The only supported version is the latest minor version released. As soon as a new minor version is released, support for the older one drops.
In order to report a security vulnerability, please contact me at [email protected]. Use GPG if possible.
If the vulnerability is confirmed, I will work on a fix and a new version as soon as possible. Since maintaining this package isn't my day job, this could take a few days.