diff -Nru mailman-mhonarc-2.1.39+final/debian/bzr-builder.manifest mailman-mhonarc-2.1.39+final/debian/bzr-builder.manifest
--- mailman-mhonarc-2.1.39+final/debian/bzr-builder.manifest	2023-04-26 21:01:43.000000000 +0000
+++ mailman-mhonarc-2.1.39+final/debian/bzr-builder.manifest	2023-05-22 20:31:22.000000000 +0000
@@ -1,3 +1,3 @@
-# bzr-builder format 0.4 deb-version 2:2.1.39+final-202304262101
-lp:~msapiro/mailman/mhonarc revid:mark@msapiro.net-20230426205154-3dal5ycxfda1gfmx
+# bzr-builder format 0.4 deb-version 2:2.1.39+final-202305222031
+lp:~msapiro/mailman/mhonarc revid:mark@msapiro.net-20230522202645-wh2hnvjjg3qhf638
 merge mailman-mhonarc-ppa-recipe lp:~mailman-administrivia/mailman/mailman-mhonarc-ppa-recipe revid:jimpop@domainmail.org-20200413211845-112w66dv6cf6io6z
diff -Nru mailman-mhonarc-2.1.39+final/debian/changelog mailman-mhonarc-2.1.39+final/debian/changelog
--- mailman-mhonarc-2.1.39+final/debian/changelog	2023-04-26 21:01:43.000000000 +0000
+++ mailman-mhonarc-2.1.39+final/debian/changelog	2023-05-22 20:31:22.000000000 +0000
@@ -1,8 +1,8 @@
-mailman-mhonarc (2:2.1.39+final-202304262101~ubuntu18.04.1) bionic; urgency=low
+mailman-mhonarc (2:2.1.39+final-202305222031~ubuntu18.04.1) bionic; urgency=low
 
   * Auto build.
 
- -- Mailman Administration <mailman-cabal@python.org>  Wed, 26 Apr 2023 21:01:43 +0000
+ -- Mailman Administration <mailman-cabal@python.org>  Mon, 22 May 2023 20:31:22 +0000
 
 mailman-mhonarc (2:2.1.29) unreleased; urgency=medium
 
diff -Nru mailman-mhonarc-2.1.39+final/Mailman/Cgi/options.py mailman-mhonarc-2.1.39+final/Mailman/Cgi/options.py
--- mailman-mhonarc-2.1.39+final/Mailman/Cgi/options.py	2023-04-26 21:01:36.000000000 +0000
+++ mailman-mhonarc-2.1.39+final/Mailman/Cgi/options.py	2023-05-22 20:31:19.000000000 +0000
@@ -194,8 +194,8 @@
             doc.addError(msgd, tag='')
             user = None
         # We get here with a non-None user in the case of a non-member with
-        # private rosters.  user should be None in every case.
-        user = None
+        # private rosters.  This creates a possible membership leak, but we
+        # fix that a different way. See LP: #2017813.
         loginpage(mlist, doc, user, language)
         print doc.Format()
         return
@@ -313,7 +313,7 @@
                 syslog('mischief',
                        'Login failure with private rosters: %s from %s',
                        user, remote)
-                user = None
+                # Don't clear user here. See LP: #2017813.
             # give an HTTP 401 for authentication failure
             if mlist.private_roster == 0:
                 # Only add error with public rosters lp: #2015416
diff -Nru mailman-mhonarc-2.1.39+final/NEWS mailman-mhonarc-2.1.39+final/NEWS
--- mailman-mhonarc-2.1.39+final/NEWS	2023-04-26 21:01:36.000000000 +0000
+++ mailman-mhonarc-2.1.39+final/NEWS	2023-05-22 20:31:19.000000000 +0000
@@ -23,7 +23,7 @@
     - Another possible list membership leak via the user options CGI is fixed.
       (LP: #2015416)
     - Yet another possible list membership leak via the user options CGI is
-      fixed.  (LP:#2017813)
+      fixed.  (LP: #2017813)
 
 2.1.39 (13-Dec-2021)