On 4/21/25 10:08, Alan Coopersmith wrote:
3 new CVEs have been published for GNU Mailman 2.1.39, as bundled with cPanel and WHM, credited to Firudin Davudzada and Musazada Aydan.

Note that upstream declared GNU Mailman 2.1 (which requires Python 2) to be end of life back in 2020, and recommends migrations to Mailman 3 (which uses Python 3 instead):
Sadly, a lot of people are stuck with these bundled environments from hosting services where the provider isn't going to provide any kind of upgrade path to Mailman 3. That's neither here nor there as to the vulnerabilities, just an observation (e.g. an open source project I work on gets free mailing list services from Pair Networks, a feature they've deprecated, although they promised at the time not to cut off existing lists. 2.1.39 only...).