Adding the 1.5.1 ReleaseNotes

doc/ReleaseNotes/1.5/Notes-1.5.1.txt

@@ -0,0 +1,205 @@
+/*****************************************************************
+ * Release Notes: SquirrelMail 1.5.1                             *
+ * The "Fire in the Hole" Release                                *
+ * 2006-02-19                                                    *
+ *****************************************************************/
+
+In this edition of SquirrelMail Release Notes:
+   * All About This Release!
+   * Major Updates
+   * Security Updates
+   * Plugin Updates
+   * Possible Issues
+   * Backwards Incompatible Changes
+   * Data Directory Changes
+   * Reporting Your Favorite SquirrelMail Bug
+
+
+All About This Release!
+=======================
+This is the second release of our new 1.5.x-series, which is a
+DEVELOPMENT release.
+
+See the Major Updates section of this file for more information.
+
+
+Major Updates
+==============
+Rewritten IMAP functions and optimized IMAP data caching code. Internal
+sorting functions should be faster than code used in SquirrelMail <= 1.5.0. 
+Together with the optimized caching code, all the logic concerning sorting has
+been rewritten so that Squirrelmail can display more columns with sort support 
+in the messages list. I.e. the From and To column in the same view sorted on
+size.  Also, the number of IMAP calls is reduced by smarter caching in the IMAP
+mailbox area and by the optimized header and sort cache code.  Reducing the
+amount of IMAP calls will lower the load on your IMAP server and  increase 
+SquirrelMail performance.
+
+In-house gettext implementation replaced with PHP Gettext classes. Update adds
+ngettext and dgettext support.
+
+Begin work on separating the SquirrelMail internal logic from user interface
+related logic.  This has resulted in the first (very) rough CSS-based PHP 
+templates.  In future releases we will finish the mentioned separation and work
+on simpler templates.
+
+Added JavaScript-based message row highlighting code (disabled by default) for
+faster selection of messages in the messages list.
+
+Usage of a centralized error handler.  Development will continue in 1.5.2.
+
+SquirrelMail has started using internal cookie functions in order to have more
+control over cookie format. Cookies set with sqsetcookie() function now use an
+extra parameter (HttpOnly) to secure cookie information by making the cookie
+not accessible to scripts (particularly, JavaScript).  This feature is only 
+supported in browsers that follow the MSDN cookie specifications (see
+http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp).  
+Currently this is limited to IE6 >= SP1.
+
+SquirrelMail IMAP and SMTP libraries now support use of STARTTLS extension.  
+The code is experimental and requires PHP 5.1.0 or newer with
+stream_socket_enable_crypto() function support enabled.
+
+Updated wrapping functions in compose. New wrapping code improves quoting
+of text chapters. Thanks to Justus Pendleton.
+
+Added code for advanced searching in messages. Now it's possible to switch
+between normal search and advanced search.
+
+Main SquirrelMail code implements view_as_html, msg_flags and folder_settings
+plugin features. These plugins should not be used in SquirrelMail 1.5.1.
+
+SquirrelMail translations are loaded from locale/*/setup.php files. If files
+are not present or only one translation (en_US) is available, translation 
+selection options are not displayed to end user.
+
+Security Updates
+================
+This release contains security fixes applied to development branch after 1.5.0
+release:
+ CVE-2004-0521 - SQL injection vulnerability in address book.
+ CVE-2004-1036 - XSS exploit in decodeHeader function.
+ CVE-2005-0075 - Potential file inclusion in preference backend selection code.
+ CVE-2005-0103 - Possible file/offsite inclusion in src/webmail.php.
+ CVE-2005-0104 - Possible XSS issues in src/webmail.php.
+ CVE-2005-1769 - Several cross site scripting (XSS) attacks.
+ CVE-2005-2095 - Extraction of all POST variables in advanced identity code.
+ CVE-2006-0188 - Possible XSS through right_frame parameter in webmail.php.
+ CVE-2006-0195 - Possible XSS in MagicHTML, IE only.
+ CVE-2006-0377 - IMAP injection in sqimap_mailbox_select mailbox parameter.
+
+If you use SquirrelMail 1.5.0, you should upgrade to 1.5.1 or downgrade to latest
+stable SquirrelMail version.
+
+
+Plugin Updates
+==============
+Added site configuration options for filters, fortune, translate, newmail,
+bug_report plugins. Improved newmail and change_password plugins. Fixed data
+corruption issues in calendar plugin.
+
+SquirrelSpell plugin was updated to use generic SquirrelMail preference functions.
+User preferences and personal dictionaries that were stored in .words files are
+moved to .pref files or other configured user data storage backend.
