Release notes for 6.0:
Thunderbird is based on the new Mozilla Gecko 6 engine
Several theme improvements for Windows 7
Support for Windows 7 Jump lists
Several fixes when importing email from Microsoft Outlook
Default mail client check now works with newer Linux distributions
Various other user interface fixes and improvements
Numerous platform fixes that improve speed, performance, stability and security
Release notes for 5.0:
More responsive and faster to start up and use
Thunderbird is based on the new Mozilla Gecko 5 engine
New Add-ons Manager
Revised account creation wizard to improve email setup
New Troubleshooting Information page
Tabs can now be reordered and dragged to different windows
Attachment sizes now displayed along with attachments
Plugins can now be loaded in RSS feeds by default
There are several theme fixes for Windows Vista and Windows 7
Support for Mac 32/64 bit Universal builds (Thunderbird no longer supports PowerPC on Mac)
Over 390 platform fixes that improve speed, performance, stability and security
- Fix parsing bug: https://rt.cpan.org/Ticket/Display.html?id=66025
- Fix typo: https://rt.cpan.org/Ticket/Display.html?id=65387
- Fix unit tests on Perl 5.8.x: https://rt.cpan.org/Ticket/Display.html?id=66188
- Fix unit test failure on Win32: (https://rt.cpan.org/Ticket/Display.html?id=66286)
- Add build_requires 'Test::Deep'; to Makefile (rt.cpan.org #64659)
- Fix spelling errors (rt.cpan.org #64610)
- Fix double-decoding bug when decoding RFC-2231-encoded parameters
(rt.cpan.org #65162)
- Fix inappropriate inclusion of CR characters in parsed headers
(rt.cpan.org #65681)
- Document that MIME::WordDecoder is mostly deprecated.
- Document that MIME::Head->get(...) can include a trailing newline.
- Increase buffer size from 2kB to 8kB in MIME::Entity and MIME::Body
(part of rt.cpan.org #65162)
- (cleanup) IO-Stringy (specifically, IO::ScalarArray, IO::Lines, and
IO::InnerFile) is no longer used
- (ticket 22684) Fix deadlock in filter() when invoking external
programs such as gzip. (Alexey Tourbin <at -at- altlinux.ru>)
- Remove auto_install from Makefile.PL
- (ticket 60931) If preamble is empty, make sure it's still empty after roundtripping through MIME::Entity
- (ticket 63739) Properly decude RFC2231 encodings in attachment filenames
Postfix stable release 2.8.4 is available. This contains fixes and
workarounds that were already included with the Postfix 2.9
experimental release. Where applicable these fixes will also be
made available for the legacy releases Postfix 2.5..2.7.
* Performance: a high load of DSN success notification requests
could slow down the queue manager. Solution: make the trace
client asynchronous, just like the bounce and defer clients.
* The local(8) delivery agent ignored table lookup errors in
mailbox_command_maps, mailbox_transport_maps, fallback_transport_maps
and (while bouncing mail to alias) alias owner lookup.
* Workaround: dbl.spamhaus.org rejects lookups with "No IP
queries" even if the name has an alphanumerical prefix. We
play safe, and skip both RHSBL and RHSWL queries for names
ending in a numerical suffix.
* The "sendmail -t" command reported "protocol error" instead
of "file too large", "no space left on device" etc.
* The Postfix Milter client reported a temporary error instead
of "file too large" in three cases.
* Linux kernel version 3 support. Linus Torvalds has reset the
counters for reasons not related to changes in code.
You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
* In mimedefang.c, truncate overlong responses from the multiplexor. Also sanitize replies so "\r" doesn't get fed to smfi_setmlreply.
* If a slave process replies with a very long reply, have the multiplexor consume (and discard) the excess input so the multiplexor-to-slave protocol does not become de-synchronized.
* When mimedefang becomes a daemon, have it wait for a "go/no-go" message from the child before exiting. This should eliminate race conditions whereby the MTA starts before the milter socket is present.
* Avoid run-time errors from Unix::Syslog on some platforms.
Version 1.4.22 - 12 July 2011
-----------------------------
- Backported default timezone fix from version 1.5.2; helps mitigate
timezone errors in environments where a default has not been set
by the administrator.
- Fixed system lock-ups caused by a combination of certain rare,
malformed message headers and buggy versions of PHP mbstring
(#3053349).
- Now allow multiple plugins to handle (add links for) a single
attachment MIME type.
