Release preparation

Author: schlatterbeck

CHANGES.txt

@@ -3,7 +3,7 @@ Entries are given with the most recent entry first.
 Each entry has the developer who committed the change in brackets.
 Entries without name were done by Richard Jones.
 
-2012-XX-XX: 1.4.20
+2012-05-15: 1.4.20
 
 Features:
 

doc/announcement.txt

@@ -1,57 +1,109 @@
-I'm proud to release version 1.4.19 of Roundup which introduces some
-minor features and, as usual, fixes some bugs:
+I'm proud to release version 1.4.20 of Roundup which can be seen as a
+security release. We've fixed several security issues, in particular
+some XSS issues. We've also dropped support for python 2.4 with this
+release. This release also introduces some minor features and, as usual,
+fixes some bugs:
 
 Features:
 
-- Xapian indexing improved: Slightly faster and slightly smaller database. 
-  Closes issue2550687. Thanks to Olly Betts for the patch. (Bernhard Reiter)
-- PostgreSQL backend minor improvement: database creation less likely to fail
-  for PostgreSQL versions >= 8.1 as the table "postgres" is used by default.
-  Closes issue2550543. Thanks to Kai Storbeck for the patch. (Bernhard Reiter)
-- Allow HTMLRequest.batch to filter on other permissions than "View"
-  (e.g. on the new "Search" permission") by adding a "permission"
-  parameter. Thanks to Eli Collins for the patch. Closes issue2550699. (Ralf)
+- Experimental support for the new Chameleon templating engine.
+  We now have two configurable templating engines, the old Zope TAL
+  templates (called zopetal in the config) and the new Chameleon (called
+  chameleon in the config). A new config-option "template_engine" under
+  [main] can take these config-options, the default is zopetal.
+  Thanks to Cheer Xiao for the idea of making this configurable *and*
+  for the actual implementation! (Ralf)
+  WARNING: Chameleon support is highly experimental and *not* recommended for
+  production use. It has known performance issues and i18n is not yet
+  functioning. It's still under active development. Only use this feature if
+  you want to experiment with Chameleon and/or help with Roundup
+  developement. If you found a bug in Chameleon support, please report after
+  testing against latest Roundup source from the Mercurial repository.
+- issue2550678: Allow pagesize=-1 which returns all results.
+  Suggested and implemented by John Kristensen. 
+  Tested by Satchidanand Haridas. (Bernhard)
+- Allow to turn off translation of generated html options in menu method
+  of LinkHTMLProperty and MultilinkHTMLProperty -- default is
+  translation as it used to be (Ralf)
+- Sending of OpenPGP encrypted mail to all users or selected users (via
+  roles) is now working. (Ralf)
+- Add config-option "nosy" to messages_to_author setting in [nosy]
+  section of config: This will send a message to the author only
+  in the case where the author is on the nosy-list (either added
+  earlier or via the add_author setting). Current config-options
+  for this setting will send / not send to author without considering
+  the nosy list. (Ralf)
 
 Fixed:
 
