CVE-2021-29157: Dovecot does not correctly escape the kid and azp fields in
JWT tokens. This may be used to supply attacker-controlled keys to
validate tokens, if the attacker has local access.
CVE-2021-33515: An on-path attacker could inject plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
Add TLSv1.3 support to min_protocols.
Allow configuring ssl_cipher_suites (for TLSv1.3+).
Use OpenSSL's implementation of HMAC.
Remove autocreate, expire, snarf and mail-filter plugins.
Remove cydir storage driver.
Remove XZ/LZMA write support. Read support will be removed in a future release.
CVE-2020-24386: A specially crafted command can cause IMAP hibernate to
allow a logged-in user to access other people's emails and filesystem
information.
Metric filter and global event filter variable syntax changed to a
SQL-like format.
auth: Added new aliases for %{variables}. Usage of the old ones is
possible, but discouraged.
auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
mechanism and related password schemes.
auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
auth: Removed the postfix postmap socket.
have resulted in excessive CPU usage or a crash due to running out of
stack memory.
CVE-2020-12673: Dovecot's NTLM implementation does not correctly check the
message buffer size, which leads to reading past the allocation and can
cause a crash.
CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
CVE-2020-12674: Dovecot's RPA mechanism implementation accepts a
zero-length message, which leads to an assert-crash later on.
fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
submission-login and lmtp processes.
fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
fixes CVE-2019-11500: IMAP protocol parser does not properly handle a NUL byte
when scanning data in quoted strings, leading to out-of-bounds heap
memory writes.