The mystery of the Mailman 2 CVEs
Many eyebrows were raised recently when three vulnerabilities were announced
that allegedly impact GNU Mailman (https://www.gnu.org/software/mailman/) 2.1,
since many folks assumed that it was no longer being supported. That's
not quite the case. Even though version 3
(https://wiki.list.org/DEV/Mailman%203.0) of the GNU Mailman mailing-list
manager has been available since 2015, and version 2 was declared (mostly)
end of life (EOL) in 2020, there are plenty of users and projects still
using version 2.1.x. There is, as it turns out, a big difference between
mostly EOL and actually EOL. For example, WebPros (https://www.webpros.com/),
which offers a server and web-site-management platform, still maintains a
port of Mailman 2.1.x to Python 3 for its customers and was
quick to respond to reports of vulnerabilities. However, the
company and upstream Mailman project dispute that the CVEs are
valid.