Dovecot v2.3.14.1 released
Timo Sirainen
timo at sirainen.com
Mon Jun 21 14:21:11 EEST 2021
Hi,
This is an "important fixes only" release in case you don't want to upgrade to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14 instead.
https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz <https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz>
https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz.sig>
Binary packages in https://repo.dovecot.org/ <https://repo.dovecot.org/>
Docker images in https://hub.docker.com/r/dovecot/dovecot <https://hub.docker.com/r/dovecot/dovecot>
* CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
* CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
- lib-index: Corrupted mime.parts in dovecot.index.cache may have
resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body):
assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))
- imap: SETMETADATA could not be used to unset metadata values.
Instead NIL was handled as a "NIL" string. v2.3.14 regression.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20210621/3c63262d/attachment.html>
More information about the dovecot
mailing list