+  - Sanitized Draft folder error message in compose.
+  - Fixed character wrapping/encoding issues in Japanese translation (#1377622). 
+    Issue is specific to sqBodyWrap() and string function wrappers introduced in 
+    1.5.1.
+  - Security: MagicHTML fix for comments in styles which allowed
+    for cross site scripting when using Internet Explorer
+    [CVE-2006-0195].
+  - Added 'mail' and 'sn' attributes to address book LDAP backend search
+    expression (#1368154).
+  - Added mailbox caching code by Michael Long.
+  - Prevent output of whitespace during plugin activation. Fixes possible 
+    attachment corruption by incorrectly coded plugins.
+  - Fixed data sanitizing in calendar plugin (#1291081)(#705796).
+  - Security: Prohibit imap injection attempts (reported by Vicente Aguilera)
+    [CVE-2006-0377].
+  - Don't move messages in sqimap_msgs_list_move() function call, when target
+    mailbox is same as source mailbox. Adds fifth argument to 
+    sqimap_msgs_list_move() function. Fixes possible issues on MacOS Cyrus
+    IMAP server (#1409453).
+  - Style sheets are moved to template.
+  - displayHtmlHeader() function call sends http headers in order to prevent 
+    page caching.
+  - Added Template set selection.
+  - Merged patch from Steve Brown to transform current templates to css
+    based templates.
+  - Added footer template to every page.
+  - Added experimental IMAP and SMTP STARTTLS extension support.
+  - Security: Fix possible cross site scripting through the right_main
+    parameter of webmail.php. This now uses a whitelist of acceptable
+    values. [CVE-2006-0188]
 
 Version 1.5.0 - 2 February 2004
 -------------------------------
@@ -626,6 +655,8 @@ Version 1.5.0 - 2 February 2004
   - Integration of delete_move_next plugin into core.
   - Compression of buttons/headers for message index and message body
   - New option to save replies in the same folder as the original message.
+  - Remove possible unneeded IMAP call for NAMESPACE if it was saved in the
+    session (suggestion by Michael Long).
 
 
 **************************************