This is an automated email from the ASF dual-hosted git repository. rcordier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 860b091b924e20d505ac35a2a5ccb94784ce7417 Author: Benoit Tellier <[email protected]> AuthorDate: Mon Jan 24 16:41:25 2022 +0700 [RELEASE] Disclose CVEs in 3.6.1 announce + changelog This was not done yet... --- CHANGELOG.md | 9 +++++++++ src/homepage/_posts/2021-12-02-james-3.6.1.markdown | 9 ++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a3912b..3807afd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -306,6 +306,15 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) ## [3.6.1] - 2021-12-02 +### Security + +This release fixes the following vulnerability issues, that are present prior to 3.6.1: + + - *CVE-2021-38542*: Apache James vulnerable to STARTTLS command injection (IMAP and POP3) + - *CVE-2021-40110*: Apache James IMAP vulnerable to a ReDoS + - *CVE-2021-40111*: Apache James IMAP parsing Denial Of Service + - *CVE-2021-40525*: Apache James: Sieve file storage vulnerable to path traversal attacks + ### Fixed - JAMES-3676 Avoid S3 connection leaks - JAMES-3477 Mail::duplicate did lead to file leak in various places diff --git a/src/homepage/_posts/2021-12-02-james-3.6.1.markdown b/src/homepage/_posts/2021-12-02-james-3.6.1.markdown index 1304006..15d4e73 100644 --- a/src/homepage/_posts/2021-12-02-james-3.6.1.markdown +++ b/src/homepage/_posts/2021-12-02-james-3.6.1.markdown 
@@ -11,7 +11,14 @@ Early adopters can [download it][download], any issue can be reported on our iss ## Announcements -[More announcements to follow this release] +This release fixes the following vulnerability issues, that are present prior to 3.6.1: + + - *CVE-2021-38542*: Apache James vulnerable to STARTTLS command injection (IMAP and POP3) + - *CVE-2021-40110*: Apache James IMAP vulnerable to a ReDoS + - *CVE-2021-40111*: Apache James IMAP parsing Denial Of Service + - *CVE-2021-40525*: Apache James: Sieve file storage vulnerable to path traversal attacks + +We recommend users to upgrade to this version. ## Release changelog
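Review bot: In the CHANGELOG.md hunk, the four new entries under "### Security" carry no reference a reader can follow, whereas the "### Fixed" entries directly below each cite a JAMES ticket id. Consider adding the advisory link or tracking ticket for each CVE so operators can tell which component and fix each one maps to. The intro line "that are present prior to 3.6.1" also leaves the affected range open; stating it as "affecting versions before 3.6.1" would read more clearly. The upgrade recommendation that the homepage post gets is missing here, and the entry titles are inconsistent ("Apache James: Sieve file storage" uses a colon where the other three do not, and "Denial Of Service" is capitalised differently from "command injection").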
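Review bot: In the 2021-12-02-james-3.6.1.markdown hunk, the security list replaces the "[More announcements to follow this release]" placeholder in a post dated 2021-12-02, while this commit is authored on 2022-01-24, so readers who saw the original announcement have no signal that the section was added later. Consider adding a short dated line to the post saying when the CVE disclosure was appended. The list is also a verbatim copy of the CHANGELOG.md text, so the two will drift if one is edited; linking from the post to the changelog's Security section would avoid that. Wording nit on the last added line: "We recommend users to upgrade to this version." reads better as "We recommend that users upgrade to this version."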
