+JH/02 Add transaction support for hintsdbs. The providers supported are tdb and
+ sqlite. Transactions are used for the wait-transport and retry DBs.
+ They imply locking internal to the DB. We no longer need a separate
+ lockfile, can keep the DB handle open for extended periods, yet
+ potentially benefit from concurrency on non-conflicting record uses.
+
+JH/03 With dkim_verify_minimal, avoid calling the DKIM ACL after the first
+ good verify.
+
+JH/04 Remove the docs and support scripts dealing with conversion of Exim
+ version 3 installations.
+
+JH/05 Fix hintsdb support for dbmjz when compiled using sqlite3. Previously
+ the backend support assumed keys would be simple C strings, but dbmjz
+ uses keys with embedded NUL bytes. The builtin hintsdb use is unaffected,
+ but installations using dbmjz will need to rebuild those DBs.
+
+JH/06 Bug 1141: When operating a continued-connection transport, verify that
+ the interface option, if specified, evaluates to match the connection.
+ Previously, a queued message for the same host was sent without checking.
+
+JH/07 Bug 3106: Fix coding in SPA authenticator. A macro argument was not
+ properly parenthesized, resulting in a logic error. While the simple
+ fix was provided by Andrew Aitchison, the over-large code block resulting
+ from this macro made me want to replace it with a real function so more
+ extensive rework becamse needed.
+
+JH/08 The output of "exim -bV" now includes lookup types built as dynamic-load
+ modules.
+
+JH/09 Not a change, but worthy of note: There is no test coverage of the
+ heimdall-gssapi authenticator driver. It does build, though with (on at
+ least one platform) library version conflicts with the gsasl auth
+ driver). Confidence in its operation is lacking.
+
+JH/10 Bug 3108: On platforms not providing strchrnul() [OpenBSD] supply a proper
+ prototype (as well as implementaton). Previously, a return type "int"
+ was assumed, resulting in type-conversion bugs when int and pointer had
+ different size. This resulted in crashes while processing DKIM signatures
+ of received messages. Identification and fix from Qualys Security.
+
+JH/11 Lookups built as dynamic-load modules which support a single lookup
+ type are now only loaded if required by the config. Previously all lookup
+ modules present in the modules directory were loaded; this now applies
+ only to those supporting multiple types.
+
+JH/12 Bug 3112: Fix logging of config-file position for "obsolete lookup
+ syntax". Previously, the end of the top-level file was reported.
+
+JH/13 Bug 3120: Fix parsing of DKIM pubkey DNS record. Previously a crafted
+ record could crash the meesage recieve process. Investigation by
+ Maxim Galaganov.
+
+JH/14 Bug 3116: Fix crash in dkim signing. On kernels supporting immutable
+ memory segments, a write was done into one when a constant string was
+ configured for a transport's dkim private key.
+
+JH/15 Disallow tainted metadata in lists.
+ - Change-of-separator prefixes are handled specially when they are
+ explicit text; only the remainder of the list is expanded. A change-of-
+ separator resulting from expansion will not take effect if tainted.
+ - Elements starting with a plus-sign (named-list inclusion,
+ case-interpretation etc) and (hostlist) @[] (et al) are not handled
+ specially and are still operative at this time - but warnings are logged;
+ if any of these are needed in a list with a tainted element (which taints
+ the entire list at string-expansion time) then a named-list can be used
+ for that element.
+ - Exclamation-marks ("!" signifying negation) are not checked for taint
+ at this time.