From: Aki Tuomi Date: Mon, 24 May 2021 11:03:57 +0000 (+0300) Subject: NEWS: Add news for 2.3.14.1 X-Git-Tag: 2.3.14.1~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=62d2271961b2406666a73167f8164d4d8067496f;p=thirdparty%2Fdovecot%2Fcore.git NEWS: Add news for 2.3.14.1 --- diff --git a/NEWS b/NEWS index 363e210e3a..b0591bb294 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,17 @@ +v2.3.14.1 2021-06-21 Aki Tuomi + + * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in + JWT tokens. This may be used to supply attacker controlled keys to + validate tokens, if attacker has local access. + * CVE-2021-33515: On-path attacker could have injected plaintext commands + before STARTTLS negotiation that would be executed after STARTTLS + finished with the client. + - lib-index: Corrupted mime.parts in dovecot.index.cache may have + resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body): + assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0)) + - imap: SETMETADATA could not be used to unset metadata values. + Instead NIL was handled as a "NIL" string. v2.3.14 regression. + V2.3.14 2021-03-04 Aki Tuomi * Added new aliases for some variables. Usage of the old ones is possible,
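Review bot: The two CVE entries at the top of the new v2.3.14.1 block do not name the affected component, unlike the "lib-index:" and "imap:" entries right below them. For CVE-2021-33515 in particular, "plaintext commands before STARTTLS negotiation" does not tell an administrator which service or protocol listener is exposed, so they cannot judge from NEWS alone whether they need to upgrade urgently. I would prefix both entries with the component, as the bug-fix lines do. The CVE-2021-29157 entry would also benefit from saying which token validation setup is affected, since "if attacker has local access" reads as the only precondition. Minor: the entry is dated 2021-06-21 while the commit is dated 24 May 2021. If that is the planned release date, fine, otherwise please confirm it before tagging.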