Mailman before version 2.1.28 has a vulnerability in the Utils.py:GetPathPieces() function that allows an attacker to submit URLs with long listnames resulting in arbitrary text to be echoed in "No such list" error responses. This can be used to make a potential victim think the phishing text comes from a trusted site.
Created mailman tracking bugs for this issue:
Affects: fedora-all [bug 1609091]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:1054 https://access.redhat.com/errata/RHSA-2020:1054
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):