Start release notes for 2.14.17
Change-Id: I2ed9febe8e1935fd6aebfe1da76cb619204cdf64
diff --git a/pages/site/releases/2.14.md b/pages/site/releases/2.14.md
index c8c3045..6fed3ef 100644
--- a/pages/site/releases/2.14.md
+++ b/pages/site/releases/2.14.md
@@ -320,10 +320,10 @@
## Dependency Updates
* Update auto-value to 1.4 (updated to 1.6.2 in 2.14.12)
-* Update Bouncy Castle to 1.56
+* Update Bouncy Castle to 1.56 (updated to 1.60 in 2.14.17)
* Update codemirror to 5.25.0
* Update commons-compress to 1.12
-* Update Guava to 21.0 (updated to 22.0 in 2.14.6)
+* Update Guava to 21.0 (updated to 24.1.1-jre in 2.14.17)
* Update Guice to 4.1.0 (updated to 4.2.0 in 2.14.11)
* Update GWT to 2.8.0 (updated to 2.8.2 in 2.14.6)
* Update gwtjsonrpc to 1.11
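Review bot: On the Guava line the earlier annotation "(updated to 22.0 in 2.14.6)" is replaced rather than extended, so the list no longer shows which Guava version releases 2.14.6 through 2.14.16 carry. Consider keeping both steps, for example "(updated to 22.0 in 2.14.6 and to 24.1.1-jre in 2.14.17)", or confirm that the 2.14.6 entry under Bugfix Releases still records the 22.0 bump.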
@@ -331,7 +331,7 @@
* Update JavaEWAH to 1.1.6
* Update JGit to 4.7.0.201704051617-r (updated to 4.7.6.201810191618-r in 2.14.16)
* Update jsch to 0.1.54
-* Update Lucene to 5.5.2
+* Update Lucene to 5.5.2 (updated to 5.5.5 in 2.14.17)
* Update mina to 2.0.16
* Update ow2-asm to 5.1
* Update prolog-cafe to 1.4.2
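Review bot: Lucene is the only line in this hunk annotated for 2.14.17, yet the 2.14.17 entry added further down also upgrades Jetty, postgresql and Apache Derby. The visible context has no Jetty line between JavaEWAH and JGit and no postgresql line between ow2-asm and prolog-cafe, and in the previous hunk commons-compress is followed directly by Guava with no Derby line. If the Dependency Updates list is meant to let a reader see the currently shipped version of each library, add entries for these three. If it only tracks libraries that were bumped in 2.14.0, say so in the section so the omission is not read as "unchanged".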
@@ -339,6 +339,48 @@
## Bugfix Releases
+### 2.14.17
+
+* [Issue 9952](https://bugs.chromium.org/p/gerrit/issues/detail?id=9952):
+Upgrade dependencies to newer versions to fix CVEs.
+
+ * [CVE-2015-1832](https://nvd.nist.gov/vuln/detail/CVE-2015-1832):
+ Upgrade Apache Derby to 10.12.1.1
+ * [CVE-2018-10936](https://nvd.nist.gov/vuln/detail/CVE-2018-10936):
+ Upgrade postgresql to 42.2.5
+ * [CVE-2017-12629](https://nvd.nist.gov/vuln/detail/CVE-2017-12629):
+ Upgrade Lucene to 5.5.5
+ * [CVE-2018-10237](https://nvd.nist.gov/vuln/detail/CVE-2018-10237):
+ Upgrade guava to 24.1.1-jre
+ * [CVE-2018-1000180](https://nvd.nist.gov/vuln/detail/CVE-2018-1000180),
+ [CVE-2018-1000613](https://nvd.nist.gov/vuln/detail/CVE-2018-1000613):
+ Upgrade Bouncycastle to 1.60
+ * [CVE-2017-7656](https://nvd.nist.gov/vuln/detail/CVE-2017-7656),
+ [CVE-2017-7657](https://nvd.nist.gov/vuln/detail/CVE-2017-7657),
+ [CVE-2017-7658](https://nvd.nist.gov/vuln/detail/CVE-2017-7658),
+ [CVE-2017-9735](https://nvd.nist.gov/vuln/detail/CVE-2017-9735),
+ [CVE-2018-12536](https://nvd.nist.gov/vuln/detail/CVE-2018-12536):
+ Upgrade Jetty to 9.3.24.v20180605
+
+* [Issue 9969](https://bugs.chromium.org/p/gerrit/issues/detail?id=9969):
+Fix incorrect dependency on httpcore-nio for Elasticsearch.
+
+ The Elasticsearch REST client depends on version 4.4.5 of httpcore-nio,
+ but the version provided by Gerrit was 4.4.1.
+
+* Remove dependency on httpmime.
+
+ httpmime was a dependency of Apache Solr, which was removed from Gerrit
+ some time ago.
+
+* Fix unnecessary reads of change note refs when NoteDb is disabled.
+
+ Change notes packed refs were unnecessarily being read and parsed when
+ NoteDb was disabled.
+
+ See the [mailing list discussion](https://groups.google.com/d/msg/repo-discuss/2JgaofWQYpY/wdLY5tiWAgAJ)
+ for more information.
+
### 2.14.16
* [Issue 9836](https://bugs.chromium.org/p/gerrit/issues/detail?id=9836):
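Review bot: The CVE sub-list under Issue 9952 gives only the CVE id and the target version, so an administrator reading the notes cannot tell whether Gerrit itself was exposed through its use of each library or whether the bump is precautionary. Consider adding one sentence, per dependency or for the item as a whole, stating whether Gerrit is known to be affected, so sites can prioritise the upgrade. The library names also differ from the Dependency Updates list ("Bouncycastle" and "guava" here, "Bouncy Castle" and "Guava" there); use one spelling throughout. In the Issue 9969 item, state the httpcore-nio version Gerrit now provides rather than only the old 4.4.1.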