On Tue, Apr 29, 2025 at 9:32 AM Ralf Hildebrandt via Mailman-Users <
[email protected]> wrote:

> Just received word about those three:
>
> https://github.com/0NYX-MY7H/CVE-2025-43921
> -- wasn't able to reproduce on 2.1.39
>

Same for me.  All this "exploit" gets me is the list creation page, which
still requires an admin password to execute the creation of the list.


>
> https://github.com/0NYX-MY7H/CVE-2025-43920
> -- wasn't able to reproduce on 2.1.39, due to not using an
> *_EXTERNAL_ARCHIVER
>

Also can't test this one, same reason.


>
> https://github.com/0NYX-MY7H/CVE-2025-43919
> -- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman
>
>
I get back the standard private archives authentication page.

It seems like these exploits were only tested on the cPanel fork of mailman
2.x, but the CVEs are ambiguous on that point.  I'd be interested in
hearing back from the maintainers what they think.  We were already
planning a 3.x migration, and can move faster if we have to, but if this
doesn't affect us we can just proceed on our planned schedule.
------------------------------------------------------
Mailman-Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/[email protected]/
    https://mail.python.org/archives/list/[email protected]/
Member address: [email protected]