-- Installation: Fixed an issue that prevented use of EasyInstall 
-  and a Python egg. Thanks to Satchidanand Haridas for the patch and
-  John Kristensen for testing it. (Bernhard Reiter)
-- The PostgreSQL backend quotes database names now for CREATE and DROP, 
-  enabling more exotic tracker names. Closes issue2550497. 
-  Thanks to Sebastian Harl for providing the patch. (Bernhard Reiter)
-- Updated the url to point to www.roundup-tracker.org in two places in the
-  docs. (Bernhard Reiter)
-- Do not depend on a CPython implementation detail anymore to make Roundup 
-  more compatible with other Python implementations like PyPy.
-  Closes issue2550707. Thanks to Christof Meerwald. (Bernhard Reiter, Richard)
-- Yet another fix to the mail gateway, messages got *all* files of
-  an issue, not just the new ones. Thanks to Rafal Bisingier for
-  reporting and proposing a fix. The regression test was updated.
+- issue2550730: FAQ has broken link to Zope book. Reported and fixed by
+  John Rouillard.(Bernhard)
+- issue2550728: remove buggy parentheses in TAL/DummyEngine.py.
+  Reported and fixed by Ralf Hemmecke. (Bernhard)
+- issue2550715: IndexError when requesting non-existing file via http.
+  Reported and fixed by Cedric Krier. (Bernhard)
+- issue2550712: exportcsvaction errors poorly when given invalid columns.
+  Reported by Will Kahn-Greene, fixed by Cedric Krier. (Bernhard)
+- issue2550695: 'No sort or group' settings not retained when editing queries.
+  Reported and fixed by John Kristensen. Tested by Satchidanand Haridas. 
+  (Bernhard)
+- Fix matching of incoming email addresses to the alternate_addresses
+  field of a user -- this would match substrings, e.g. if the user has
+  [email protected] as an alternate email and an incoming mail
+  is addressed to [email protected] this would (wrongly) match. (Ralf)
+- issue2550729: Fix password history display for anydbm backend, thanks
+  to Ralf Hemmecke for reporting. (Ralf)
+- OpenPGP support is again working (pyme API has changed significantly) and
+  we now have a regression test. We now take care that bounce-messages
+  for incoming encrypted mails or mails where the policy dictates that
+  outgoing traffic should be encrypted is actually OpenPGP encrypted. (Ralf)
+- Ignore confirm set() fields by themselves in the absence of non-"confirm"
+  values; otherwise a bare confirm field can be used to change the a
+  password. Reported by Cam Blackwood. (Ralf)
+- Updated version of simplified Chinese message file by Cheer Xiao:
+  Corrected some mistakes, added a few more items and did some
+  formating. (Ralf)
+- Fix xmlrpc URL parsing so that passwords may contain a ':' character
   (Ralf)
-- Fix version numbers in upgrade documentation, the file-unlink defect
-  was in 1.4.17 not 1.4.16. Thanks to Rafal Bisingier. (Ralf)
-- Fix encoded email header parsing if multiple encoded and non-encoded
-  parts are present. RFC2047 specifies that spacing is removed only
-  between encoded parts, we always removed the space. Note that this bug
-  was present before mail gateway refactoring :-) Thanks for thorough
-  testing of mail gateway code by Rafal Bisingier. (Ralf)
-- The "Retire" permission was not being registered. (Richard)
-- Fix StringIO issue2550713: io.StringIO in newer versions of python
-  returns unicode strings and expects a unicode string in the
-  constructor. Unfortunately csv  doesn't handle unicode (yet). So we
-  need to use a BytesIO which gets the utf-8 string from the
-  web-interface. Compatibility for old versions by using
-  StringIO.StringIO for emulating a io.BytesIO also works.
-  Thanks to Cedric Krier for reporting. Closes issue2550713.
-  Added a regression test for EditCSVAction (Ralf)
-- Fix issue2550691 where a Unix From-Header was sometimes inserted in
-  outgoing emails, thanks to Joseph Myers for the patch. (Ralf)
+- Be more tolerant when parsing RFC2047 encoded mail headers. Use
+  backported version of my proposed changes to
+  email.header.decode_header in http://bugs.python.org/issue1079
+  (Ralf)
+- issue2550684 Fix XSS vulnerability when username contains HTML code,
+  thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)
+- issue2550711 Fix XSS vulnerability in @action parameter,
+  thanks to "om" for reporting. (Ralf)
+- issue2550535 In some cases even when keep_quoted_text=yes is
+  configured we would strip quoted sections. This hit the python
+  bug-tracker especially for python interpreter examples with leading
+  '>>>' strings. The fix is slightly different compared to the proposal
+  as this broke keep_quoted_text=no in certain cases. We also fix a bug
+  where keep_quoted_text=no would drop the last line of a non-quoted
+  section if there wasn't an empty line between the next quotes. (Ralf)
+- issue2431638 wrong registration link in bounce mail for non-registered
+  users reported *years* ago by anonymous (Ralf)
+- Fix doc/upgrading.txt which produces errors with latest docutils about
+  wrong block structure. Fix .gitignore in doc directory. Thanks to
+  Cheer Xiao for the patches. (Ralf)
+- Fix wrong execute permissions on some files, thanks to Cheer Xiao for
+  the patch. (Ralf)
+- Fix override of TemplatingUtils in instance.py, thanks to Cheer Xiao
+  for the patch. (Ralf)
+- Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for
+  reporting. (Ralf)
+- Mark cookies HttpOnly and -- if https is used -- secure. Fixes
+  issue2550689, but is untested if this really works in browsers.
+  Thanks to Joseph Myers for reporting. (Ralf)
+- Fix another XSS with the ok- and error message, see issue2550724. We
+  solve this differently from the proposals in the bug-report by not
+  allowing *any* html-tags in ok/error messages anymore. Thanks to 
+  David Benjamin for the bug-report and to Ezio Melotti for several
+  proposed fixes. (Ralf)
 
 If you're upgrading from an older version of Roundup you *must* follow
 the "Software Upgrade" guidelines given in the maintenance documentation.
 
-Roundup requires python 2.4 or later (but not 3+) for correct operation.
+Roundup requires python 2.5 or later (but not 3+) for correct operation.
 
 To give Roundup a try, just download (see below), unpack and run::
 
@@ -85,7 +137,7 @@ Roundup manages a number of issues (with flexible properties such as
 The system will facilitate communication among the participants by managing
 discussions and notifying interested parties when issues are edited. One of
 the major design goals for Roundup that it be simple to get going. Roundup
-is therefore usable "out of the box" with any python 2.4+ (but not 3+)
+is therefore usable "out of the box" with any python 2.5+ (but not 3+)
 installation. It doesn't even need to be "installed" to be operational,
 though an install script is provided.
 

roundup/__init__.py

@@ -67,6 +67,6 @@
 '''
 __docformat__ = 'restructuredtext'
 
-__version__ = '1.4.19'
+__version__ = '1.4.20'
 
 # vim: set filetype=python ts=4 sw=4 et si