commit 56453a952d86912d8c577728712a18cad7fcd08e
author David Pursehouse <dpursehouse@collab.net> Wed Nov 07 11:44:21 2018 +0900
committer David Pursehouse <dpursehouse@collab.net> Wed Nov 07 11:44:21 2018 +0900
tree 4c26df7c9feb5fa8a9798a350254877e20d74021
parent dcb4f356734194c1ea67126de945a1b28936fb92

Start release notes for 2.14.17

Change-Id: I2ed9febe8e1935fd6aebfe1da76cb619204cdf64

pages/site/releases/2.14.md

diff --git a/pages/site/releases/2.14.md b/pages/site/releases/2.14.md
index c8c3045..6fed3ef 100644
--- a/pages/site/releases/2.14.md
+++ b/pages/site/releases/2.14.md
@@ -320,10 +320,10 @@
 ## Dependency Updates
 
 * Update auto-value to 1.4 (updated to 1.6.2 in 2.14.12)
-* Update Bouncy Castle to 1.56
+* Update Bouncy Castle to 1.56 (updated to 1.60 in 2.14.17)
 * Update codemirror to 5.25.0
 * Update commons-compress to 1.12
-* Update Guava to 21.0 (updated to 22.0 in 2.14.6)
+* Update Guava to 21.0 (updated to 24.1.1-jre in 2.14.17)
 * Update Guice to 4.1.0 (updated to 4.2.0 in 2.14.11)
 * Update GWT to 2.8.0 (updated to 2.8.2 in 2.14.6)
 * Update gwtjsonrpc to 1.11
@@ -331,7 +331,7 @@
 * Update JavaEWAH to 1.1.6
 * Update JGit to 4.7.0.201704051617-r (updated to 4.7.6.201810191618-r in 2.14.16)
 * Update jsch to 0.1.54
-* Update Lucene to 5.5.2
+* Update Lucene to 5.5.2 (updated to 5.5.5 in 2.14.17)
 * Update mina to 2.0.16
 * Update ow2-asm to 5.1
 * Update prolog-cafe to 1.4.2
@@ -339,6 +339,48 @@
 
 ## Bugfix Releases
 
+### 2.14.17
+
+* [Issue 9952](https://bugs.chromium.org/p/gerrit/issues/detail?id=9952):
+Upgrade dependencies to newer versions to fix CVEs.
+
+  * [CVE-2015-1832](https://nvd.nist.gov/vuln/detail/CVE-2015-1832):
+  Upgrade Apache Derby to 10.12.1.1
+  * [CVE-2018-10936](https://nvd.nist.gov/vuln/detail/CVE-2018-10936):
+  Upgrade postgresql to 42.2.5
+  * [CVE-2017-12629](https://nvd.nist.gov/vuln/detail/CVE-2017-12629):
+  Upgrade Lucene to 5.5.5
+  * [CVE-2018-10237](https://nvd.nist.gov/vuln/detail/CVE-2018-10237):
+  Upgrade guava to 24.1.1-jre
+  * [CVE-2018-1000180](https://nvd.nist.gov/vuln/detail/CVE-2018-1000180),
+  [CVE-2018-1000613](https://nvd.nist.gov/vuln/detail/CVE-2018-1000613):
+  Upgrade Bouncycastle to 1.60
+  * [CVE-2017-7656](https://nvd.nist.gov/vuln/detail/CVE-2017-7656),
+  [CVE-2017-7657](https://nvd.nist.gov/vuln/detail/CVE-2017-7657),
+  [CVE-2017-7658](https://nvd.nist.gov/vuln/detail/CVE-2017-7658),
+  [CVE-2017-9735](https://nvd.nist.gov/vuln/detail/CVE-2017-9735),
+  [CVE-2018-12536](https://nvd.nist.gov/vuln/detail/CVE-2018-12536):
+  Upgrade Jetty to 9.3.24.v20180605
+
+* [Issue 9969](https://bugs.chromium.org/p/gerrit/issues/detail?id=9969):
+Fix incorrect dependency on httpcore-nio for Elasticsearch.
+
+  The Elasticsearch REST client depends on version 4.4.5 of httpcore-nio,
+  but the version provided by Gerrit was 4.4.1.
+
+* Remove dependency on httpmime.
+
+  httpmime was a dependency of Apache Solr, which was removed from Gerrit
+  some time ago.
+
+* Fix unnecessary reads of change note refs when NoteDb is disabled.
+
+  Change notes packed refs were unnecessarily being read and parsed when
+  NoteDb was disabled.
+
+  See the [mailing list discussion](https://groups.google.com/d/msg/repo-discuss/2JgaofWQYpY/wdLY5tiWAgAJ)
+  for more information.
+
 ### 2.14.16
 
 * [Issue 9836](https://bugs.chromium.org/p/gerrit/issues/detail?id=9836):