X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=ChangeLog;h=5fa39eebc917c8894ec87e3956fcb6c5bd81b480;hp=ab081ffd0f529e8239d25ff9bb654f8f19fd1540;hb=eaddf11f4c08b8a19396d50c8f80c2360f71d70a;hpb=de2349c4756aeb710097ea4fccd6ce33f0e32157 diff --git a/ChangeLog b/ChangeLog index ab081ffd..5fa39eeb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,7 +5,7 @@ Version 1.5.1 -- CVS -------------------- - New reply citation to include date and author. - - Fix some possible XSS bugs. + - Securiy: Fix some possible XSS bugs. - Norwegian Bokmal translation uses nb_NO. - Integrated Msg_Flags plugin - turn on/off icons using configuration tool, menu number 11 (Tweaks), option number 3, after which users must select an icon @@ -59,14 +59,14 @@ Version 1.5.1 -- CVS - Make used of cached ordered uid list in case of server_side_sorting. - Rewrite of internal mailbox sorting routines. - Added sort by message size. - - Fixed XSS vulnerability in content-type display in the attachment area - of read_body.php discovered by Roman Medina. + - Security: Fixed XSS vulnerability in content-type display in the attachment + area of read_body.php discovered by Roman Medina. - Get alternating row colors of addressbook in sync with mailbox list. - Give proper error when PEAR DB not found. - Remove inappropriate strip_tags() from add-to-addressbook (#968475). - Prefs caching didn't work properly with register_globals off (#995102). - Security: fix SQL injection vulnerability in addressbook - (CVE ID: CAN-2004-0521). + [CAN-2004-0521]. - Removed html_top and html_bottom hooks. No longer used/needed. - Added "trailing text" for options built by SquirrelMail (text placed after text and select list inputs on options pages) @@ -132,7 +132,7 @@ Version 1.5.1 -- CVS 8bit symbols. (provides fix for #934033). - Fixed decoding function problems when mbstring.func_override has MB_OVERLOAD_REGEX enabled. - - Fixed XSS exploit in decodeHeader function. + - Security: Fixed XSS exploit in decodeHeader function. [CAN-2004-1036] - Added site configuration and custom translation engine support to translate plugin. - Fixed SquirrelSpell error output. Patch courtesy David Boone. @@ -144,6 +144,31 @@ Version 1.5.1 -- CVS by Felix Egli. - Removed command line option unsupported by qmail-inject in class/deliver/Deliver_SendMail.class.php. Thanks to Ken Brush. + - Global file based address book is controled in configuration. Removed + global_file address book backend (use 'local_file' instead). + - Added Net-Style theme by Gabriele Maidecchi. Closes patch #1041323. + - Fix: Messages shown with bad times in message list due to misinterpreted + UW IMAP internal date. + - Fixed path used by random theme. + - Utf7-imap encoding/decoding functions will check, if required charset is + supported by mbstring and use it. Fixes bug #1005353. + - LDAP backend will use internal squirrelmail charset conversion functions + instead of php xml extension. Fixes bug #655137. + - Added Wood theme and Silver Steel theme by Pavel Spatny and Simple Green theme + - Fix two time zone calculation bugs, thanks to David White. Fixes #1063879. + - 'Priority' and 'Importance' headers are now also recognised, next to the + 'X-Priority' header that we've supported since a long time. Fixes #1039935. + - Handle a reload of the signout page gracefully: do not present an error + about having to be logged in to be able to sign out. Fixes #1070069. + - Prevent & being eaten in set_url_var, thanks Marcin Orlowski. Fixes #1053725. + - Removed internal_link hook. + - Added sq_setlocale function in order to use multiple locale names. + - Added size attributes to new_mail sound tags. Fixes #818958. + - Removed extra ; in SquirrelMail added Received header per RFC 822. Fixes #1088548. + - Add IMAP server type "hmailserver" to make search work with hMailServer. + Fixes #1085377. + - Reuploaded newmail plugin sounds. Fixes files uploaded to cvs without binary + option. Version 1.5.0 -------------------- @@ -306,7 +331,7 @@ Version 1.4.0 -- 3 April 2003 - Update required PHP version in documentation to 4.0.6. - Fixed delete_move_next plugin to remember where it moved mail to. - Fixed compose to remember attachments. - - Fixed possible XSS in compose when replying to malicious sources. + - Security: Fixed possible XSS in compose when replying to malicious sources. - Add display of the maximum filesize for attachment uploads. - Do not add < and > if an identity doesn't contain a full name. - Fixed bug in parsing Content-Type properties part. @@ -348,7 +373,7 @@ Version 1.4.0 RC 2a - Correctly fold encoded header lines. - Fix prefs caching not working correctly in PHP 4.3 caused by a stupid version checking mechanism. - - Fix XSS hole that allowed JavaScript execution by sending someone + - Security: Fix XSS hole that allowed JavaScript execution by sending someone an email with specially crafted headers. Thanks Jason Munro, and Masato Higashiyama. @@ -462,13 +487,13 @@ Version 1.2.7 -- June 21 2002 Version 1.2.6 -- April 29 2002 ------------------------------ - - A complete MagicHTML rewrite since the existing codebase was + - Security: A complete MagicHTML rewrite since the existing codebase was causing too many XSS problems. Hopefully now Nick Cleaton will leave us alone. :) Testing credits go to Nick. - - Fix for cross-site scripting vulnerability (bug #545933) + - Security: Fix for cross-site scripting vulnerability (bug #545933) Reported by Nick Cleaton. - Changing "emtpy" to "purge" for more clarity. - - Fix for cross-site scripting vulnerability (bug #544658) + - Security: Fix for cross-site scripting vulnerability (bug #544658) Reported by Nick Cleaton. - Fix for incorrect word wrap in Opera (bug #495073) - Workaround for older prefs: some of them contain "None" for @@ -483,7 +508,7 @@ Version 1.2.6 -- April 29 2002 - Added a server-side sorting global option - Compose in new window size can be set in Display prefs. - Logout error system unified. - - Fix for a "theme passed as cookie" exploit. + - Security: Fix for a "theme passed as cookie" exploit. [CVE-2002-0516] - PostgreSQL is now supported for database backed use - Added user option to sort messages by internal date - Changed attachment handling now attachments are adressed to @@ -554,7 +579,7 @@ Version 1.2.5 -- 22 February 2002 Version 1.2.4 -- 25 January 2002 -------------------------------- - - Fixes a nasty remote arbitrary command execution vulnerability + - Security: Fixes a nasty remote arbitrary command execution vulnerability in the spellchecker plugin. Version 1.2.3 -- 21 January 2002 @@ -725,6 +750,7 @@ Version 1.0.6 -- April 19, 2001 Version 1.0.5 -- April 17, 2001 ------------------------------- - MAJOR security issues addressed. Please upgrade as soon as possible. + [CAN-2001-1159] - Downloading attachments should work better due to a tip by Ray Black III. - Fixed bug with drop-down folder list not containing INBOX - Added Swedish help files Teemu Junnila