Changelog for 1.8.004.20131001

doc/rpm-build/debian.changes

@@ -1,3 +1,21 @@
+egroupware (1.8.004.20131001) hardy; urgency=low
+
+  * THIS RELEASE CONTAINS IMPORTANT SECURITY FIXES, PLEASE UPDATE ASAP
+  * Security: fixed remote code execution
+  * API: using now httponly and secure cookies (secure only if https is used to login)
+  * API: header.inc.php uses for new installations or on update now secure password hashes like they were used for accounts since some time now
+  * Setup: uses now a session instead of storing credentials in a cookie
+  * Filemanager: html downloads get now either force a download or - if brower supports - use a content-security-policiy header to mitigate risk of session hijacking
+  * THANKS and credits to Marcel Mangold <marcel.mangold@syss.de>, Pascal Uter <pascal.uter@syss.de> from SySS GmbH for notifying us about above problems and hardening possibilities
+  * Addressbook: deleting an account now also takes care of deleting or changing ownership of distribution lists (beside contacts as before)
+  * EMail/all apps: fixed notifications caused EMail to loose connection to IMAP server
+  * eMail: fix possible problem when mail-message-body (text or html part) is empty
+  * eMail: fix problem for folder preferences did not overrule folders set by getSpecialUseFolders
+  * eMail/Sieve: improved capability parsing
+  * eMail/IMAP: fix for failed connection for subsequent connects when using STARTTLS in certain enviroments
+
+ -- Ralf Becker <rb@stylite.de>  Tue, 01 Oct 2013 17:15:08 +0200
+
 egroupware (1.8.004.20130831) hardy; urgency=low
 
   * Addressbook/CardDAV: fixed not working (forced) preference to display only accounts of groupmembers