From the third-party advisory at https://secunia.com/advisories/46886/:
A security issue has been reported in Dovecot, which can be exploited by malicious people to conduct spoofing attacks.
The security issue is caused due the application not properly checking if the "Common Name" field provided inside SSL server certificates matches the requested hostname of a server. This can be exploited to e.g. conduct Man-in-the-Middle (MitM) attacks.
Successful exploitation requires that the application is configured to check for certificates.
The security issue is reported in versions prior to 2.0.16.
@Eray or @net-mail, 2.0.16 is already in the tree. Ok to stabilize it? Thanks.
@security: Please stabilize =net-mail/dovecot-2.0.16. Thank you.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
Second ago; amd64 ok
amd64 done. Thanks Agostino and Michael
Thanks, folks. GLSA Vote: yes.
2.0.16 broken server with vpopmail
from changelog 2.0.17 "vpopmail support was broken in v2.0.16"