On 4/29/25 06:31, Ralf Hildebrandt via Mailman-Users wrote:
Just received word about those three:
https://github.com/0NYX-MY7H/CVE-2025-43921
-- wasn't able to reproduce on 2.1.39
https://github.com/0NYX-MY7H/CVE-2025-43920
-- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER
https://github.com/0NYX-MY7H/CVE-2025-43919
-- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman
They are bogus. CVE-2025-43919 and CVE-2025-43921 ignore the fact that
the attacker would need to provide authentication which the proof of
concept attacks do not do and hence do not work. Thus, there is no
vulnerability.
CVE-2025-43920 relies on a convoluted configuration with an external
archiver and only involves Mailman in the attack as an agent that
forwards a message with a crafted Subject: to the external archiver and
that attack could just as well be carried out by sending the mail to the
archiver directly. There are no plans to address this in Mailman 2.1.
--
Mark Sapiro <m...@msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@jab.org