[Mailman-Users] Is mailman vulnerable to the httpoxy bug?
jackhill at duke.edu
Fri Jul 22 13:08:50 EDT 2016
On Fri, 22 Jul 2016, Mark Sapiro wrote:
> That's not the way I read it, but if you think that's the case, then
> you've already decided that Mailman 2.1 is vulnerable depending on the
> specific web server configuration. GNU Mailman has no control over how
> you set up your web server to serve Mailman's CGI output, so your
> question should be "is my web server configuration vulnerable?".

As I understand it, even with a potentially vulnerable httpd configuration
(i.e. one that uses the HTTP Proxy: header to set the HTTP_PROXY
environment variable for CGI scripts) the CGI application needs to make
outgoing HTTP requests, and check the HTTP_PROXY env var to see if it
should use a proxy to do so to be affected by httpoxy.

I'm not aware of Mailman 2.1 doing this. If that is correct, then httpoxy
shouldn't cause problems for us.
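
The two conditions described in this message can be checked separately. The following is an added example, not part of the original post and not Mailman code. The function names, the list of HTTP client modules and the sample environment are constructed for illustration, and the import scan is only a heuristic.

```python
import re

# Constructed sample: what a CGI script sees when a client sends the header
# "Proxy: http://203.0.113.7:8080" and the server maps headers to HTTP_* vars.
SAMPLE_CGI_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "lists.example.org",
    "HTTP_PROXY": "http://203.0.113.7:8080",
}

# Heuristic (assumed list): imports that suggest outgoing HTTP requests.
HTTP_CLIENT_RE = re.compile(
    r"^\s*(?:import|from)\s+(urllib2|urllib\.request|httplib|http\.client|requests)\b",
    re.MULTILINE,
)


def header_derived_proxy(environ):
    """Condition 1: HTTP_PROXY is present while running under CGI, so it may
    have been set from the client's Proxy: header."""
    under_cgi = "GATEWAY_INTERFACE" in environ or "REQUEST_METHOD" in environ
    return environ.get("HTTP_PROXY") if under_cgi else None


def outbound_http_clients(source):
    """Condition 2 (heuristic): HTTP client modules imported by the script."""
    return sorted(set(HTTP_CLIENT_RE.findall(source)))


def assess(environ, source):
    """Both conditions must hold for the script to be affected."""
    if header_derived_proxy(environ) is None:
        return "not exposed"
    if not outbound_http_clients(source):
        return "exposed but unused"
    return "affected"


def scrub(environ):
    """Mitigation inside the script: drop the header-derived variable before
    any HTTP client library can read it."""
    clean = dict(environ)
    if header_derived_proxy(clean) is not None:
        del clean["HTTP_PROXY"]
    return clean
```

A script that imports no HTTP client is reported as "exposed but unused", which corresponds to the case the message describes: the variable is set but nothing reads it.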