- Now allow administrators to disable all plugins or enable just
a select few plugins (overriding the active plugins in the normal
configuration) by setting $temporary_plugins as an empty array
(all disabled) or an array with one or more plugin directory names
in config_local.php.
- Backport fix for call_user_func_array not supporting NULL as empty
array in PHP 5.3.3
- Fixed sqauth_read_password() for plugins on the login_verified hook.
- Added SMTP SASL PLAIN authentication option to configuration tool
(core support for such is not new).
- Gmail doens't support standard search commands; removed sort buttons.
- Forced addition of a file suffix to attachments that lack a filename
(helps forwarded messages avoid spam filters) (thanks to Petr
Kletecka) (#3139004).
- Fixed missing security token in listcommands plugin.
- Added smtp_auth hook (thanks to Emmanuel Dreyfus).
- Made speed enhancements to threaded message display (thanks to Siim
Poder) (#3288123).
- Allow administrators to configure subfolders of user INBOXes to be
treated as special folders by adding $subfolders_of_inbox_are_special
to config_local.php.
- Fixed incorrect display of INBOX subfolders under some configurations.
IMPORTANT: You may need to update your configuration so that
$default_sub_of_inbox is TRUE if it was FALSE (e.g., Courier IMAP users)
and after updating to this version, your special folders are no longer
listed at the top of your folder list. Also, if this change prevents
users from logging in with an error such as "ERROR: Could not complete
request. Query: CREATE "Trash" Reason Given: Invalid mailbox name.",
you will need to correct the user preference values for the problem
folders. You can do so with commands such as the following for file-
based preferences (adjust the data directory location as needed):
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Trash/trash_folder=INBOX.Trash/g' {} \;
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Drafts/trash_folder=INBOX.Drafts/g' {} \;
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Sent/trash_folder=INBOX.Sent/g' {} \;
Or, for database-based preferences:
UPDATE userprefs SET prefval = 'INBOX.Trash' WHERE prefkey = 'trash_folder' AND prefval = 'Trash';
UPDATE userprefs SET prefval = 'INBOX.Drafts' WHERE prefkey = 'draft_folder' AND prefval = 'Drafts';
UPDATE userprefs SET prefval = 'INBOX.Sent' WHERE prefkey = 'sent_folder' AND prefval = 'Sent';
MAKE SURE to back up your user preferences first!
- Optimized message highlighting rules; faster message list display
and faster highlight rules management (thanks to C. Bensend for
extensive effort helping diagnose)
- New Mail plugin no longer removes normal organization title when
putting the number of new messages in the browser title
- Added clickjacking protection (thanks to Asbjorn Thorsen and Geir
Hansen for bringing this to our attention). [CVE-2010-4554]
- Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell
plugin, XSS hole in the Index Order page, and added anti-CSRF protection
to the empty trash feature and the Index Order page (thanks to Nicholas
Carlini for finding all these issues). [CVE-2010-4555]
- Fixed XSS problem with unsanitized style tags in messages. [CVE-2011-2023]
While here,
* Exactly enable/disable PCRE support with package option, enabled by default.
* Add workaround patches for PR#44275, sizeof(time_t) > sizeof(unsigned long).
Changes to the Cyrus IMAP Server since 2.4.9
* fixed handling of unparsable emails during append (which would
cause invalid cyrus.index records otherwise)
* quota: fix a pile of bugs. #1801, virtdomain support; #2728, slow
user delete; #3178, "file name too long" with big mailbox names;
#3179, quota -f doubles usage.
* Bug #3043 - parse multiple groups in headers correctly
* Bug #3158 - lmtp backend connection timeout
* Bug #3223 - limit MIME parsing depth to avoid stack overflows
* Bug #3273 - add SORT=DISPLAY support (but note: still questions
about correctness of unicode sorting)
* Bug #3504 - convert all sieve scripts to \r\n line endings on
upload
* Bug #3402 - options to munge 8bit characters in headers during lmtp
delivery to avoid backscatter
* sync_client: fix broken keepalive TCP options (I doubt anyone ever
tried to use it)
* Bug #3482 - add "-o" option to ipurge to only purge messages with
\Deleted flag set
Add PKG_DESTDIR_SUPPORT;
Add LICENSE
`$Cambridge: hermes/src/prayer/docs/DONE,v 1.66 2011/06/27 13:39:56 dpc22 Exp $
27/06/2010
==========
Release: Prayer 1.3.4
22/06/2011
==========
draft.c fixes:
Fold long lines of addresses before the entry which reaches 78 characters
when possible, rather than after the first entry which crosses that
boundary. Long standing bug bear of mine but several support functions
needed to be rewritten to use scratch string in place of output buffer.
