X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=doc%2Fdoc-txt%2FNewStuff;h=2986b2cdd9ccb7af902293067727eb74e6f99cad;hb=2b68e140a846db4f24f4e29dfa16db73dc35c37f;hp=3555d8c1202eef86d4c09a898cfdef783c8ee23a;hpb=19fdbfb4a2b6ca4a6a96ef52be848f0a23e2414f;p=user%2Fhenk%2Fcode%2Fexim.git

diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 3555d8c12..2986b2cdd 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -17,13 +17,18 @@ Version 4.96
 
  4. An event for failing TLS connects to the daemon.
 
- 5. Tainted data used for a query-style lookup should be quoted using the
-    expansion item for the lookup type.  If not, a warning will be written to
-    the main and panic logs.  A future release will enforce this by failing
-    the lookup.
+ 5. The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
 
- 6. The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
+ 6. Query-style lookups are now checked for quoting, if the query string is
+    built using untrusted data ("tainted").  For now lack of quoting is merely
+    logged; a future release will upgrade this to an error.
 
+ 7. The expansion conditions match_<list-type> and inlist now set $value for
+    the expansion of the "true" result of the ${if}.  With a static list, this
+    can be used for de-tainting.
+
+ 8. Recipient verify callouts now set $domain_data & $local_part_data, with
+    de-tainted values.
 
 Version 4.95
 ------------