The shell escaping fix in map_yp_alias (CVE-2009-1579) was incomplete.

[squirrelmail.git] / doc / ChangeLog

diff --git a/doc/ChangeLog b/doc/ChangeLog
index 9e7eb7978bbbd34ec463fd1fb2b18e1fa598583c..4eb9f53f0fb7475996a2a197e58ccad90e896d70 100644 (file)
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -304,7 +304,8 @@ Version 1.5.2 - SVN
     also includes general cleanup of that page (Thanks to Niels Teusink).
     [also CVE-2009-1578]
   - Fixed unsanitized shell command in example IMAP username mapping
-    function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579]
+    function (map_yp_alias) (Thanks to Niels Teusink).
+    [CVE-2009-1579, CVE-2009-1381]
   - Fixed session fixation issues where someone who can modify a user's
     cookies could gain control of their login session.  The SquirrelMail
     base URI is now uniformly generated, extraneous cookies are cleaned
@@ -313,6 +314,8 @@ Version 1.5.2 - SVN
   - Cleanup variable name in address search for compose to clearup confusion.
   - Remove Javascript from address search page when JavaScript is disabled.
   - Add "Check All" function to address book when using "in-page" addressbook.
+  - Fixed the Filters plugin to allow commas in filter criteria text.
+  - In SMTP, when we EHLO with an IP, wrap it in brackets (#2793154).
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------