[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

'lesleyb' lesleyb at herlug.org.uk
Wed Jul 20 05:52:57 EDT 2016


On Tue, Jul 19, 2016 at 05:25:00PM -0400, Jim Popovitch wrote:
> On Tue, Jul 19, 2016 at 5:10 PM, Perry E. Metzger <perry at piermont.com> wrote:
> > https://httpoxy.org/ seems to impact any python program (among many
> > others) that runs under cgi. Does it cause trouble for mailman? What
> > is a reasonable mitigation?
> 
> If I understand the issue correctly (and admittedly it's kinda a new
> issue) this only affects proxied HTTP transactions, not HTTPS ones.
> Most mailman installations should be running HTTPS in order to protect
> user data; if not, now is a good time to do so.
I wouldn't say it's new; it was first detected in 2001 [1].
> 
> It's worth pointing out that if you are using nginx with mailman that
> this only affects you if you are using fastcgi.  It does not seem to
> affect you if you are using nginx+uwsgi+mailman.
> 
For anyone concerned, I suggest you take a look at [2] to decide what to
do.  The exploit involves HTTP_PROXY and the fix does depend on what you're
using at the server end. Almost all work on the basis of unsetting any Proxy:
header as early as possible in request processing.


Good luck

Lesley
[1] https://httpoxy.org/#history
[2] https://httpoxy.org/#fix-now

> -Jim P.
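The mechanism behind the thread, shown as an added example rather than code from the thread or from Mailman: a CGI gateway copies request headers into the script's environment as HTTP_<NAME>, so a request header named Proxy becomes HTTP_PROXY, which some HTTP client libraries read as their outbound proxy setting. The two mitigations from the httpoxy fix page are modelled here as a header filter applied before the CGI mapping (the "as early as possible" fix) and an environment scrub a CGI script can run before it loads any HTTP client. The request headers, hostnames and proxy URLs are constructed sample values; none of the names come from the original post.

```python
"""Added example, not from the Mailman thread: CGI header -> environment
mapping, and two defender-side mitigations for the Proxy header.

All header sets and URLs below are constructed sample data."""
import os
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# Constructed sample requests: one ordinary, one carrying a Proxy header.
NORMAL_REQUEST: List[Header] = [
    ("Host", "lists.example.org"),
    ("User-Agent", "curl/7.0 (constructed)"),
]
PROXY_REQUEST: List[Header] = NORMAL_REQUEST + [("Proxy", "http://proxy.invalid:8080")]

# Operator-configured proxy (lowercase), as a sysadmin might set it in the
# service's environment. This must survive any scrubbing.
BASE_ENV: Dict[str, str] = {
    "REQUEST_METHOD": "GET",
    "http_proxy": "http://corp-proxy.internal:3128",
}


def cgi_meta_name(header: str) -> str:
    """RFC 3875 rule: uppercase the header name, turn '-' into '_' and
    prefix HTTP_. Content-Type and Content-Length are the two spec
    exceptions and get no HTTP_ prefix."""
    name = header.strip().upper().replace("-", "_")
    if name in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return name
    return "HTTP_" + name


def build_cgi_environ(headers: Iterable[Header],
                      base: Dict[str, str] = None) -> Dict[str, str]:
    """Simulate what a web server hands a CGI script: the base process
    environment plus one HTTP_* variable per request header. A 'Proxy'
    header lands here as HTTP_PROXY, which is the whole problem."""
    env = dict(base or {})
    for name, value in headers:
        env[cgi_meta_name(name)] = value
    return env


def strip_proxy_header(headers: Iterable[Header]) -> List[Header]:
    """Mitigation 1 (server side, earliest point): drop any Proxy header
    before the CGI mapping runs. Header names are case-insensitive, so
    compare lower-cased."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def scrub_cgi_environ(env: Dict[str, str]) -> Dict[str, str]:
    """Mitigation 2 (application side): remove the header-derived
    HTTP_PROXY. Only the exact uppercase name is removed; an operator's
    lowercase http_proxy setting is left in place."""
    return {k: v for k, v in env.items() if k != "HTTP_PROXY"}


def scrub_os_environ() -> bool:
    """In-place version of scrub_cgi_environ for a real CGI script: call it
    first thing, before importing any HTTP client library. Returns True if
    an HTTP_PROXY variable was present and removed."""
    return os.environ.pop("HTTP_PROXY", None) is not None


def has_proxy_header(headers: Iterable[Header]) -> bool:
    """Detection hook: a client has no legitimate reason to send a Proxy
    header, so log or alert on requests that carry one."""
    return any(n.strip().lower() == "proxy" for n, _ in headers)


if __name__ == "__main__":
    raw = build_cgi_environ(PROXY_REQUEST, BASE_ENV)
    print("unmitigated HTTP_PROXY =", raw.get("HTTP_PROXY"))
    print("after header strip     =",
          build_cgi_environ(strip_proxy_header(PROXY_REQUEST), BASE_ENV).get("HTTP_PROXY"))
    print("after env scrub        =", scrub_cgi_environ(raw).get("HTTP_PROXY"))
    print("suspicious request?    =", has_proxy_header(PROXY_REQUEST))
```

Which of the two mitigations applies depends, as the post says, on the server end: the header filter is what the Apache and nginx snippets on the httpoxy fix page do, while the environment scrub is the fallback when you control only the script. Note that newer Python releases' urllib already ignore an uppercase HTTP_PROXY when REQUEST_METHOD is present in the environment, but other HTTP client libraries a CGI script might use do not necessarily share that behaviour.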
