X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=ChangeLog;h=5fa39eebc917c8894ec87e3956fcb6c5bd81b480;hp=67f88eda9a0ddba95c01e321b89f4cdc445b27c4;hb=eaddf11f4c08b8a19396d50c8f80c2360f71d70a;hpb=7e564026564be536247bf195cfccb65d3beb1708 diff --git a/ChangeLog b/ChangeLog index 67f88eda..5fa39eeb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,7 +5,7 @@ Version 1.5.1 -- CVS -------------------- - New reply citation to include date and author. - - Fix some possible XSS bugs. + - Securiy: Fix some possible XSS bugs. - Norwegian Bokmal translation uses nb_NO. - Integrated Msg_Flags plugin - turn on/off icons using configuration tool, menu number 11 (Tweaks), option number 3, after which users must select an icon @@ -59,14 +59,14 @@ Version 1.5.1 -- CVS - Make used of cached ordered uid list in case of server_side_sorting. - Rewrite of internal mailbox sorting routines. - Added sort by message size. - - Fixed XSS vulnerability in content-type display in the attachment area - of read_body.php discovered by Roman Medina. + - Security: Fixed XSS vulnerability in content-type display in the attachment + area of read_body.php discovered by Roman Medina. - Get alternating row colors of addressbook in sync with mailbox list. - Give proper error when PEAR DB not found. - Remove inappropriate strip_tags() from add-to-addressbook (#968475). - Prefs caching didn't work properly with register_globals off (#995102). - Security: fix SQL injection vulnerability in addressbook - (CVE ID: CAN-2004-0521). + [CAN-2004-0521]. - Removed html_top and html_bottom hooks. No longer used/needed. - Added "trailing text" for options built by SquirrelMail (text placed after text and select list inputs on options pages) @@ -92,11 +92,83 @@ Version 1.5.1 -- CVS before. - $agresive_decoding configuration option changed to $aggressive_decoding. Fixed spelling. - - Added $loosy_encoding option (provides fix for #806698) + - Added $lossy_encoding option (provides fix for #806698) - Reenabled use of $default_charset option. Option works only with en_US translation in order to prevent language/charset misconfiguration. - Fixes for nonpopulation of folder lists and errors when emptying the trash (provides fixes for #1019185 and #1017941) + - Fixed $custom_css loading in squirrelspell plugin. + - Turkish translation uses C character case conversion rules. Fixes php and + squirrelmail functions are assume English conversion rules. + - Fixed problem that caused an error when deleting all messages on the last page + of a paginated view (provides fix for #1014612) + - Added MySQL password/UNIX crypt support to mysql backend in the + change_password plugin + - Make SMTP Authentication detection in conf.pl more RFC-compliant. + - Fixed IMAP errors when using mail_fetch plugin to auto-fetch on login. + - Fixed folder list in Create Folders list for Courier (properly skip INBOX). + - Fixed undefined variables in sqimap_create_stream(). + - Added Bengali translation support. + - Fixed left frame mailbox list when sorting by case. + - Separated fortune plugin configuration variables from main plugin scripts. + See plugins/fortune/INSTALL. + - Fix for #906217 when checking spelling of inline replies, the corrected + words would appear through original email. + - Fixed empty information menu when viewing vCards without information + but name and e-mail address. + - User may now add an e-mail address when adding vCards without one to the + address book. No need to wait for the error message anymore. + - Removed japanese_xtra function used by older XTRA_CODE calls. Plugins + should use separate xtra_code functions. Older function does not provide + information about supported options. + - Added php-gettext classes (see class/l10n/*.php) and ngettext support + functions (provides fix for #1019007). + - LC_NUMERIC locale is set to C. (workaround for #1027130). Some plugins + might use decimal delimiters incorrectly. + - Added sq_is8bit function that can be used to detect 8bit strings. + - Added sq_mb_list_encodings function that provides list of encodings supported + by php mbstring module. + - Added Content-Transfer-Encoding: 8bit header for read receipts that contain + 8bit symbols. (provides fix for #934033). + - Fixed decoding function problems when mbstring.func_override has MB_OVERLOAD_REGEX + enabled. + - Security: Fixed XSS exploit in decodeHeader function. [CAN-2004-1036] + - Added site configuration and custom translation engine support to translate + plugin. + - Fixed SquirrelSpell error output. Patch courtesy David Boone. + - Fixed bug in IMAP read routines that treated "0" as false instead of + a string (patch courtesy Maurice Makaay). + - Fixed PHP notice when header property value is blank. + - Added compact paginator option. Patch by Felix Egli. + - Fixed reply/forward