A couple of recent security reports have spurred some work on mhonarc,
which includes looking at existing open bugs to see which ones can be
fixed quickly. It's been a very long time since the last release.

I believe all the changes I want done at this time for the next release
(which will be 2.6.17) are committed. Some changes were done some time
ago, and were only available via snapshot builds. However, I've applied some
changes recently also.

I've updated today's snapshot build to reflect changes done today.

If anyone can, in the next few days, test out the snapshot build,
please do. Due to the security items reported, I would like to do a formal
release by next week.

Here is the current change summary:
============================================================================
* Security Fixes:

  Bug ID  Summary
  ------  ------------------------------------------------------------
  32013   CVE-2010-4524: Improper escaping of certain HTML
          sequences (XSS)
  32014   CVE-2010-1677: DoS when processing html messages with deep
          tag nesting
  ------  ------------------------------------------------------------

* Bug Fixes:

  Bug ID  Summary
  ------  ------------------------------------------------------------
  13853   Creation of archive with attachments writes over symlinks
  14747   major (10X) memory savings possible in some situations
  17904   FieldOrder affects AddressModifyCode
  18113   Inconsistant thread slices w/ poor man's windowing
  24247   iso2022jp.pl: unneeded ESC ( B remains in message body
  25225   dir_create() fails to make temporary directories (PATCH)
  25486   Resource FieldStore causes .mhonarc.db to grow over bounds
  26577   Changed semantic for unpack breaks UTF-8
  ------  ------------------------------------------------------------

* Added FOLLOWSYMLINKS resource (Bug #13853).

* When KEEPONRMM is enabled, messages that are removed from
  the archive do not cause linked messages to be updated.
  This allows for pages that use $TSLICE$ to maintain thread
  links for messages that "fall off" of the maintained list
  of archived messages.

* Added pre-extraction of From name and From address. This
  provides a performance improvement for archives that make use
  of the $FROMADDR$ and $FROMADDRNAME$ resource variables along
  with author sorting.

* Added mapping of message index keys to time stamp. This should
  provide some performance gain since parsing out of time stamp from
  index is no longer required.

* Cache last message number in db to avoid directory scan of archive
  each time an add operation is performed. This provides a performance
  improvement for large archives and on file systems where directory
  reading with many files may not be optimal. Thanks go to Christopher
  Lindsey for patch.

* Added References and In-Reply-To to as-is fields list to avoid
  automatic modification of message IDs if address-rewriting is
  in effect.