[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Sat Jul 23 18:26:30 EDT 2016


Perry E. Metzger writes:

 > > Note the *in a server-side CGI*.  AFAICS, we're done: we're safe.
 > 
 > You're misinterpreting. The issue is that some server side systems
 > also use web APIs of various kinds.
 > 
 > > Mailman (as we distribute it) doesn't make *outgoing* HTTP
 > > connections, it sends responses to incoming requests.
 > 
 > So that makes it invulnerable, yes.

Note that in my post, my three sentences above were one paragraph.  So
I wasn't misinterpreting after all.  I know you're trying to help, but
this is just FUD.  The same is true for the WSGI applications.  "Pure"
WSGI applications like Postorius and HyperKitty don't use CGIHandler.

 > What I meant was that you can do things on the web server side like
 > altering your handling of http_proxy (which is what I did on my web
 > servers as soon as this came out).

Sure, but that is covered by Mark's point that it's the rest of the
webserver configuration that site admins should worry about.

If you want to do people a favor, explain the necessary configuration
magic for the webservers you use.  That will protect them, both
Mailman from the vanishing probability that there's something in
Mailman that makes HTTP requests that we don't know about, as well as
any other CGI applications that they happen to run.
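As an added illustration of the mechanism this thread is about (example code, not from the Mailman project or from anyone in the thread): a CGI gateway copies a client's "Proxy" request header into the environment as HTTP_PROXY, the variable many HTTP client libraries read for their outbound proxy, and a small WSGI middleware can drop it, with a log line, before anything downstream makes an outgoing request. The header values, hostname and proxy URL below are constructed.

```python
from typing import Callable, Dict, Iterable, List, Tuple

def cgi_environ_from_headers(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Mimic the RFC 3875 rule a CGI gateway applies: every request header
    becomes HTTP_<NAME>, uppercased, with '-' turned into '_'.  A client
    header "Proxy: x" therefore lands in the environment as HTTP_PROXY."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def scrub_httpoxy(environ: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (clean_environ, removed_values).  HTTP_PROXY is dropped only in a
    CGI-style environ (REQUEST_METHOD present), where it can only have come
    from the client's header; elsewhere it may be a legitimate operator setting."""
    clean = dict(environ)
    removed: List[str] = []
    if "REQUEST_METHOD" in clean and "HTTP_PROXY" in clean:
        removed.append(clean.pop("HTTP_PROXY"))
    return clean, removed

class HttpoxyGuard:
    """WSGI middleware: scrub the environ before the wrapped app (or any HTTP
    client library it calls) can mistake HTTP_PROXY for a proxy setting."""
    def __init__(self, app: Callable, log: Callable[[str], None] = print) -> None:
        self.app, self.log = app, log
    def __call__(self, environ: Dict[str, str], start_response: Callable) -> Iterable[bytes]:
        clean, removed = scrub_httpoxy(environ)
        for value in removed:  # worth logging: a benign client never sends this header
            self.log("dropped client-supplied HTTP_PROXY=%r" % value)
        return self.app(clean, start_response)

def echo_proxy_app(environ, start_response):
    """Toy app standing in for a server-side component that makes outbound HTTP
    calls; it reports which proxy setting it would have picked up."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("HTTP_PROXY", "<no proxy>").encode()]

def run(app, headers: Dict[str, str]) -> bytes:
    """Drive a WSGI app with a constructed CGI-style request; return the body."""
    status: List[str] = []
    body = app(cgi_environ_from_headers(headers), lambda s, h: status.append(s))
    return b"".join(body)

if __name__ == "__main__":
    hostile = {"Host": "lists.example.org", "Proxy": "http://203.0.113.10:8080"}  # constructed
    print(run(echo_proxy_app, hostile))                 # b'http://203.0.113.10:8080'
    print(run(HttpoxyGuard(echo_proxy_app), hostile))   # b'<no proxy>'
```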