Update Gerrit v3.3.1 Release Notes
Change-Id: Ie980f3f8d369346dbcefe50eac3a27e59bd2f694
diff --git a/pages/site/releases/3.3.md b/pages/site/releases/3.3.md
index 0f6d4dd..07ed3f0 100644
--- a/pages/site/releases/3.3.md
+++ b/pages/site/releases/3.3.md
@@ -509,3 +509,74 @@
* Speaking of which, support for 7.0 and 7.1 is discontinued too, as both
elasticsearch versions also became [EOL](https://www.elastic.co/support/eol)
recently.
+
+* Security Fixes
+
+ * [Issue 12629](https://bugs.chromium.org/p/gerrit/issues/detail?id=12629):
+ Verify hostname when sending emails via SMTP server with SMTPSClient.
+
+ The SMTP server's certificate and hostname must be verified if
+ encryption is enabled with SSL verification in the host settings
+ (`sendemail.smtpEncryption` and `sendemail.sslVerify`).
+
+* PolyGerrit Fixes
+
+ * Remove requesting DETAILED_LABELS for the dashboard.
+
+ * [Issue 13785](https://bugs.chromium.org/p/gerrit/issues/detail?id=13785)
+ Add z-index to gr-main-header to avoid the box shadows being hidden behind the content.
+
+* Bug Fixes
+
+ * [Issue 13544](https://bugs.chromium.org/p/gerrit/issues/detail?id=13544)
+ Ensure that GC#deleteOrphans respects pack lock:
+
+ If pack or index files are guarded by a pack lock (.keep file)
+ deleteOrphans() should not touch the respective files protected by the
+ lock file.
+
+ * [Issue 13775](https://bugs.chromium.org/p/gerrit/issues/detail?id=13775)
+ Honor `toogleWipState` permission for `%ready` `%wip` push options:
+
+ * [Issue 13781](https://bugs.chromium.org/p/gerrit/issues/detail?id=13781)
+ Compact the REST-API output JSON unconditionally:
+
+ The output JSON was initially compacted only when
+ the Accept header was set to `application/json`: the compaction is now
+ done unconditionally, unless the `pp=1` query parameter is specified.
+
+ * [Issue 13786](https://bugs.chromium.org/p/gerrit/issues/detail?id=13786)
+ ForRef#check should permit internal users to read all refs:
+
+ [Make `PermissionBackend#ForRef` authoritative change](https://gerrit-review.googlesource.com/c/gerrit/+/288925)
+ introduced a regression where gerrit `internal users` (e.g. plugins) were
+ not taken into consideration when checking READ permission. As consequence
+ the `All-Users.git` repository did not get any of the user's refs replicated
+ to the slaves. After the upgrade it is required to trigger a forced replication
+ of the `All-Users.git` repository manually.
+
+ * Avoid logging ssh exception for __stream is already closed__ when length=0
+ if present in the stacktrace.
+
+ * Adapt Bazel/RBE build to produce Java 11 language level.
+
+ * Make UI experiments configurable from gerrit.config.
+
+ Allows users who upgrade Gerrit to make use of experimental features or
+ temporarily revert to previous behavior in case the new behavior breaks them
+ (e.g. turn off patch-set-level comments in 3.3 which breaks some CI workflows).
+
+ * [Issue 13800](https://bugs.chromium.org/p/gerrit/issues/detail?id=13800)
+ Expose patch set level comment in stream event.
+
+* Documentation Updates
+
+ * Clarify that 'm' push option sets patch set description.
+
+ * Clarify that disk cache metrics require `cache.enableDiskStatMetrics`.
+
+* Dependency Updates
+
+ * Upgrade commons-io to 2.4.
+
+ * Upgrade testcontainers to 1.15.1.