diff --git a/CHANGES.txt b/CHANGES.txt
index 2347b09f1f26d06f5301c39df0dbb7df650e8e41..37d98928d8e1526940b7669e3e58aa69017d82c7 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
are given with the most recent entry first. If no other name is given,
Richard Jones did the change.
-2010-??-?? 1.4.16
+20XX-XX-XX 1.4.17 (rXXXX)
+
+Features:
+
+- Add explicit "Search" permissions, see Security Fix below.
+- Add "lookup" method to xmlrpc interface (Ralf Schlatterbeck)
+
+Fixed:
+
+- Security Fix: Add a check for search-permissions: now we allow
+ searching for properties only if the property is readable without a
+ check method or if an explicit search permission (see above unter
+ "Features) is given for the property. This fixes cases where a user
+ doesn't have access to a property but can deduce the content by
+ crafting a clever search, group or sort query.
+ see doc/upgrading.txt for how to fix your trackers! (Ralf Schlatterbeck).
+- Some minor typos fixed in doc/customizing.txt (Thanks Ralf Hemmecke).
+- XML-RPC documentation now linked from the docs/index (Bernhard Reiter).
+- Fix setting of sys.path when importing schema.py, fixes issue2550675,
+ thanks to Bryce L Nordgren for reporting. (Ralf Schlatterbeck)
+- clear the cache on commit for rdbms backends: Don't carry over cached
+ values from one transaction to the next (there may be other changes
+ from other transactions) see new ConcurrentDBTest for a
+ read-modify-update cycle that fails with the old caching behavior.
+ (Ralf Schlatterbeck)
+
+2010-10-08 1.4.16 (r4541)
Features:
Added regression tests for message/rfc822 attachments with and without
configured unpacking (mailgw unpack_rfc822, see Features above)
Thanks to Benni Bärmann for reporting.
+- Allow search_popup macro to work with all db classes, issue2550567
+ (thanks John Kristensen)
+- lower memory footprint for (journal-) import
2010-07-12 1.4.15