Article 6WZH7 [$] The mystery of the Mailman 2 CVEs

by jzb from LWN.net on (#6WZH7)

Many eyebrows were raised recently when three vulnerabilities were announced that allegedly impact GNU Mailman 2.1, since many folks assumed that it was no longer being supported. That's not quite the case. Even though version 3 of the GNU Mailman mailing-list manager has been available since 2015, and version 2 was declared (mostly) end of life (EOL) in 2020, there are still plenty of users and projects still using version 2.1.x. There is, as it turns out, a big difference between mostly EOL and actually EOL. For example: WebPros, the company behind the cPanel server and web-site-management platform, still maintains a port of Mailman 2.1.x to Python 3 for its customers and was quick to respond to reports of vulnerabilities. However, the company and upstream Mailman project dispute that the CVEs are valid.
