[Dovecot-news] Dovecot v2.3.14.1 released

This is an “important fixes only” release in case you don’t want to upgrade to v2.3.15. There is no matching Pigeonhole release – use the same v2.3.14 instead.
dovecot.org/releases/2.3/dovecot-
dovecot.org/releases/2.3/dovecot-

Binary packages in repo.dovecot.org/
Docker images in hub.docker.com/r/dovecot/dovecot

* CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has local access.
* CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client.
- lib-index: Corrupted mime.parts in dovecot.index.cache may have resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body): assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))
- imap: SETMETADATA could not be used to unset metadata values. Instead NIL was handled as a “NIL” string. v2.3.14 regression.
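
The CVE-2021-33515 entry describes plaintext bytes that arrive before the TLS handshake and are still parsed after it. The C program below is an added example, not Dovecot's code: the `conn` struct, `next_line`, `run_session` and the sample wire bytes are constructed for illustration, and it shows the same input handled with and without discarding the pre-handshake buffer.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical per-connection state; not Dovecot's own structures. */
struct conn { char buf[256]; size_t len; int tls_active; };

/* Pop one CRLF-terminated line from the input buffer into out. */
static int next_line(struct conn *c, char *out, size_t outsz)
{
    for (size_t i = 0; i + 1 < c->len; i++) {
        if (c->buf[i] != '\r' || c->buf[i + 1] != '\n')
            continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, c->buf, n);
        out[n] = '\0';
        c->len -= i + 2;
        memmove(c->buf, c->buf + i + 2, c->len);
        return 1;
    }
    return 0;
}

/* Returns how many commands that arrived in plaintext were executed after
 * the switch to TLS. discard_pending=0 models the flaw, 1 the mitigation. */
static int run_session(int discard_pending)
{
    /* Constructed input: one plaintext read holding STARTTLS plus an extra command. */
    static const char wire[] = "STARTTLS\r\nNOOP injected\r\n";
    struct conn c = {0};
    char line[128];
    int ran_after_tls = 0;
    memcpy(c.buf, wire, sizeof(wire) - 1);
    c.len = sizeof(wire) - 1;
    while (next_line(&c, line, sizeof(line))) {
        if (!c.tls_active && strcmp(line, "STARTTLS") == 0) {
            if (discard_pending)
                c.len = 0;      /* drop bytes buffered before the handshake */
            c.tls_active = 1;   /* the TLS handshake would run here */
        } else if (c.tls_active) {
            ran_after_tls++;    /* treated as if it had come over TLS */
        }
    }
    return ran_after_tls;
}

int main(void)
{
    printf("no discard: %d, discard: %d\n", run_session(0), run_session(1));
    return 0;
}
```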