+
+
+Possible Issues
+===============
+Internal SquirrelMail cookie implementation is experimental. If you have cookie
+expiration or corruption issues and can reproduce them only in 1.5.1 version,
+contact one of the SquirrelMail developers and to help them debug the issue.
+
+SquirrelMail 1.5.1 changed some functions and hooks. login_form hook requires
+different coding style.  html_top, html_bottom, internal_link hooks have been
+removed.  src/move_messages.php code has been moved to the main mailbox listing
+script. Some hooks may be broken after implementation of templates, especially
+in mailbox listing pages.  soupNazi() function has been replaced with the 
+checkForJavascript() function.  sqimap_messages_delete(), 
+sqimap_messages_copy(), sqimap_messages_flag() and sqimap_get_small_header()
+functions are now obsolete.  Some IMAP functions return data in different
+format.  If plugins depend on changed or removed functions, they will break in
+this version of SquirrelMail.
+
+This SquirrelMail version added http headers that prevent caching of pages by
+proxies. Headers are added in SquirrelMail displayHtmlHeader() function. Changes
+require that html output is not started before displayHtmlHeader() is called. If 
+some code starts output, PHP errors will be displayed. If plugins display 
+notices in options_save hook and don't stop script execution on error, page 
+display will be broken.
+
+SquirrelMail 1.5.1 implemented code that unregisters globals in PHP
+register_globals=on setups.  Plugins that load main SquirrelMail functions and
+depend on PHP register_globals=on will be broken.
+
+IMAP sorting/threading
+By default, SquirrelMail will make use of the capabilities provided by the IMAP
+server. This means that if the IMAP server supports SORT and THREAD sorting then
+SquirrelMail makes use of it. Some broken IMAP servers advertise the SORT and
+THREAD capabilities although they do not support it. For those IMAP servers
+there is a config option to disable the use of SORT and THREAD sort.
+
+Backward Incompatible Changes
+=============================
+Index order options are modified in 1.5.1 version. If older options are
+detected, interface upgrades to newer option format and deletes old options.
+
+In version 1.5.1, SquirrelSpell user dictionaries are saved with generic
+SquirrelMail data functions.  SquirrelSpell should copy older dictionaries
+if dictionary version information is not present in user preferences. Once
+the dictionary is copied, <username>.words files are obsolete and no longer
+updated.
+
+If the same data directory is used with other backwards incompatible versions,
+the older SquirrelMail version may lose some user preferences or work with
+outdated data.  Admins are advised to use a separate data directory for the 
+1.5.1 release.  The data directory can be configured by running configure.
+
+Data Directory
+==============
+The directory data/ is no longer included in our tarball. Since placing this
+directory under a web-accessible directory is not very wise, we've decided to
+not pack it anymore.  Admins will need to create it. Please choose a location
+that's safe (not web accessible), e.g. /var/squirrelmail/data.
+
+Reporting Your Favorite SquirrelMail Bug
+========================================
+We constantly aim to make SquirrelMail even better, so we need you to submit
+any bugs you come across! Also, please mention that the bug is in this release
+(version 1.5.1), and list your IMAP server and web server details.  Bugs can be
+submitted at:
+
+   http://www.squirrelmail.org/bugs
+
+Thanks for your cooperation with this. This helps ensure that nothing slips
+through the cracks.  Also, please search the bug database for existing items
+before submitting a new bug.  This will help to eliminate duplicate reports and
+increase the time we can spend FIXING existing bugs by DECREASING the time we
+spend sorting through bug reports.  Remember to check for CLOSED bug reports
+also, not just OPEN bug reports, in case a bug you want to report may have been
+recently fixed in CVS.
+
+If you want to join us in coding SquirrelMail, or have other things to share
+with the developers, join the development mailing list:
+
+   squirrelmail-devel@lists.sourceforge.net
+
+
+About Our Release Alias
+=======================
+This release is labeled the "Fire in the Hole" release. "Fire in the Hole" is
+a phrase used to warn of the detonation of an explosive device. The phrase may
+have been originated by miners, who made extensive use of explosives while
+working underground.
+
+This release has been created to get a fixed package after more than two years
+of development in the CVS HEAD branch.  This package contains many experimental
+changes.  These changes add new features that can/will be unstable and/or 
+create an inconsistent UI.  If you want to use stable code, you should stick to
+the 1.4.x series of SquirrelMail.  If you find issues in this package, make
+sure that they are still present in the latest development code snapshots.  To
+obtain thelatest development snapshot, see 
+	
+	http://www.squirrelmail.org/download.php#snapshot
+
+                  Happy SquirrelMailing!
+                    - The SquirrelMail Project Team