From e27dc30c76f0b738170158772faa2bcc69cf22ce Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Tue, 1 Oct 2013 15:15:08 +0000 Subject: [PATCH] Changelog for 1.8.004.20131001 --- doc/rpm-build/debian.changes | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/doc/rpm-build/debian.changes b/doc/rpm-build/debian.changes index 92cf9b4dbe..7565ebc649 100644 --- a/doc/rpm-build/debian.changes +++ b/doc/rpm-build/debian.changes @@ -1,3 +1,21 @@ +egroupware (1.8.004.20131001) hardy; urgency=low + + * THIS RELEASE CONTAINS IMPORTANT SECURITY FIXES, PLEASE UPDATE ASAP + * Security: fixed remote code execution + * API: using now httponly and secure cookies (secure only if https is used to login) + * API: header.inc.php uses for new installations or on update now secure password hashes like they were used for accounts since some time now + * Setup: uses now a session instead of storing credentials in a cookie + * Filemanager: html downloads get now either force a download or - if brower supports - use a content-security-policiy header to mitigate risk of session hijacking + * THANKS and credits to Marcel Mangold , Pascal Uter from SySS GmbH for notifying us about above problems and hardening possibilities + * Addressbook: deleting an account now also takes care of deleting or changing ownership of distribution lists (beside contacts as before) + * EMail/all apps: fixed notifications caused EMail to loose connection to IMAP server + * eMail: fix possible problem when mail-message-body (text or html part) is empty + * eMail: fix problem for folder preferences did not overrule folders set by getSpecialUseFolders + * eMail/Sieve: improved capability parsing + * eMail/IMAP: fix for failed connection for subsequent connects when using STARTTLS in certain enviroments + + -- Ralf Becker Tue, 01 Oct 2013 17:15:08 +0200 + egroupware (1.8.004.20130831) hardy; urgency=low * Addressbook/CardDAV: fixed not working (forced) preference to display only accounts of groupmembers
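Review bot: the header of the new 1.8.004.20131001 entry declares `urgency=low`, while its first bullet reads "THIS RELEASE CONTAINS IMPORTANT SECURITY FIXES, PLEASE UPDATE ASAP" and the second reports a fixed remote code execution. Raise the urgency field (for example `urgency=high`) so that anything reading the header sees the same priority as the text. The "Security: fixed remote code execution" bullet also names no affected component, unlike the API, Setup and Filemanager bullets beneath it; a short scope there would help administrators judge their exposure. Spelling in the added lines: "brower" (browser), "content-security-policiy" (content-security-policy), "enviroments" (environments), "loose connection" (lose connection), and "get now either force a download" looks like a leftover from an earlier wording.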