This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
The SquirrelMail team is happy to announce the release of version 1.4.17. The
most notable change is a security fix that prevents certain specially-crafted
hyperlinks within messages from executing cross-site scripting attacks. For
other details, see the ReleaseNotes file included in this release. We advise
all users of SquirrelMail software to upgrade.
The SquirrelMail team is happy to announce the release 1.4.16. The most
notable change is that cookies are now sent with the secure attribute set for
HTTPS-connections, meaning that they cannot leak to an HTTP-connection on the
same SquirrelMail installation. For details see the included ReleaseNotes. We
advise users that offer their SquirrelMail both over HTTP and HTTPS to
upgrade.
----------------------------
- Fix saving of Read Receipts to Sent folder.
- Converted Romanian (ro_RO) to UTF-8.
- Converted Slovak (sk_SK) to UTF-8.
- Converted Swedish (sv_SE) to UTF-8.
- Added support for Macedonian.
- Don't allow invalid plugin names in conf.pl --install-plugin.
- Fix warning in Printer Friendly due to missing include (#1849101).
- Let configtest.php use optional PEAR dynamic extension loading,
patch by Walter Huijbers (#1833123).
- Fix for IMAP servers that were having problems saving sent messages.
- Fix broken <style> tag parsing for some HTML messages, thanks
Roalt Zijlstra.
- Re-added support for Vietnamese.
- Fixed broken MDN functionality (send read confirmation).
- Converted Norwegian Bokm�l (nb_NO) to UTF-8.
- Converted traditional Chinese (zh_TW) to UTF-8.
- Avoid deprecation notices on get_magic_quotes_* functions.
- Improved Message-ID generation code.
- Added edit list, checkbox, radio group, multiple-select folder
list and multiple-select string list option widget types,
as well as support for the "trailing_text" widget attribute.
- Boolean option widgets are henceforth presented as checkboxes.
- Tidied up fortune plugin to be inline with specifications for plugins.
- Enhanced address book page: added 'Compose to' button, put labels
around address entries tied to checkboxes, improved column spacing,
added hook for plugins that can filter address book listings.
Complements RisuMail team (risumail.jp).
NOTE: includes a critical bug fix in the attachment handling
- Enabled user selection of address format when adding from address
book during message composition.
- Fixed issue with adding attachments in PHP 4.x environments (#1805471).
- Backport size setting on "newmail" popup window.
- Added a "short_open_tag" configuration test.
- Undefined notice in error message box when no default folder prefix is set.
- Undefined index error when downloading. Possibly caused by using tabs and
opening multiple mailboxes.
- PAGE_NAME might not be defined in all plugins, which might cause a
"not defined" error on session timeouts.
- Fixed outgoing messages to allow addresses such as "0@..." or "000@...",
etc. (#1818398).
- Fixed issue with in-reply-to and reference headers not being retained on
reply (#1810659).
- Revived logout_error hook (#1800015).
- Allow custom session handlers to work correctly (and be defined at the
application level with SquirrelMail).
- Fix off-by-one in bodystructure parsing triggered by servers sending
a body location part (e.g. Sun Java System Messaging Server). Thanks
John Callahan (#1808382).
- Invalid initialization of To: header (#1772893).
- Includes cleanup in include/validate.php.
- Cleanup in multiple files to remove unneeded includes.
- Added sort by size (#812233 and #159997, plus multiple list requests).
Patch provided by Christopher E. Brown.
- Fix bug in sitewide SMTP settings still using authenticated user, rather
than configured settings (#1835942).
- Fixed mailto: functionality.
- Added mailto: link handling when viewing messages.
- Handle PHP's insistence on setting the value to 'deleted' for destroyed
sessions
Version 1.4.11 - 29 September 2007
----------------------------------
- Minimum PHP requirement raised from 4.0.6 to 4.1.0.
SquirrelMail has been broken for a while with 4.0.x without anyone
noticing, this move merely reflects reality.
- Fix broken set_url_var function in functions/html.php (#1729814).
- Fix config.pl not detecting auth support correctly (#1727033).
- Fix display of X-Priority in message view.
- Work around mailers sending broken Date headers with no space after the
first comma.
- Let POP3 class properly cope with lines starting with a '.'.
- Some HTML validation cleanups.
- Invalid year in sent_subfolders plugin (#1607380).
- Always treat Content-Type case-insensitively (#1732092).
- Fix typo: html/plain should be text/html.
- Fix en/decode header swith in MDN (#1694687).
- Fix compatibility with Windows path in administrator plugin (#1740469).
- Fix disabling password encryption in mail_fetch (#1738001).
- Fix busy loop and notice when two literals in IMAP fetch (#1739433).
- Backported code for site wide SMTP authentication (#1531889).
- Fixed issue with compose session not being cleaned after message is
saved or sent.
- Added ability to detect HTTP_X_FORWARDED_PROTO in get_location(),
thanks to Daniel Watts
- Fix test for signout.php in the logged in check in is_logged_in() so it
cannot be circumvented by manipulating the URL. External plugins might
rely on this function guaranteeing that the user is logged in.
- Use attachment_dir only at the point where we're actually
reading from / writing to the files, do not carry it around
in the object. This makes us safer in the event the object
is somehow exposed to the outside world.
- Better support mailboxes named 'None' (#1598890).
- Sort readdir() output in conf.pl (#1755886).
- Fix message cache in printer friendly, thanks Tomas Kuliavas.
- Made the webmail_top hook work again for plugins that want to change
the URI of the "right" frame; plugins have to change the value of the
global variable $right_frame_url
- Fix issue in darkness theme with extra closing bracket.
- No longer store all message composition sessions in the PHP session,
since it was not made use of and in rare cases, made sessions too big.
- Composition restoration functionality now correctly restores attachments.
- Added smtp_auth hook.
- Change default Selection List Style to Indented.
- Added "preselected" query argument to mailbox list.
- Added mailbox_display_buttons hook.
- Removed "Include CCs when Forwarding Messages", which had no functionality
whatsoever.
- Make the Message Details plugin actually show the correct entity when
viewing details of attached messages.
- Fixed URL for Read Receipts being incorrect in some cases (#1177518).
- Fixed endless loop when trying to parse "From: )(" (#1517867).
- Using is_file() instead of file_exists() in fortune plugin (#1499134).
- Add manual page for conf.pl under contrib.
- Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346).
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
This release is very important, and we strongly advise everybody to
update to the latest release.
Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
