Version 1.5.2 - SVN
-------------------
+ - Fixed system lock-ups caused by a combination of certain rare, malformed
+ message headers and buggy versions of PHP mbstring (#3053349, $2987016).
- Fix broken set_url_var function in functions/html.php (#1729814).
- Fix incorrect detection of auth mechanisms in conf.pl (#1727033).
- The search expression in the LDAP backend of the Addressbook is now
- Completed a massive update to contrib/flat2sql.pl.
- Display visual indication of forwarded messages.
- Added Khmer translation (Thanks to Khoem Sokhem).
+ - Removed use of session_unregister() for compatibility with PHP 5.3.0
+ and PHP 6
- Remove ability for HTML emails to use CSS positioning to overlay
SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581]
- Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of
also includes general cleanup of that page (Thanks to Niels Teusink).
[also CVE-2009-1578]
- Fixed unsanitized shell command in example IMAP username mapping
- function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579]
+ function (map_yp_alias) (Thanks to Niels Teusink).
+ [CVE-2009-1579, CVE-2009-1381]
- Fixed session fixation issues where someone who can modify a user's
cookies could gain control of their login session. The SquirrelMail
base URI is now uniformly generated, extraneous cookies are cleaned
up and session IDs are regenerated upon every login (Thanks to Tomas
Hoger). [CVE-2009-1580]
+ - Cleanup variable name in address search for compose to clearup confusion.
+ - Remove Javascript from address search page when JavaScript is disabled.
+ - Add "Check All" function to address book when using "in-page" addressbook.
+ - Fixed the Filters plugin to allow commas in filter criteria text.
+ - In SMTP, when we EHLO with an IP, wrap it in brackets (#2793154).
+ - Bug Report plugin not handling multiple same key capabilities (thread/auth)
+ (#2796007).
+ - Removed the shut down DSBL blocklists (#2796734).
+ - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839).
+ - Stop using deprecated ereg functions. (#2820952)
+ - Remove personal data from Message ID seed. (#880029/847107)
+ - Implemented page referal verification mechanism. (Secunia Advisory SA34627)
+ - Implemented security token system. (Secunia Advisory SA34627)
+ - Fix issue with multi-part related messages not showing all attachments (#2830140).
+ - Fix for security token missing in newmail plugin (#2919418).
+ - Fix for mailto: urls containing + characters, thanks to Michael Puls II for the
+ patch.
+ - Make base URL autodetection more robust; fixes some lighttpd issues
+ (probably #1741469).
+ - Encoded From headers now properly quoted (#2830141).
+ - Multibyte strings (notably subjects) are now handled correctly (#2824813,
+ #2925731).
+ - X-DNS-Prefetch-Control: off header is now sent to browsers to prevent information
+ leakage when Firefox does DNS prefetching for URLs contained in emails.
+ - Added the ability to configure Google Mail (Gmail) as the mail server
+ behind SquirrelMail.
+ - Fix error with SpamCop reporting plugin not being able to send report as
+ emails (#1795310).
+ - Fix typo in SpamCop plugin.
+ - Reduced default time security tokens stay valid from 30 days to 2 days
+ (reduces chances of session data growing too large)
+ - Fixed minor vulnerability in Mail Fetch plugin [CVE-2010-1637/TEHTRI-SA-2010-009]
+ - Now properly quote personal part of encoded addresses when replying.
+ - Now fill in default subject when forwarding as attachment (#2936541).
+ - Fixed issues caused by use of PostgreSQL keyword "user" in SquirrelMail's
+ default preferences database schema (#2943483).
+ - Fixed attachment filename decoding problems (#2994865).
+ - Now allow multiple plugins to handle (add links for) a single
+ attachment MIME type.
+ - Fixed sqauth_read_password() for plugins on the login_verified hook.
+ - Forced addition of a file suffix to attachments that lack a filename
+ (helps forwarded messages avoid spam filters) (Thanks to Petr
+ Kletecka) (#3139004).
+ - Added smtp_authenticate hook (Thanks to Emmanuel Dreyfus).
+ - Allow administrators to configure subfolders of user INBOXes to be
+ treated as special folders by adding $subfolders_of_inbox_are_special
+ to config_local.php.
+ - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen
+ for bringing this to our attention). [CVE-2010-4554]
+ - Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell
+ plugin, and added anti-CSRF protection to the empty trash feature (thanks
+ to Nicholas Carlini for finding all these issues).
+ [CVE-2011-2752, CVE-2011-2753, CVE-2010-4555]
+ - Fixed XSS problem with unsanitized style tags in messages. [CVE-2011-2023]
Version 1.5.1 (branched on 2006-02-12)
--------------------------------------
projects / squirrelmail.git / blobdiff