On 4/29/25 06:31, Ralf Hildebrandt via Mailman-Users wrote:
Just received word about those three:
https://github.com/0NYX-MY7H/CVE-2025-43921 -- wasn't able to reproduce on 2.1.39
https://github.com/0NYX-MY7H/CVE-2025-43920 -- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER
https://github.com/0NYX-MY7H/CVE-2025-43919 -- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman
They are bogus. CVE-2025-43919 and CVE-2025-43921 ignore the fact that the attacker would need to provide authentication which the proof of concept attacks do not do and hence do not work. Thus, there is no vulnerability.
CVE-2025-43920 relies on a convoluted configuration with an external archiver and only involves Mailman in the attack as an agent that forwards a message with a crafted Subject: to the external archiver and that attack could just as well be carried out by sending the mail to the archiver directly. There are no plans to address this in Mailman 2.1.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan