
Aug. 7, 2023
10:03 a.m.
Hi!

I released devpi-ldap 2.1.1 with a potentially security-relevant fix.

If ``user_search`` or ``group_search`` is configured, it may be possible to trigger an LDAP search exploit. The original reporter got a traceback, but it may be possible to craft a username that bypasses the old incomplete escaping of special characters which was only used for the user search, but not the follow-up search that is triggered in some cases.

Regards,
Florian Schulze
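The announcement above turns on escaping being applied to the user search but not to the follow-up search. As an added example (not code from devpi-ldap or from the announcement), the sketch below applies RFC 4515 escaping to every value substituted into a filter and checks that the filter structure is unchanged; the function names, filter templates and sample inputs are assumptions constructed for illustration.

```python
# Added example, not devpi-ldap code: names, templates and inputs are constructed.

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value in a single pass, so backslashes are not double-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, **values: str) -> str:
    """Fill a filter template, escaping every substituted value without exception."""
    return template.format(**{k: escape_filter_value(v) for k, v in values.items()})


def skeleton(ldap_filter: str) -> str:
    """Return only the unescaped metacharacters, i.e. the structure the server parses."""
    return "".join(ch for ch in ldap_filter if ch in "()*")


# Constructed templates for a user search and the follow-up group search.
USER_TEMPLATE = "(&(objectClass=user)(uid={username}))"
GROUP_TEMPLATE = "(&(objectClass=group)(member={userdn}))"


def demo():
    # Constructed inputs: a login name and a directory-returned DN that both
    # contain characters with special meaning in a filter.
    username = "j(doe)*"
    userdn = r"CN=Doe\, Jane (Ops),OU=People,DC=example,DC=org"
    user_filter = build_filter(USER_TEMPLATE, username=username)
    group_filter = build_filter(GROUP_TEMPLATE, userdn=userdn)
    # The structure must match the template filled with a harmless value.
    assert skeleton(user_filter) == skeleton(USER_TEMPLATE.format(username="x"))
    assert skeleton(group_filter) == skeleton(GROUP_TEMPLATE.format(userdn="x"))
    return user_filter, group_filter


if __name__ == "__main__":
    for built in demo():
        print(built)
```

In real code, prefer the LDAP library's own helper (for example `escape_filter_chars` in `ldap3.utils.conv`) over a hand-written table, and route the follow-up search through the same builder as the first.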