[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Jack Hill jackhill at duke.edu
Fri Jul 22 13:08:50 EDT 2016


On Fri, 22 Jul 2016, Mark Sapiro wrote:

> That's not the way I read it, but if you think that's the case, then
> you've already decided that Mailman 2.1 is vulnerable depending on the
> specific web server configuration. GNU Mailman has no control over how
> you set up your web server to serve Mailman's CGI output, so your
> question should be "is my web server configuration vulnerable?".

As I understand it, even with a potentially vulnerable httpd configuration 
(i.e. one that uses the HTTP Proxy: header to set the HTTP_PROXY 
environment variable for CGI scripts) the CGI application needs to make 
outgoing HTTP requests, and check the HTTP_PROXY env var to see if it 
should use a proxy to do so to be affected by httpoxy.

I'm not aware of Mailman 2.1 doing this. If that is correct, then httpoxy 
shouldn't cause problems for us.

Best,
Jack
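
The two preconditions described in the message above, modelled as an added example (not part of the original post and not Mailman code): a server that maps a Proxy request header to HTTP_PROXY, and CGI code that imports an HTTP client which honours that variable. The import scan is a heuristic, and all function names, headers and host names are constructed for illustration.

```python
import re

# Python HTTP client modules that read *_proxy environment variables by default.
PROXY_AWARE_MODULES = {"urllib", "urllib2", "requests"}
IMPORT_RE = re.compile(r"^[ \t]*(?:from\s+([\w.]+)\s+import\b|import\s+(.+))", re.MULTILINE)


def cgi_meta_variables(headers):
    """Map request headers to CGI variables as RFC 3875 describes:
    upper-case the name, replace '-' with '_', prefix with HTTP_."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}


def proxy_aware_imports(source):
    """Heuristic: proxy-aware HTTP client modules imported by a source text."""
    found = set()
    for frm, imp in IMPORT_RE.findall(source):
        names = [frm] if frm else [p.split()[0] for p in imp.split(",") if p.strip()]
        found.update(n.split(".")[0] for n in names)
    return found & PROXY_AWARE_MODULES


def httpoxy_exposed(env, source):
    """Both conditions must hold: the server placed a client-supplied value in
    HTTP_PROXY, and the CGI code uses a client that honours that variable."""
    is_cgi = "GATEWAY_INTERFACE" in env
    return is_cgi and "HTTP_PROXY" in env and bool(proxy_aware_imports(source))


def scrub_cgi_env(env):
    """Return a copy of env without HTTP_PROXY when running under CGI."""
    if "GATEWAY_INTERFACE" not in env:
        return dict(env)
    return {k: v for k, v in env.items() if k != "HTTP_PROXY"}


# Constructed sample input: one request's headers and two small CGI scripts.
SAMPLE_HEADERS = {"Host": "lists.example.org", "Proxy": "http://proxy.example.net:8080"}
SAMPLE_ENV = dict(cgi_meta_variables(SAMPLE_HEADERS), GATEWAY_INTERFACE="CGI/1.1")
SCRIPT_NO_OUTBOUND = "import os\nimport cgi\nprint('Content-Type: text/html')\n"
SCRIPT_OUTBOUND = "import urllib2\nurllib2.urlopen('http://example.org/')\n"

if __name__ == "__main__":
    for label, src in [("no outbound", SCRIPT_NO_OUTBOUND), ("outbound", SCRIPT_OUTBOUND)]:
        print(label, httpoxy_exposed(SAMPLE_ENV, src),
              httpoxy_exposed(scrub_cgi_env(SAMPLE_ENV), src))
```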

