
On 07/22/2016 08:55 AM, Perry E. Metzger wrote:
> On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro <mark@msapiro.net>
>> I am not an expert on httpoxy at all, but quoting from <https://httpoxy.org/#top>
>>
>> "httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry."
>>
>> Mailman's web UI serves end user HTML pages. It does not deploy code.
>
> Er, it uses CGI scripts, doesn't it? That's what it means to "deploy code" in this context.

That's not the way I read it, but if you think that's the case, then you've already decided that Mailman 2.1 is vulnerable depending on the specific web server configuration. GNU Mailman has no control over how you set up your web server to serve Mailman's CGI output, so your question should be "is my web server configuration vulnerable?".
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
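
Added example, not part of the original message and not Mailman or web server code: a Python model of the CGI header-to-environment mapping (RFC 3875) behind httpoxy, showing that whether a CGI script sees a client-supplied `HTTP_PROXY` depends on whether the web server drops the `Proxy` request header first. The function names, host names and header values are constructed for illustration.

```python
"""Model of the RFC 3875 request-header to HTTP_* mapping (constructed example)."""


def cgi_meta_variables(request_headers, drop_headers=()):
    """Build the HTTP_* variables a CGI script would receive.

    RFC 3875 section 4.1.18: the header name is upper-cased, '-' becomes '_',
    and 'HTTP_' is prepended. drop_headers models a web server configured to
    remove those headers before the script runs (case-insensitive match).
    Simplification: Content-Type/Content-Length special cases are not modelled.
    """
    dropped = {name.lower() for name in drop_headers}
    env = {}
    for name, value in request_headers:
        if name.lower() in dropped:
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def client_controlled_proxy(env):
    """Return the HTTP_PROXY value that came from the request, or None."""
    return env.get("HTTP_PROXY")


# Constructed sample request; both host names are placeholders.
SAMPLE_HEADERS = [
    ("Host", "lists.example.org"),
    ("User-Agent", "constructed-test"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]


def audit(headers):
    """Compare a pass-through server with one that drops the Proxy header."""
    return {
        "pass_through": client_controlled_proxy(cgi_meta_variables(headers)),
        "proxy_dropped": client_controlled_proxy(
            cgi_meta_variables(headers, drop_headers=["Proxy"])
        ),
    }


if __name__ == "__main__":
    for config, value in audit(SAMPLE_HEADERS).items():
        state = "HTTP_PROXY=%s" % value if value else "HTTP_PROXY not set"
        print("%-14s %s" % (config, state))
```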