On Tue, Apr 29, 2025 at 9:32 AM Ralf Hildebrandt via Mailman-Users < mailman-users@python.org> wrote:
Just received word about those three:
https://github.com/0NYX-MY7H/CVE-2025-43921 -- wasn't able to reproduce on 2.1.39
Same for me. All this "exploit" gets me is the list creation page, which still requires an admin password to execute the creation of the list.
https://github.com/0NYX-MY7H/CVE-2025-43920 -- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER
Also can't test this one, same reason.
https://github.com/0NYX-MY7H/CVE-2025-43919 -- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman
I get back the standard private archives authentication page.
It seems like these exploits were only tested on the cPanel fork of mailman 2.x, but the CVEs are ambiguous on that point. I'd be interested in hearing back from the maintainers what they think. We were already planning a 3.x migration, and can move faster if we have to, but if this doesn't affect us we can just proceed on our planned schedule. <matt@conundrum.com>