From: tokul Date: Sun, 29 Jan 2006 12:10:25 +0000 (+0000) Subject: more relnotes updates X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=commitdiff_plain;h=53bbd9b35b79ec61875e0386e7ae2e289af78c3d more relnotes updates git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10608 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- diff --git a/ReleaseNotes b/ReleaseNotes index b89a8295..3863ea32 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -40,7 +40,14 @@ ngettext and dgettext support. Templates, css and error handler. -Own cookie functions +SquirrelMail started using internal cookie functions in order to have more +controls over cookie format. Cookies set with sqsetcookie() function use +extra parameter that secures cookie information in browsers that follow +MSDN cookie specifications. + +SquirrelMail IMAP and SMTP libraries updated to allow use of STARTTLS extension. +Code is experimental and requires PHP 5.1.0 or newer with +stream_socket_enable_crypto() function support. Updated wrapping functions in compose. 
@@ -49,28 +56,37 @@ Security updates ================ This release contains security fixes applied to development branch after 1.5.0 -release. -CVE-2004-0521 - SQL injection vulnerability in address book. -CVE-2004-1036 - XSS exploit in decodeHeader function. -CVE-2005-0075 - Potential file inclusion in preference backend selection code. -CVE-2005-0103 - Possible file/offsite inclusion in src/webmail.php. -CVE-2005-0104 - Possible XSS issues in src/webmail.php. -CVE-2005-1769 - Several cross site scripting (XSS) attacks. -CVE-2005-2095 - Extraction of all POST variables in advanced identity code. - +release: + CVE-2004-0521 - SQL injection vulnerability in address book. + CVE-2004-1036 - XSS exploit in decodeHeader function. + CVE-2005-0075 - Potential file inclusion in preference backend selection code. + CVE-2005-0103 - Possible file/offsite inclusion in src/webmail.php. + CVE-2005-0104 - Possible XSS issues in src/webmail.php. + CVE-2005-1769 - Several cross site scripting (XSS) attacks. + CVE-2005-2095 - Extraction of all POST variables in advanced identity code. + +If you use SquirrelMail 1.5.0, you should upgrade to 1.5.1 or downgrade to latest +stable SquirrelMail version. Plugin updates ============== Added site configuration options to filters, fortune, translate, newmail, -bug_report plugins. Improved newmail and change_password plugins. +bug_report plugins. Improved newmail and change_password plugins. Fixed data +corruption issues in calendar plugin. -SquirrelSpell data storage +SquirrelSpell plugin was updated to use generic SquirrelMail preference functions. +User preferences and personal dictionaries that were stored in .words files are +moved to .pref files or other configured user data storage backend. Possible issues =============== -Cookies +Internal SquirrelMail cookie implementation is experimental. 
If you have cookie +expiration or corruption issues with some browser and can reproduce them only in +1.5.1 version, contact SquirrelMail developers and help them to debug your issue. + Plugins (changes in hooks and IMAP API) + IMAP sorting/threading Backward incompatible changes
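Review bot: In the first ReleaseNotes hunk (@@ -40,7 +40,14 @@), the sqsetcookie() paragraph says cookies use an "extra parameter that secures cookie information in browsers that follow MSDN cookie specifications" but never names the parameter or what it protects against. An administrator therefore cannot look for it in a Set-Cookie header or tell which browsers are covered. Name the attribute and the threat it addresses. The STARTTLS paragraph in the same hunk should also say what happens on PHP older than 5.1.0 or without stream_socket_enable_crypto(): whether the option is refused or the connection proceeds without TLS. Minor: "more controls over cookie format" should read "more control".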
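Review bot: In the second hunk (@@ -49,28 +56,37 @@), the new advice "you should upgrade to 1.5.1 or downgrade to latest stable SquirrelMail version" does not say which stable version carries the seven listed CVE fixes. The sentence above it only states they were applied to the development branch after 1.5.0. Give the minimum stable version, or state that the current stable release includes them. The SquirrelSpell paragraph says data in .words files "are moved" to .pref files or another backend without saying whether the move is automatic and whether the .words files are kept, which matters to anyone taking the downgrade path just recommended. In Possible issues, "contact SquirrelMail developers" gives no contact point, and "Plugins (changes in hooks and IMAP API)" and "IMAP sorting/threading" are still bare stubs next to the newly written cookie paragraph.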