A couple of vulnerabilities have recently been reported. Thanks to Andre
Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
helping with the development of a fix.
CVE-2021-42096 could allow a list member to discover the list admin
CVE-2021-42097 could allow a list member to create a successful CSRF
attack against another list member, enabling takeover of the member's account.
These attacks can't be carried out by non-members so may not be of
concern for sites with only trusted list members.
In any case, I am planning to make a 2.1.35 release and to post a patch
for those who don't want to upgrade to address these issues. This is
scheduled for Tuesday, October 19.
Mark Sapiro <mark(a)msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan