| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
----------------------------
- Fix saving of Read Receipts to Sent folder.
- Converted Romanian (ro_RO) to UTF-8.
- Converted Slovak (sk_SK) to UTF-8.
- Converted Swedish (sv_SE) to UTF-8.
- Added support for Macedonian.
- Don't allow invalid plugin names in conf.pl --install-plugin.
- Fix warning in Printer Friendly due to missing include (#1849101).
- Let configtest.php use optional PEAR dynamic extension loading,
patch by Walter Huijbers (#1833123).
- Fix for IMAP servers that were having problems saving sent messages.
- Fix broken <style> tag parsing for some HTML messages, thanks
Roalt Zijlstra.
- Re-added support for Vietnamese.
- Fixed broken MDN functionality (send read confirmation).
- Converted Norwegian Bokm�l (nb_NO) to UTF-8.
- Converted traditional Chinese (zh_TW) to UTF-8.
- Avoid deprecation notices on get_magic_quotes_* functions.
- Improved Message-ID generation code.
- Added edit list, checkbox, radio group, multiple-select folder
list and multiple-select string list option widget types,
as well as support for the "trailing_text" widget attribute.
- Boolean option widgets are henceforth presented as checkboxes.
- Tidied up fortune plugin to be inline with specifications for plugins.
- Enhanced address book page: added 'Compose to' button, put labels
around address entries tied to checkboxes, improved column spacing,
added hook for plugins that can filter address book listings.
Complements RisuMail team (risumail.jp).
|
|
NOTE: includes a critical bug fix in the attachment handling
- Enabled user selection of address format when adding from address
book during message composition.
- Fixed issue with adding attachments in PHP 4.x environments (#1805471).
- Backport size setting on "newmail" popup window.
- Added a "short_open_tag" configuration test.
- Undefined notice in error message box when no default folder prefix is set.
- Undefined index error when downloading. Possibly caused by using tabs and
opening multiple mailboxes.
- PAGE_NAME might not be defined in all plugins, which might cause a
"not defined" error on session timeouts.
- Fixed outgoing messages to allow addresses such as "0@..." or "000@...",
etc. (#1818398).
- Fixed issue with in-reply-to and reference headers not being retained on
reply (#1810659).
- Revived logout_error hook (#1800015).
- Allow custom session handlers to work correctly (and be defined at the
application level with SquirrelMail).
- Fix off-by-one in bodystructure parsing triggered by servers sending
a body location part (e.g. Sun Java System Messaging Server). Thanks
John Callahan (#1808382).
- Invalid initialization of To: header (#1772893).
- Includes cleanup in include/validate.php.
- Cleanup in multiple files to remove unneeded includes.
- Added sort by size (#812233 and #159997, plus multiple list requests).
Patch provided by Christopher E. Brown.
- Fix bug in sitewide SMTP settings still using authenticated user, rather
than configured settings (#1835942).
- Fixed mailto: functionality.
- Added mailto: link handling when viewing messages.
- Handle PHP's insistence on setting the value to 'deleted' for destroyed
sessions
|
|
Version 1.4.11 - 29 September 2007
----------------------------------
- Minimum PHP requirement raised from 4.0.6 to 4.1.0.
SquirrelMail has been broken for a while with 4.0.x without anyone
noticing, this move merely reflects reality.
- Fix broken set_url_var function in functions/html.php (#1729814).
- Fix config.pl not detecting auth support correctly (#1727033).
- Fix display of X-Priority in message view.
- Work around mailers sending broken Date headers with no space after the
first comma.
- Let POP3 class properly cope with lines starting with a '.'.
- Some HTML validation cleanups.
- Invalid year in sent_subfolders plugin (#1607380).
- Always treat Content-Type case-insensitively (#1732092).
- Fix typo: html/plain should be text/html.
- Fix en/decode header swith in MDN (#1694687).
- Fix compatibility with Windows path in administrator plugin (#1740469).
- Fix disabling password encryption in mail_fetch (#1738001).
- Fix busy loop and notice when two literals in IMAP fetch (#1739433).
- Backported code for site wide SMTP authentication (#1531889).
- Fixed issue with compose session not being cleaned after message is
saved or sent.
- Added ability to detect HTTP_X_FORWARDED_PROTO in get_location(),
thanks to Daniel Watts
- Fix test for signout.php in the logged in check in is_logged_in() so it
cannot be circumvented by manipulating the URL. External plugins might
rely on this function guaranteeing that the user is logged in.
- Use attachment_dir only at the point where we're actually
reading from / writing to the files, do not carry it around
in the object. This makes us safer in the event the object
is somehow exposed to the outside world.
- Better support mailboxes named 'None' (#1598890).
- Sort readdir() output in conf.pl (#1755886).
- Fix message cache in printer friendly, thanks Tomas Kuliavas.
- Made the webmail_top hook work again for plugins that want to change
the URI of the "right" frame; plugins have to change the value of the
global variable $right_frame_url
- Fix issue in darkness theme with extra closing bracket.
- No longer store all message composition sessions in the PHP session,
since it was not made use of and in rare cases, made sessions too big.
- Composition restoration functionality now correctly restores attachments.
- Added smtp_auth hook.
- Change default Selection List Style to Indented.
- Added "preselected" query argument to mailbox list.
- Added mailbox_display_buttons hook.
- Removed "Include CCs when Forwarding Messages", which had no functionality
whatsoever.
- Make the Message Details plugin actually show the correct entity when
viewing details of attached messages.
|
|
|
|
|
|
Changes since version 1.4.7:
- A security fix for CVE-2006-4019
- A collection of bugfixes
|
|
- Fixed URL for Read Receipts being incorrect in some cases (#1177518).
- Fixed endless loop when trying to parse "From: )(" (#1517867).
- Using is_file() instead of file_exists() in fortune plugin (#1499134).
- Add manual page for conf.pl under contrib.
- Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346).
|
|
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
|
|
of the order in which buildlink3.mk files are (recursively) included
by a package Makefile.
|
|
that they look nicer.
|
|
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
|
|
This release is very important, and we strongly advise everybody to
update to the latest release.
Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
|
|
|
|
|
|
- Some modification to MESSAGES:
* remove trailing white space.
* use www.example.com as example URL.
|
|
* lots of bug fixes
* translation updates
|
|
* Fix several cross site scripting vulnerabilities
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0337
|
|
|
