path: root/CHANGES.txt
author    Brett Profitt <brett.profitt@gmail.com>  2012-05-14 17:35:53 -0700
committer Brett Profitt <brett.profitt@gmail.com>  2012-05-14 17:35:53 -0700
commit    9a59aa7a3cbb0e741b9b50b6b6ce8bd021b2479a (patch)
tree      4367db5435ab52f5f92c9cf0b8a8922d8d6ac35b /CHANGES.txt
parent    70e5ffe5f887679b10b6c6ac8a14b1f128efbb52 (diff)
Only caching access lists after 'ready', 'system' fires.
This prevents a bug where access lists could be cached and not cleared during plugin boot while access was disabled, which could expose entities set to ACCESS_PRIVATE.
Diffstat (limited to 'CHANGES.txt')
-rw-r--r--  CHANGES.txt  16
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index f5cacac29..ae0cdc333 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -8,17 +8,19 @@ Version 1.8.5
Security Enhancements:
* Fixed possible XSS vulnerability if using a crafted URL.
* Fixed exploit to bypass new user validation if using a crafted form.
+ * Fixed incorrect caching of access lists that could allow plugins
+ to show private entities to non-admin and non-owning users. (Non-exploitable)
Bugfixes:
- * Twitter API: New users are forwarded to the correct page after creating
- an account with Twitter.
- * Files: PDF files are downloaded as "inline" to display in the browser.
- * Fixed possible duplication errors when writing metadata with multiple values.
- * Fixed possible upgrade issue if using a plugin uses the system_log hooks.
- * Fixed problems when enabling more than 50 metadata or annotations.
+ * Twitter API: New users are forwarded to the correct page after creating
+ an account with Twitter.
+ * Files: PDF files are downloaded as "inline" to display in the browser.
+ * Fixed possible duplication errors when writing metadata with multiple values.
+ * Fixed possible upgrade issue if using a plugin uses the system_log hooks.
+ * Fixed problems when enabling more than 50 metadata or annotations.
API:
- * River entries' timestamps use elgg_view_friendly_time() and can be
+ * River entries' timestamps use elgg_view_friendly_time() and can be
overridden with the friendly time output view.
Version 1.8.4
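Review bot: the "(Non-exploitable)" qualifier on the new Security Enhancements entry (`+ to show private entities to non-admin and non-owning users. (Non-exploitable)`) sits uneasily beside the commit message, which says the stale cache "could expose entities set to ACCESS_PRIVATE"; either drop the qualifier or state the actual precondition from the commit message (a plugin caching access lists during boot while access checks were disabled, before the 'ready', 'system' event) so site operators can judge whether their plugin set was affected. Also, the paired `-`/`+` lines under Bugfixes and API differ only in leading whitespace; keeping that re-indent out of a security fix commit would make the substantive one-entry change reviewable at a glance.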