dovecot is vulnerable to command injection. On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected.
dovecot.org/security
lists.fedoraproject.org/archives/list/[email protected]/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/
lists.fedoraproject.org/archives/list/[email protected]/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/
secdb.alpinelinux.org/edge/main.yaml
security.gentoo.org/glsa/202107-41
www.openwall.com/lists/oss-security/2021/06/28/2