From: Timo Sirainen Date: Mon, 14 Jun 2021 09:47:15 +0000 (+0300) Subject: NEWS: Updates for v2.3.15 X-Git-Tag: 2.3.15^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Frelease-2.3.15;p=thirdparty%2Fdovecot%2Fcore.git NEWS: Updates for v2.3.15 --- diff --git a/NEWS b/NEWS index ab7b628e77..29e570e9f2 100644 --- a/NEWS +++ b/NEWS @@ -1,8 +1,11 @@ -v2.3.15 2021-05-27 Aki Tuomi +v2.3.15 2021-06-21 Aki Tuomi * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has local access. + * CVE-2021-33515: On-path attacker could have injected plaintext commands + before STARTTLS negotiation that would be executed after STARTTLS + finished with the client. * Disconnection log messages are now more standardized across services. They also always now start with "Disconnected" prefix. * Dovecot now depends on libsystemd for systemd integration. @@ -65,6 +68,8 @@ v2.3.15 2021-05-27 Aki Tuomi - fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have resulted in Panic: file message-parser.c: line 802 (message_parser_deinit_from_parts): assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input)) + - imap: SETMETADATA could not be used to unset metadata values. + Instead NIL was handled as a "NIL" string. v2.3.14 regression. - imap: IMAP BINARY FETCH crashes at least on empty base64 body: Panic: file index-mail-binary.c: line 358 (blocks_count_lines): assertion failed: (block_count == 0 || block_idx+1 == block_count)
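Review bot: The CVE-2021-33515 entry in the first hunk does not name the affected service or protocol. It mentions only STARTTLS, so an administrator reading NEWS cannot tell from this text whether their listeners are exposed. Suggest naming the service in the entry and rewording "that would be executed after STARTTLS finished with the client" to say plainly that commands sent in plaintext before the handshake were buffered and then processed once TLS was established. The header line in the same hunk moves the release date from 2021-05-27 to 2021-06-21, which is later than this commit's own date of 14 Jun 2021; worth confirming it matches the planned tag date.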
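Review bot: In the second hunk, the new SETMETADATA entry puts its regression marker at the end ("... as a "NIL" string. v2.3.14 regression."), while the fts-tika entry just above it in the context lines leads with it ("fts-tika: v2.3.11 regression: Indexing messages ..."). Suggest the same leading form here, for example "- imap: v2.3.14 regression: SETMETADATA could not be used to unset metadata values.", so that regressions stay easy to scan and grep for in NEWS.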