From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 CHANGELOG |   57 +++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 files changed, 51 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index f97f1fd..91cb3c3 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,7 +1,36 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
-- Improved encrypt/decrypt methods with option to choose the cipher_method (#1489719)
+- Enable use of TLSv1.1 and TLSv1.2 for IMAP (#1490640)
+- Save copy of original .htaccess file when using installto.sh script (1490623)
+- Fix regression where some message attachments could be missing on edit/forward (#1490608)
+- Fix regression in displaying contents of message/rfc822 parts (#1490606)
+- Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
+- Fix PDF support detection in Firefox > 19 (#1490610)
+- Fix path traversal vulnerability in setting a skin [CVE-2015-8770] (#1490620)
+- Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)
+- Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
+- Fix mail view scaling on iOS (#1490551)
+- Fix PHP7 warning "session_start(): Session callback expects true/false return value" (#1490624)
+- Fix XSS issue in SVG images handling (#1490625)
+- Fix missing language name in "Add to Dictionary" request in HTML mode (#1490634)
+
+RELEASE 1.2-beta
+----------------
+- Update TinyMCE to version 4.2
+- Remove backward compatibility "layer" of bc.php (#1490534)
+- Add possibility to define date format in write operations for ldap attributes (#1488741)
+- Display attachment size in compose (#1484774)
+- Added possibility to drag-n-drop attachments from mail preview to compose window
+- Implemented mail messages searching with predefined date interval
+- PGP encryption support via Mailvelope integration
+- PGP encryption support via Enigma plugin
+- PHP7 compatibility fixes (#1490416)
+- Security: Added brute-force attack prevention via login rate limit (#1490566)
+- Security: Added options to validate username/password on logon (#1490500)
+- Security: Improve randomness of security tokens (#1490529)
+- Security: Use random security tokens instead of hashes based on encryption key (#1490404)
+- Security: Improved encrypt/decrypt methods with option to choose the cipher_method (#1489719)
 - Make optional adding of standard signature separator - sig_separator (#1487768)
 - Optimize folder_size() on Cyrus IMAP by using special folder annotation (#1490514)
 - Make optional hidding of folders with name starting with a dot - imap_skip_hidden_folders (#1490468)
@@ -13,9 +42,7 @@
 - Remove common subject prefixes Re:, Re[x]:, Re-x: on reply (#1490497)
 - Added GSSAPI/Kerberos authentication plugin - krb_authentication
 - Password: Allow temporarily disabling the plugin functionality with a notice
-- Support more secure hashing algorithms for auth cookie - configurable by PHP's session.hash_function (#1490403)
 - Require Mbstring and OpenSSL extensions (#1490415)
-- Get rid of Mail_mimeDecode package dependency (#1490416)
 - Add --config and --type options to moduserprefs.sh script (#1490051)
 - Implemented memcache_debug and apc_debug options
 - Installer: Remove system() function use (#1490139)
@@ -27,10 +54,26 @@
 - Plugin API: Added message_ready hook
 - Plugin API: Add special onload() method to execute plugin actions before startup (session and GUI initialization)
 - Implemented UI element to jump to specified page of the messages list (#1485235)
+- Fix searching of contacts to allow remote images for known senders (#1490504)
+- Fix bug where clicking date column with 'arrival' sorting would switch to sorting by 'date' (#1490126)
 - Fix bug where message content could overlap attachments list in Larry skin (#1490479)
-- Fix closing of nested menus (#1490443)
 - Fix so microseconds macro (u) in log_date_format works (#1490446)
 - Fix so unrecognized TNEF attachments are displayed on the list of attachments (#1490351)
+- Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
+- Fix responses list update issue after response name change (#1490555)
+- Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
+- Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
+- Fix redundant blank lines when using HTML and top posting (#1490576)
+- Fix redundant blank lines on start of text after html to text conversion (#1490577)
+- Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)
+- Fix invalid LDAP query in ACL user autocompletion (#1490591)
+
+RELEASE 1.1.3
+-------------
+- Fix closing of nested menus (#1490443)
+- Fix so E_DEPRECATED errors from PEAR libs are ignored by error_reporting change (#1490281)
+- Fix compatibility with PHP 5.3 in rcube_ldap class (#1490424)
+- Get rid of Mail_mimeDecode package dependency (#1490416)
 - Fix "Importing..." message does not hide on error (#1490422)
 - Fix Compose action in addressbook for results from multiple addressbooks (#1490413)
 - Fix bug where some messages in multi-folder search couldn't be viewed/printed/downloaded (#1490426)
@@ -54,6 +97,7 @@
 - Fix "washing" of style elements wrapped into many lines
 - Fix so input field (e.g. search box) does not loose focus on list load (#1490455)
 - Fix so css of one html part does not apply to other text parts on message display (#1490505)
+- Fix XSS issue in drag-n-drop file uploads [CVE-2015-8105] (#1490530)
 - Fix handling of plus character in mailto: links (#1490510)
 - Fix so adding CC/BCC recipients from the sidebar unhides compose form fields in Classic skin (#1490472)
 - Fix so gc.sh script removes also expired sessions from sql database (#1490512)
@@ -61,6 +105,7 @@
 - Fix various issues with Turkish (and similar) locales (#1490519)
 - Fix so In-Reply-To header is set also for MDN receipts (#1490523)
 - Fix missing HTTP_X_FORWARDED_FOR address in generated Received header
+- Fix issue where Content-Length of some attachments could be set to wrong value causing browser errors (#1490482)
 
 RELEASE 1.1.2
 -------------
@@ -138,7 +183,7 @@
 - Fix bug where max_group_members was ignored when adding a new contact (#1490214)
 - Hide MDN and DSN options in compose if disabled by admin (#1490221)
 - Fix checks based on window.ActiveXObject in IE > 10
-- Fix XSS issue in style attribute handling (#1490227)
+- Fix XSS issue in style attribute handling [CVE-2015-1433] (#1490227)
 - Fix bug where Drafts list wasn't updated on draft-save action in new window (#1490225)
 - Fix so "set as default" option is hidden if identities_level > 1 (#1490226)
 - Fix bug where search was reset after returning from compose visited for reply
@@ -166,7 +211,7 @@
 - Fix drag-n-drop to folders expanded while dragging (#1490157)
 - Fix import of multiple contact groups from Google-csv format (#1490159)
 - Fix import of contacts with multiple email addresses from Google-csv format (#1490178)
-- Fix bugs where CSRF attacks were still possible on some requests
+- Fix bugs where CSRF attacks were still possible on some requests [CVE-2014-9587]
 - Fix some rcube_utils::anytodatetime() corner cases with timezone mismatches (#1490163)
 - Improve move-to and contact-export button in classic skin (#1490166)
 - Fix wrong icon for download button in classic skin

--
Gitblit v1.9.1