Mats Wichmann <m...@wichmann.us> writes:
> On 4/21/25 10:08, Alan Coopersmith wrote:

>> 3 new CVEs have been published for GNU Mailman 2.1.39, as bundled with
>> cPanel and WHM, credited to Firudin Davudzada and Musazada Aydan. Note
>> that upstream declared GNU Mailman 2.1 (which requires Python 2), to be
>> end of life back in 2020, and recommends migrations to Mailman 3 (which
>> uses Python 3 instead):

> Sadly, a lot of people are stuck with these bundled environments from
> hosting services where the provider isn't going to provide any kind of
> upgrade path to Mailman 3.

Also, I would not really describe Mailman 3 as an upgrade from Mailman 2.
It is a different mailing list manager with a different architecture,
different dependencies, a much different UI, a different archiving system,
a completely different authentication mechanism, etc. It's essentially a
different piece of software that has a roughly similar feature set and
automated migration tools for Mailman 2.

For planning purposes, it's probably more realistic to view Mailman 2 as
orphaned, end-of-life software with known security vulnerabilities that
will require a major migration to retire. Mailman 3 has some useful
support for that migration and a similar feature set, so it's a good
candidate for a new mailing list manager to migrate to, but (speaking from
personal experience) that's what the experience is like: migrating to an
entirely new mailing list manager.

People will probably want to do some due diligence first to see if they
want to migrate to a different mailing list manager instead, want to
separate archiving from mailing list management (there are now a bunch of
good archiving tools that don't also need to manage the list), and so
forth.

--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>