We at cPanel have investigated these claimed vulnerabilities, both internally
and via third-party subject-matter experts. We are unable to reproduce the
claims using the information provided by the reporter. We do not consider these
vulnerabilities to be valid, and we’re in the process of disput
On Mon, 2025-04-21 at 20:45 +0300, Valtteri Vuorikoski wrote:
>
> So at the moment it seems to me that the correct interpretation is c). Hard to
> tell because the modified source doesn't seem to be available despite Mailman
> being GPL. Maybe someone needs to ask cPanel LLC to mail them a C
Mats Wichmann writes:
> On 4/21/25 10:08, Alan Coopersmith wrote:
>> 3 new CVEs have been published for GNU Mailman 2.1.39, as bundled with
>> cPanel and WHM, credited to Firudin Davudzada and Musazada Aydan. Note
>> that upstream declared GNU Mailman 2.1 (which requires Python 2) to be
>> end
On Mon, Apr 21, 2025 at 12:52:24PM -0400, Thomas Ward wrote:
> Direct quoting the CVE:
>
> > *Affected Software:* GNU Mailman 2.1.39 (bundled with cPanel/WHM)
>
> I think that this would be a modified bundled version based on "Affected
> Software" specifically mentioning the GNU Mailman 2.1.39 th
On 4/21/25 10:08, Alan Coopersmith wrote:
3 new CVEs have been published for GNU Mailman 2.1.39, as bundled with cPanel
and WHM, credited to Firudin Davudzada and Musazada Aydan.
Note that upstream declared GNU Mailman 2.1 (which requires Python 2) to be
end of life back in 2020, and recomm
On 2025-04-21 12:48, Valtteri Vuorikoski wrote:
Are these vulnerabilities due to modifications made by the vendor (cPanel LLC)
to their distributed version?
-Valtteri
Direct quoting the CVE:
*Affected Software:* GNU Mailman 2.1.39 (bundled with cPanel/WHM)
I think that this would be a m
On Mon, Apr 21, 2025 at 09:08:33AM -0700, Alan Coopersmith wrote:
> 3 new CVEs have been published for GNU Mailman 2.1.39, as bundled with cPanel
> and WHM, credited to Firudin Davudzada and Musazada Aydan.
>
> CVE-2025-43919: Directory Traversal in GNU Mailman 2.1.39 (cPanel/WHM Bundle)
> Detail
3 new CVEs have been published for GNU Mailman 2.1.39, as bundled with cPanel
and WHM, credited to Firudin Davudzada and Musazada Aydan.
Note that upstream declared GNU Mailman 2.1 (which requires Python 2) to be
end of life back in 2020, and recommends migrations to Mailman 3 (which
uses Pytho