Change anti-CSRF security token lifetime to be session-based

[squirrelmail.git] / doc / ChangeLog

diff --git a/doc/ChangeLog b/doc/ChangeLog
index d4cdb30a35ce03c89eff2836eb58e944e819b84e..58de4e7e6e24bf79163700ece8a0fc0604735d47 100644 (file)
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -404,6 +404,22 @@ Version 1.5.2 - SVN
     the HELO host sent to the SMTP server when sending messages
   - Added PDO support for database connections, so no external
     database module needs to be installed
+  - Fixed insufficient sendmail command argument escaping (thanks
+    to Mitchel Sahertian, Beyond Security/Dawid Golunski and Filippo
+    Cavallarin for bringing this to our attention). [CVE-2017-7692]
+  - Added ability to control the display of the "Check Spelling"
+    button provided by the squirrelspell plugin, which allows
+    administrators to offer this plugin but keep it out of the way
+    for users who do not want it. Put sqspell_show_button=0 in 
+    default preferences if it should be hidden by default
+  - Add ability for saved drafts to indicate if they are a reply
+    or forward and if so, to which message, and mark that message
+    as replied or forwarded when the draft is finally sent
+  - Added option to allow returning to the message one had been
+    replying to after sending 
+  - Sanitize user-supplied attachment filenames (thanks to Florian
+    Grunow for reporting this issue) [CVE-2018-8741]
+  - Changed anti-CSRF security token lifetime to be session-based.
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------