[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Jim Popovitch jimpop at gmail.com
Tue Jul 19 17:25:00 EDT 2016

On Tue, Jul 19, 2016 at 5:10 PM, Perry E. Metzger <perry at piermont.com> wrote:
> https://httpoxy.org/ seems to impact any python program (among many
> others) that runs under cgi. Does it cause trouble for mailman? What
> is a reasonable mitigation?

If I understand the issue correctly (and admittedly It's kinda a new
issue) this only affects proxied HTTP transactions, not HTTPS ones.
Most mailman installations should be running HTTPS in order to protect
user data, if not now is a good time to do so.

It's worth pointing out that if you are using nginx with mailman that
this only affects you if you are using fastcgi.  It does not seem to
affect you if you are using nginx+uwsgi+mailman.

-Jim P.

More information about the Mailman-Users mailing list