form in order to avoid warnings in SSL enabled sites. Patch + by Felix Egli. + - Removed command line option unsupported by qmail-inject in + class/deliver/Deliver_SendMail.class.php. Thanks to Ken Brush. + - Global file based address book is controled in configuration. Removed + global_file address book backend (use 'local_file' instead). + - Added Net-Style theme by Gabriele Maidecchi. Closes patch #1041323. + - Fix: Messages shown with bad times in message list due to misinterpreted + UW IMAP internal date. + - Fixed path used by random theme. + - Utf7-imap encoding/decoding functions will check, if required charset is + supported by mbstring and use it. Fixes bug #1005353. + - LDAP backend will use internal squirrelmail charset conversion functions + instead of php xml extension. Fixes bug #655137. + - Added Wood theme and Silver Steel theme by Pavel Spatny and Simple Green theme + - Fix two time zone calculation bugs, thanks to David White. Fixes #1063879. + - 'Priority' and 'Importance' headers are now also recognised, next to the + 'X-Priority' header that we've supported since a long time. Fixes #1039935. + - Handle a reload of the signout page gracefully: do not present an error + about having to be logged in to be able to sign out. Fixes #1070069. + - Prevent & being eaten in set_url_var, thanks Marcin Orlowski. Fixes #1053725. + - Removed internal_link hook. + - Added sq_setlocale function in order to use multiple locale names. + - Added size attributes to new_mail sound tags. Fixes #818958. + - Removed extra ; in SquirrelMail added Received header per RFC 822. Fixes #1088548. + - Add IMAP server type "hmailserver" to make search work with hMailServer. + Fixes #1085377. + - Reuploaded newmail plugin sounds. Fixes files uploaded to cvs without binary + option. Version 1.5.0 -------------------- @@ -259,7 +331,7 @@ Version 1.4.0 -- 3 April 2003 - Update required PHP version in documentation to 4.0.6. - Fixed delete_move_next plugin to remember where it moved mail to. - Fixed compose to remember attachments. - - Fixed possible XSS in compose when replying to malicious sources. + - Security: Fixed possible XSS in compose when replying to malicious sources. - Add display of the maximum filesize for attachment uploads. - Do not add < and > if an identity doesn't contain a full name. - Fixed bug in parsing Content-Type properties part. @@ -301,7 +373,7 @@ Version 1.4.0 RC 2a - Correctly fold encoded header lines. - Fix prefs caching not working correctly in PHP 4.3 caused by a stupid version checking mechanism. - - Fix XSS hole that allowed JavaScript execution by sending someone + - Security: Fix XSS hole that allowed JavaScript execution by sending someone an email with specially crafted headers. Thanks Jason Munro, and Masato Higashiyama. @@ -415,13 +487,13 @@ Version 1.2.7 -- June 21 2002 Version 1.2.6 -- April 29 2002 ------------------------------ - - A complete MagicHTML rewrite since the existing codebase was + - Security: A complete MagicHTML rewrite since the existing codebase was causing too many XSS problems. Hopefully now Nick Cleaton will leave us alone. :) Testing credits go to Nick. - - Fix for cross-site scripting vulnerability (bug #545933) + - Security: Fix for cross-site scripting vulnerability (bug #545933) Reported by Nick Cleaton. - Changing "emtpy" to "purge" for more clarity. - - Fix for cross-site scripting vulnerability (bug #544658) + - Security: Fix for cross-site scripting vulnerability (bug #544658) Reported by Nick Cleaton. - Fix for incorrect word wrap in Opera (bug #495073) - Workaround for older prefs: some of them contain "None" for @@ -436,7 +508,7 @@ Version 1.2.6 -- April 29 2002 - Added a server-side sorting global option - Compose in new window size can be set in Display prefs. - Logout error system unified. - - Fix for a "theme passed as cookie" exploit. + - Security: Fix for a "theme passed as cookie" exploit. [CVE-2002-0516] - PostgreSQL is now supported for database backed use - Added user option to sort messages by internal date - Changed attachment handling now attachments are adressed to @@ -507,7 +579,7 @@ Version 1.2.5 -- 22 February 2002 Version 1.2.4 -- 25 January 2002 -------------------------------- - - Fixes a nasty remote arbitrary command execution vulnerability + - Security: Fixes a nasty remote arbitrary command execution vulnerability in the spellchecker plugin. Version 1.2.3 -- 21 January 2002 @@ -678,6 +750,7 @@ Version 1.0.6 -- April 19, 2001 Version 1.0.5 -- April 17, 2001 ------------------------------- - MAJOR security issues addressed. Please upgrade as soon as possible. + [CAN-2001-1159] - Downloading attachments should work better due to a tip by Ray Black III. - Fixed bug with drop-down folder list not containing INBOX - Added Swedish help files Teemu Junnila