- Add explicit "Search" permissions, see Security Fix below.

[roundup.git] / CHANGES.txt

diff --git a/CHANGES.txt b/CHANGES.txt
index 320e28d78ad12ee1588065ec64dbdce31a84f9cc..af4da31d8e0941fc93950cb9061b68adaef995d2 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -2,7 +2,24 @@ This file contains the changes to the Roundup system over time. The entries
 are given with the most recent entry first. If no other name is given,
 Richard Jones did the change.
 
-2010-??-?? 1.4.16
+20XX-XX-XX 1.4.17 (rXXXX)
+
+Features:
+
+- Add explicit "Search" permissions, see Security Fix below.
+
+Fixed:
+
+- Some minor typos fixed in doc/customizing.txt (Thanks Ralf Hemmecke).
+- Security Fix: Add a check for search-permissions: now we allow
+  searching for properties only if the property is readable without a
+  check method or if an explicit search permission (see above unter
+  "Features) is given for the property. This fixes cases where a user
+  doesn't have access to a property but can deduce the content by
+  crafting a clever search, group or sort query.
+  see doc/upgrading.txt for how to fix your trackers!
+
+2010-10-08 1.4.16 (r4541)
 
 Features:
 
@@ -44,6 +61,7 @@ Fixed:
   Thanks to Benni Bärmann for reporting.
 - Allow search_popup macro to work with all db classes, issue2550567
   (thanks John Kristensen)
+- lower memory footprint for (journal-) import
 
 
 2010-07-12 1.4.15