2.1.35 (19-Oct-2021)

  Security

    - A potential for for a list member to carry out an off-line brute force
      attack to obtain the list admin password has been reported by Andre
      Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.
      CVE-2021-42096  (LP:#1947639)

    - A CSRF attack via the user options page could allow takeover of a users
      account.  This is fixed.  CVE-2021-42097  (LP:#1947640)

  Bug Fixes and other patches

    - Fixed an issue where sometimes the wrapper message for DMARC mitigation
      Wrap Message has no Subject:.  (LP: #1915655)

    - Plain text message bodies with Content-Disposition: and no declared
      charset are no longer scrubbed.  (LP: #1917968)

    - CommandRunner now recodes message bodies in the charset of the user's
      or list's language to avoid a possible UnicodeError when including the
      message body in the reply.  (LP: #1921682)

    - Delivery disabled by bounce notices to admins now have 'disabled'
      properly translated.  (LP: #1922843)

    - DMARC policy discovery ignores domains with multiple DMARC records per
      RFC 7849,  (LP: 1931029)