[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Mark Sapiro mark at msapiro.net
Sat Jul 23 11:33:12 EDT 2016

On 7/23/16 8:19 AM, Perry E. Metzger wrote:
> Well, there are implicit things that use HTTP_PROXY. If mailman makes
> any http requests itself, or calls anything that does, it might cause
> trouble that it is in the environment. I take it that this is *not*
> the case?

Yes. That is not the case. In more than one post in this thread it has
been affirmed that no Mailman 2.1 CGI issues any kind of HTTP request.
They only write HTML to stdout. You can find the code at
if you wish to verify this for yourself.

And, as also has been posted more than once, Mailman 3's web UI
components, Postorius and HyperKitty, are Django WSGI applications, not
CGIs at all.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list