[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Jim Popovitch jimpop at gmail.com
Fri Jul 22 12:04:25 EDT 2016

On Fri, Jul 22, 2016 at 11:57 AM, Perry E. Metzger <perry at piermont.com> wrote:
> On Tue, 19 Jul 2016 17:25:00 -0400 Jim Popovitch <jimpop at gmail.com>
> wrote:
>> On Tue, Jul 19, 2016 at 5:10 PM, Perry E. Metzger
>> <perry at piermont.com> wrote:
>> > https://httpoxy.org/ seems to impact any python program (among
>> > many others) that runs under cgi. Does it cause trouble for
>> > mailman? What is a reasonable mitigation?
>> If I understand the issue correctly (and admittedly it's kinda a new
>> issue) this only affects proxied HTTP transactions, not HTTPS ones.
> That is incorrect, so far as I can tell.

According to httpoxy.org, HTTPS is not affected by HTTP_PROXY statements.

     "And, of course, another defense-in-depth strategy that works is to
      use HTTPS for internal requests, not just for securing your site’s
      connections to the outside world. Those aren’t affected by HTTP_PROXY."

Of course, that's if you are using a very complicated split-mailman
setup (web on one system, other parts on other hosts). If not, then
what in your httpd.conf would be proxying? And if nothing is
proxying, then why haven't you already disabled proxy statements? Are
you running anything else on the mailman server, PHP, etc?

-Jim P.
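
Added example, not part of the original message: a Python sketch of the mechanism httpoxy.org describes and of a strip step for the mitigation question raised in the thread. It models how a web server turns request headers into CGI meta-variables, which proxy a client following the `<SCHEME>_PROXY` convention would pick, and the removal of `HTTP_PROXY` under CGI. The function names, the simplified `proxy_for` model and the sample headers are assumptions made for illustration.

```python
# Added example (not from the thread): models how a web server builds the CGI
# environment and shows the HTTP_PROXY strip step. All names are hypothetical.

def cgi_meta_variables(headers):
    """Header -> meta-variable mapping per RFC 3875: upper-case the name,
    turn '-' into '_', and prefix 'HTTP_'."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}

def build_cgi_environ(headers):
    """Environment a CGI script would see for a request with these headers."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    env.update(cgi_meta_variables(headers))
    return env

def proxy_for(url, environ):
    """Simplified model (assumption) of the <SCHEME>_PROXY convention that
    HTTP client libraries follow when picking a proxy for an outgoing URL."""
    scheme = url.split("://", 1)[0].upper()
    return environ.get(scheme + "_PROXY")

def strip_httpoxy(environ):
    """Return a copy without HTTP_PROXY when the process runs under CGI.
    Outside CGI the variable is operator-set and is left alone."""
    cleaned = dict(environ)
    if "GATEWAY_INTERFACE" in cleaned or "REQUEST_METHOD" in cleaned:
        cleaned.pop("HTTP_PROXY", None)
    return cleaned

# Constructed request headers; 192.0.2.10 is a documentation address.
SAMPLE_HEADERS = {
    "Host": "lists.example.org",
    "Proxy": "http://192.0.2.10:8080",
    "Https-Proxy": "http://192.0.2.10:8080",
}

if __name__ == "__main__":
    env = build_cgi_environ(SAMPLE_HEADERS)
    for label, e in (("raw", env), ("stripped", strip_httpoxy(env))):
        print(label,
              "http ->", proxy_for("http://127.0.0.1/api", e),
              "| https ->", proxy_for("https://127.0.0.1/api", e))
```

In this model a request header can only produce variables that start with `HTTP_`, so `Https-Proxy` becomes `HTTP_HTTPS_PROXY` and never `HTTPS_PROXY`. Dropping the header at the web server before it reaches the CGI script has the same effect as `strip_httpoxy` without touching application code.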

