Merge branch 'stable-2.5' into stable-2.6

* stable-2.5:
  Release notes for 2.5.4
  Require preferred email to be a verified address
  Corrections in the 2.5.x release notes

Conflicts:
	ReleaseNotes/ReleaseNotes-2.5.2.txt
	gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/account/AccountSecurityImpl.java

Change-Id: I08731949f0e7a87604ca003b81e6dbe63678bd82

ReleaseNotes/ReleaseNotes-2.5.1.txt

@@ -7,7 +7,7 @@ link:http://code.google.com/p/gerrit/downloads/detail?name=gerrit-full-2.5.1.war
 
 There are no schema changes from 2.5, or 2.5.1.
 
-However, if upgrading from anything earlier version, follow the upgrade
+However, if upgrading from a version older than 2.5, follow the upgrade
 procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].
 
 Security Fixes

ReleaseNotes/ReleaseNotes-2.5.3.txt

@@ -5,9 +5,9 @@ Gerrit 2.5.3 is now available:
 
 link:http://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.5.3.war[http://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.5.3.war]
 
-There are no schema changes from any member of the 2.5.x versions.
+There are no schema changes from any of the 2.5.x versions.
 
-However, if upgrading from anything earlier version, follow the upgrade
+However, if upgrading from a version older than 2.5, follow the upgrade
 procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].
 
 Security Fixes

ReleaseNotes/ReleaseNotes-2.5.4.txt

@@ -0,0 +1,22 @@
+Release notes for Gerrit 2.5.4
+==============================
+
+Gerrit 2.5.4 is now available:
+
+link:http://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.5.4.war[http://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.5.4.war]
+
+There are no schema changes from any of the 2.5.x versions.
+
+However, if upgrading from a version older than 2.5, follow the upgrade
+procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].
+
+Bug Fixes
+---------
+* Require preferred email to be verified
++
+Some users were able to select a preferred email address that was
+not previously verified. This may have allowed the server to send
+notifications to an invalid destination, resulting in higher than
+usual bounce rates.
+
+No other changes since 2.5.3.

ReleaseNotes/index.txt

@@ -9,6 +9,7 @@ Version 2.6.x
 [[2_5]]
 Version 2.5.x
 -------------
+* link:ReleaseNotes-2.5.4.html[2.5.4]
 * link:ReleaseNotes-2.5.3.html[2.5.3]
 * link:ReleaseNotes-2.5.2.html[2.5.2]
 * link:ReleaseNotes-2.5.1.html[2.5.1]

gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/account/AccountSecurityImpl.java

@@ -14,6 +14,7 @@
 
 package com.google.gerrit.httpd.rpc.account;
 
+import com.google.common.base.Strings;
 import com.google.gerrit.common.ChangeHooks;
 import com.google.gerrit.common.data.AccountSecurity;
 import com.google.gerrit.common.data.ContributorAgreement;
@@ -217,12 +218,17 @@ class AccountSecurityImpl extends BaseServiceImplementation implements
       final ContactInformation info, final AsyncCallback<Account> callback) {
     run(callback, new Action<Account>() {
       public Account run(ReviewDb db) throws OrmException, Failure {
-        final Account me = db.accounts().get(user.get().getAccountId());
+        IdentifiedUser self = user.get();
+        final Account me = db.accounts().get(self.getAccountId());
         final String oldEmail = me.getPreferredEmail();
         if (realm.allowsEdit(Account.FieldName.FULL_NAME)) {
-          me.setFullName(name != null && !name.isEmpty() ? name : null);
+          me.setFullName(Strings.emptyToNull(name));
         }
-        me.setPreferredEmail(emailAddr);
+        if (!Strings.isNullOrEmpty(emailAddr)
+            && !self.getEmailAddresses().contains(emailAddr)) {
+          throw new Failure(new PermissionDeniedException("Email address must be verified"));
+        }
+        me.setPreferredEmail(Strings.emptyToNull(emailAddr));
         if (useContactInfo) {
           if (ContactInformation.hasAddress(info)
               || (me.isContactFiled() && ContactInformation.hasData(info))) {