Long subject lines which are not RFC1522 encoded need to be folded.
separately. Reported by Andrey N. Oktyabrski <ano@bestmx.ru>.
RFC1522 is not allowed to fold lines in the middle of a UTF-8 multibyte
character. Reported by Andrey N. Oktyabrski <ano@bestmx.ru>.
Tidy library:
Add support for tidyp fork of (apparently abandoned) tidy library.
Fix cross site scripting problem:
MSIE and Chrome think that <!---> is a complete comment. Allows people to
hide scripts inside <!---><script>...<!--->. Strip all comments (which is
something that the old sanitiser had been doing already)
Sieve blocks should check "From: " address in body as well as
envelope sender address. Check "Sender: " as well for completeness.
Linux needs IPPROTO_IPV6 to bind to '0.0.0.0' and '::'
01/11/2010
==========
Mike Brudenell <mike.brudenell@york.ac.uk> reported problem with RFC
2183/RFC 2231 quoting with vey long filenames, or filenames with strange
characters from ASCII range.
20/07/2010
==========
Release: Prayer 1.3.3
08/07/2010
==========
Better handling of complex multipart messages:
Rather than just displaying the first text/plain or text/html that we can
find in the top, (leaving people to access sections for the other parts),
display the entire tree: multipart/alternative are handled as before, but
with other multipart messages, recurse into the subtrees and repeat. Given:
1 (Nested multipart)
1.1 text/html
1.2 text/plain
2 text/plain
we display sections 1.1 and 2. Previously we would display section 2,
which is a bit of a disaster if section (1) was the original message and
a listserver has helpfully tagged on a message footer as a separate bodypart
Combine os_*.c back into a single file (which is where I started off
many years back). Eliminates lots of repeated code.
07/07/2010
==========
Bugs
====
os_bind_inet_socket(unsigned long port, char *interface)
If interface resolves to multiple IP addresses then only binds to the
first. Should really walk along ai->ai_next and bind to each IP address
in turn. Unfortuanetly this means that os_bind_inet_socket() needs to
return an array of sockfds rather than a single int. Parent routines
probably aren't going to play ball either.
Most likely cause will be a hostname which generates both IPv4 and IPv6
addresses. Unfortanately it is a probably that we are going to have
to solve eventually.
05/07/2010
==========
Fix XSS problems reported by:
Jacob H. Hilton <jhh40@cam.ac.uk>
Dr Andrew C Aitchison <A.C.Aitchison@dpmms.cam.ac.uk>
Rather than trying to spot dangerous tags by simple substring matching in C,
I now feed the html through Tidy library (http://tidy.sourceforge.net/),
and then prune unwanted nodes from the parse tree before setting it to
the pretty printer. The only problem is that the Tidy library doesn't
provide any public API for manipulating the parse tree (although it does
provide a public API for walking the tree!?), so I had to dig around to
find the private functions required to remove and manipulate nodes.
Javascript embedded into CSS is also a problem: I need to strip off CSS
character entities before looking for dangerous expressions. The final
part is still a simple string match: I hope that I don't end up having to
generate parse trees for CSS as well as the HTML.
Now passes full test suite at:
https://secure.grepular.com/email_privacy_tester/
Better vacation screen
Subject line
Phrasing
Coping with multiple logins as single user from single browser:
SessionID stored in HTTP Cookie: second login blats first
Can store SessionID in URL (Prayer does this if no cookies available)
Not secure: leaks in HTTP "Referrer" header with links from HTML email.
Solution: Use HTTP Cookie keyed by PID of login session.
Smaller cleanups:
Improve gap between words in spell check (Cambridge house style)
Remove extra blank lines after postpone, restore cycle.
while here, expunge old sites from MASTER_SITES, and add the http site in
release announcement.
