On 4/29/25 06:31, Ralf Hildebrandt via Mailman-Users wrote:
Just received word about those three:

https://github.com/0NYX-MY7H/CVE-2025-43921
-- wasn't able to reproduce on 2.1.39

https://github.com/0NYX-MY7H/CVE-2025-43920
-- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER

https://github.com/0NYX-MY7H/CVE-2025-43919
-- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman


They are bogus. CVE-2025-43919 and CVE-2025-43921 ignore the fact that the attacker would need to provide authentication which the proof of concept attacks do not do and hence do not work. Thus, there is no vulnerability.

CVE-2025-43920 relies on a convoluted configuration with an external archiver and only involves Mailman in the attack as an agent that forwards a message with a crafted Subject: to the external archiver and that attack could just as well be carried out by sending the mail to the archiver directly. There are no plans to address this in Mailman 2.1.


--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
   https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@jab.org

Reply via email to