<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Hi,</div><div class=""><br class=""></div><div class="">This is an "important fixes only" release in case you don't want to upgrade to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14 instead.</div><div class=""><br class=""></div><a href="https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz" class="">https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz</a><br class=""><a href="https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz.sig" class="">https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz.sig</a><br class=""><br class=""><div class="">Binary packages in <a href="https://repo.dovecot.org/" class="">https://repo.dovecot.org/</a><br class="">Docker images in <a href="https://hub.docker.com/r/dovecot/dovecot" class="">https://hub.docker.com/r/dovecot/dovecot</a></div><div class=""><br class=""></div><div class=""><div class=""> * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in</div><div class=""> JWT tokens. This may be used to supply attacker controlled keys to</div><div class=""> validate tokens, if attacker has local access.</div><div class=""> * CVE-2021-33515: On-path attacker could have injected plaintext commands</div><div class=""> before STARTTLS negotiation that would be executed after STARTTLS</div><div class=""> finished with the client.</div><div class=""> - lib-index: Corrupted mime.parts in dovecot.index.cache may have</div><div class=""> resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body):</div><div class=""> assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))</div><div class=""> - imap: SETMETADATA could not be used to unset metadata values.</div><div class=""> Instead NIL was handled as a "NIL" string. v2.3.14 regression.</div></div><div class=""><br class=""></div></body></html>