Changes to the Cyrus IMAP Server since 2.4.8
* fixed crashes in seen handling
* Bug #3453 - fixed LSUB replication
* Bug #3442 - allow disabling PCRE if it's buggy at your site
* Bug #3443 - LSUB response fixes
* Bug #3448 - XFER error handling (murder)
* Bug #3437 - fixed regression: quotaroot wasn't being updated on
rename
* Bug #3456 - fixed crash on rename user.foo user.foo without
partition change
* config update: database paths for most databases are now
configurable in imapd.conf
* Bug #3303 - fixed index lock breaking on XFER (thanks Julien
Coloos)
* Bug #3457 - fixed ESEARCH parsing (was breaking iPhones)
* Bug #3188 - fixed XFER with unlimited quota (thanks again Julien
Coloos)
* Misc other quota fixes (there are still known bugs with the quota
system)
* Bug #3169 - fixed GETQUOTAROOT for domain quotaroots
* Bug #3465 - fixed compilation with Perl 5.14 (thanks
hsk@imb-jena.de, and also thanks to Ondrej Sury who reported it
separately)
* Bug #3464 - fix for sendmail exec failure. This was a nasty one,
Patch was provided by PR pkg/45088 from ISIHARA Takanori.
Changes of Sylpheed
* 3.1.1 (stable)
* The column width of the address book will be saved now.
* The keyboard shortcut of 'File/Send' menu of compose window was changed
to prevent accidental sending.
* The bug that caused occasional crash when summary was updated while
receiving messages was fixed.
* The compilation problem on some environment was fixed.
* Some locale problems on Mac OS X was fixed.
* The compilation error on newer gcc was fixed.
* Finnish translation was added.
Based on PR#44939 by Susumu Miwa.
Modified by Makoto Fujiwawa and me in pkgsrc-wip.
Quickml server provides very-easy-to-use mailing list service.
It was too open in this age, some limitation is provided in
this package. The original code is written by Satoru Takabayashi.
8.14.5/8.14.5 2011/05/17
Do not cache SMTP extensions across connections as the cache
is based on hostname which may not be a unique identifier
for a server, i.e., different machines may have the
same hostname but provide different SMTP extensions.
Problem noted by Jim Hermann.
Avoid an out-of-bounds access in case a resolver reply for a DNS
map lookup returns a size larger than 1K. Based on a
patch from Dr. Werner Fink of SuSE.
If a job is aborted using the interrupt signal (e.g., control-C from
the keyboard), perform minimal cleanup to avoid invoking
functions that are not signal-safe. Note: in previous
versions the mail might have been queued up already
and would be delivered subsequently, now an interrupt
will always remove the queue files and thus prevent
delivery.
Per RFC 6176, when operating as a TLS client, do not offer SSLv2.
Since TLS session resumption is never used as a client, disable
use of RFC 4507-style session tickets.
Work around gcc4 versions which reverse 25 years of history and
no longer align char buffers on the stack, breaking calls
to resolver functions on strict alignment platforms.
Found by Stuart Henderson of OpenBSD.
Read at most two AUTH lines from a server greeting (up to two
lines are read because servers may use "AUTH mechs" and
"AUTH=mechs"). Otherwise a malicious server may exhaust
the memory of the client. Bug report by Nils of MWR
InfoSecurity.
Avoid triggering an assertion in the OpenLDAP code when the
connection to an LDAP server is lost while making a query.
Problem noted and patch provided by Andy Fiddaman.
If ConnectOnlyTo is set and sendmail is compiled with NETINET6
it would try to use an IPv6 address if an IPv4 (or
unparseable) address is specified.
If SASLv2 is used, make sure that the macro {auth_authen} is
stored in xtext format to avoid problems with parsing
it. Problem noted by Christophe Wolfhugel.
CONFIG: FEATURE(`ldap_routing') in 8.14.4 tried to add a missing
-T<TMPF> that is required, but failed for some cases
that did not use LDAP. This change has been undone
until a better solution can be implemented. Problem
found by Andy Fiddaman.
CONFIG: Add cf/ostype/solaris11.m4 for Solaris11 support.
Contributed by Casper Dik of Oracle.
CONTRIB: qtool.pl: Deal with H entries that do not have a
letter between the question marks. Patch from
Stefan Christensen.
DOC: Use a better description for the -i option in sendmail.
Patch from Mitchell Berger.
Portability:
Add support for Darwin 10.x (Mac OS X 10.6).
Enable HAVE_NANOSLEEP for FreeBSD 3 and later. Patch
from John Marshall.
Enable HAVE_NANOSLEEP for OpenBSD 4.3 and later.
Use new directory "/system/volatile" for PidFile on
Solaris 11. Patch from Casper Dik of Oracle.
Fix compilation on Solaris 11 (and maybe some other
OSs) when using OpenSSL 1.0. Based on patch from
Jan Pechanec of Oracle.
Set SOCKADDR_LEN_T and SOCKOPT_LEN_T to socklen_t
for Solaris 11. Patch from Roger Faulkner of Oracle.
New Files:
cf/ostype/solaris11.m4
