![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
diff --git a/CHANGES.txt b/CHANGES.txt
index 7cc26ae7abe357735a1cfe06f44f3ceca86e2e1f..cc011fc6b04e438d8bbe7c695a989b5bf47003e4 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
(Ralf Schlatterbeck)
- Fixed bug in mailgw refactoring, patch issue2550697 (thanks Hubert
Touvet)
-- Fix first part of Password handling security issue2550688 (thanks
- Joseph Myers for reporting and Eli Collins for fixing)
+- Fix Password handling security issue2550688 (thanks Joseph Myers for
+ reporting and Eli Collins for fixing) -- this fixes all observations
+ by Joseph Myers except for auto-migration of existing passwords.
+- Add new config-option 'migrate_passwords' in section 'web' to
+ auto-migrate passwords at web-login time. Default for the new option
+ is "yes" so if you don't want that passwords are auto-migrated to a
+ more secure password scheme on user login, set this to "no" before
+ running your tracker(s) after the upgrade.
+- Add new config-option 'password_pbkdf2_default_rounds' in 'main'
+ section to configure the default parameter for new password
+ generation. Set this to a higher value on faster systems which want
+ more security. Thanks to Eli Collins for implementing this (see
+ issue2550688).
2010-10-08 1.4.16 (r4541)