[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Perry E. Metzger perry at piermont.com
Fri Jul 22 11:55:32 EDT 2016

On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro <mark at msapiro.net>
> On 07/19/2016 02:10 PM, Perry E. Metzger wrote:
> > https://httpoxy.org/ seems to impact any python program (among
> > many others) that runs under cgi. Does it cause trouble for
> > mailman? What is a reasonable mitigation?  
> I am not an expert on httpoxy at all, but quoting from
> <https://httpoxy.org/#top>
> "httpoxy is a vulnerability for server-side web applications. If
> you’re not deploying code, you don’t need to worry."
> Mailman's web UI serves end user HTML pages. It does not deploy
> code.

Er, it uses CGI scripts, doesn't it? That's what it means to "deploy
code" in this context.

Perry E. Metzger		perry at piermont.com

More information about the Mailman-Users mailing list