[Mailman-Users] Mailman-2.1.x vulnerabilities found

2025-04-29 Thread Ralf Hildebrandt via Mailman-Users
Just received word about those three:

https://github.com/0NYX-MY7H/CVE-2025-43921
-- wasn't able to reproduce on 2.1.39

https://github.com/0NYX-MY7H/CVE-2025-43920
-- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER

https://github.com/0NYX-MY7H/CVE-2025-43919
-- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@mail-archive.com


[Mailman-Users] Re: Mailman-2.1.x vulnerabilities found

2025-04-29 Thread Matthew Pounsett
On Tue, Apr 29, 2025 at 9:32 AM Ralf Hildebrandt via Mailman-Users <
mailman-users@python.org> wrote:

> Just received word about those three:
>
> https://github.com/0NYX-MY7H/CVE-2025-43921
> -- wasn't able to reproduce on 2.1.39
>

Same for me.  All this "exploit" gets me is the list creation page, which
still requires an admin password to execute the creation of the list.


>
> https://github.com/0NYX-MY7H/CVE-2025-43920
> -- wasn't able to reproduce on 2.1.39, due to not using an
> *_EXTERNAL_ARCHIVER
>

Also can't test this one, same reason.


>
> https://github.com/0NYX-MY7H/CVE-2025-43919
> -- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman
>
>
I get back the standard private archives authentication page.

It seems like these exploits were only tested on the cPanel fork of mailman
2.x, but the CVEs are ambiguous on that point.  I'd be interested in
hearing back from the maintainers what they think.  We were already
planning a 3.x migration, and can move faster if we have to, but if this
doesn't affect us we can just proceed on our planned schedule.


[Mailman-Users] Re: Mailman-2.1.x vulnerabilities found

2025-04-29 Thread Mark Sapiro

On 4/29/25 06:31, Ralf Hildebrandt via Mailman-Users wrote:

> Just received word about those three:
>
> https://github.com/0NYX-MY7H/CVE-2025-43921
> -- wasn't able to reproduce on 2.1.39
>
> https://github.com/0NYX-MY7H/CVE-2025-43920
> -- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER
>
> https://github.com/0NYX-MY7H/CVE-2025-43919
> -- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman

They are bogus. CVE-2025-43919 and CVE-2025-43921 ignore the fact that
the attacker would need to provide authentication which the proof of
concept attacks do not do and hence do not work. Thus, there is no
vulnerability.

CVE-2025-43920 relies on a convoluted configuration with an external
archiver and only involves Mailman in the attack as an agent that
forwards a message with a crafted Subject: to the external archiver and
that attack could just as well be carried out by sending the mail to the
archiver directly. There are no plans to address this in Mailman 2.1.

--
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
