diff --git a/CHANGES.txt b/CHANGES.txt
index 12385abf6bd8aedc64f7eafe6e2b9e1dd23084d5..0039f56c42d135da0ac4eae410b468e3bc6abc3c 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
This file contains the changes to the Roundup system over time. The entries
are given with the most recent entry first.
-2009-12-XX 1.4.11 (rXXXX)
+2010-02-09 1.4.12 (r4455)
+
+Features:
+- Support IMAP CRAM-MD5, thanks Jochen Maes
+
+Fixes:
+- Proper handling of 'Create' permissions in both mail gateway (earlier
+ commit r4405 by Richard), web interface, and xmlrpc. This used to
+ check 'Edit' permission previously. See
+ http://thread.gmane.org/gmane.comp.bug-tracking.roundup.devel/5133
+ Add regression tests for proper handling of 'Create' and 'Edit'
+ permissions.
+- Fix handling of non-ascii in realname in the nosy mailer, this used to
+ mangle the email address making it unusable when replying. Thanks to
+ intevation for funding the fix.
+- Fix documentation on user required to run the tests, fixes
+ issue2550618, thanks to Chris aka 'radioking'
+- Add simple doc about translating customised tracker content
+- Add "flup" setup documentation, thanks Christian Glass
+- Fix "Web Access" permission check to allow serving of static files to
+ Anonymous again
+- Add check for "Web Access" permission in all web templating permission
+ checks
+- Improvements in upgrading documentation, thanks Christian Glass
+- Display 'today' in the account user's timezone, thanks David Wolever
+- Fix file handle leak in some web interfaces with logging turned on,
+ fixes issue1675845
+- Attempt to generate more human-readable addresses in email, fixes
+ issue2550632
+- Allow value to be specified to multilink form element templating, fixes
+ issue2550613, thanks David Wolever
+- Fix thread safety with stdin in roundup-server, fixes issue2550596
+ (thanks Werner Hunger)
+
+
+2009-12-21 1.4.11 (r4413)
Features:
- Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Fixes:
+- Fix security hole allowing user permission escalation (thanks Ralf
+ Schlatterbeck)
- More SSL fixes. SSL wants the underlying socket non-blocking. So we
don't call socket.setdefaulttimeout in case of SSL. This apparently
never raises a WantReadError from SSL.