SECURITY:
[Composer] CVE-2021-29472 command injection vulnerability.

NEW:
[admin] collect() now accepts domains for $site parameter.
[Bootstrapper] sshd_permit_root_login, fine tune always permitting or rejecting root login.
[cgroup] CPU pinning via cpupin service variable.
[cgroup] Freezer support, cgroup:freeze($anything). Freezing a site immediately suspends any userspace code for the affected site. Compare with suspending an account, which allows userspace code to complete but does not permit further logins or site interactivity.
[Dashboard] User Administrators may now unban selves when [rampart] => user_discovery=true (default=True).
[Nexus] Resource sorting.
[Settings] "external opener" feature now configurable under Account > Settings > Theme.
[Web Apps] Default update notification policy configurable via [webapps] => notify_update.

FIXED:
[Aliases] Removing a domain from aliases,aliasesd preserves the domain in the account's domainmap.
[apnscpd] Backend boundary writes result in hang.
[Argos] ruamel incompatibility on CentOS 7.
[Bootstrapper] Dormant IPv4/6 configuration.
[Datastream] Incomplete writes on transitional buffers that would result in a hang.
[email] Renaming an inbox for a non-numeric destination performs an incorrect default substitution.
[PageSpeed] TTFB response variable renamed.
[PHP] Creating a site without a dedicated webuser prevents switching to one later.
[rspamd] Dictionary key interpolation breaks resulting in literal templated key writes.
[Scopes] apache.system-directive strips surrounding whitespace.
[UI] invalid null coalescence check break comparison.
[Web Apps] Circular references restrict snapshot intake.
[Web Apps] Busted transient property check.
[Web Apps] Bogus index checks results in duplicate listings.
[Web Apps] Various transient property checks.

CHANGED:
[apnscp] Additional checks to confirm frontend responsiveness on restart via cp.restart.
[apnscp] Apply restart synchronously.
[apnscp.js] apnscp.highlight() supports live binding events.
[build] disable apnscp repos at dessication stage. Prevents false alarms during image checks from unreachable repos.
[Dovecot] 2.3 compatibility
[helpers] deferred() is now queue-based working off an SplStack-derived class, \Deferred.
[FTP] user_enabled() checks [ftp] => enabled.
[Metrics] TimescaleDB v2 compatibility.
[multiPHP] Prevent multiPHP builds that duplicate system_php_version.
[Network] my_ip()- cleanup output when multiple records are returned from NAT'd interface.
[Nexus] memory usage normalized to site configuration in Nexus.
[rampart] User Administrators may now query is_banned(). Corresponding Dashboard feature added.
[Storage Usage] include /tmp in storage list.
[Theme] @lang macro is now reserved.
[UI] Improve "Select"  verbiage.
[WordPress] Raise WP-CLI memory limit from 128 => 256 (constrained by cgroup usage) to allow large WooCommerce catalogs to update.
[WordPress] wp-content/cache/ fortified in max mode. Create directory automatically to facilitate usage

REMOVED:
[cgroup] Cleanup API requirement of passing afi instance on account import.
[Dispatcher] Handling of svg/css/js/png requests, ~25% speedup.
[file] Top-level pollution courtesy a naieve caching strategy.
This tag has no release notes.