[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Mark Sapiro mark at msapiro.net
Fri Jul 22 12:48:34 EDT 2016

On 07/22/2016 08:55 AM, Perry E. Metzger wrote:
> On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro <mark at msapiro.net>
>> I am not an expert on httpoxy at all, but quoting from
>> <https://httpoxy.org/#top>
>> "httpoxy is a vulnerability for server-side web applications. If
>> you’re not deploying code, you don’t need to worry."
>> Mailman's web UI serves end user HTML pages. It does not deploy
>> code.
> Er, it uses CGI scripts, doesn't it? That's what it means to "deploy
> code" in this context.

That's not the way I read it, but if you think that's the case, then
you've already decided that Mailman 2.1 is vulnerable depending on the
specific web server configuration. GNU Mailman has no control over how
you set up your web server to serve Mailman's CGI output, so your
question should be "is my web server configuration vulnerable?".

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list