[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Perry E. Metzger perry at piermont.com
Fri Jul 22 11:55:32 EDT 2016


On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro <mark at msapiro.net>
wrote:
> On 07/19/2016 02:10 PM, Perry E. Metzger wrote:
> > https://httpoxy.org/ seems to impact any python program (among
> > many others) that runs under cgi. Does it cause trouble for
> > mailman? What is a reasonable mitigation?  
> 
> 
> I am not an expert on httpoxy at all, but quoting from
> <https://httpoxy.org/#top>
> 
> "httpoxy is a vulnerability for server-side web applications. If
> you’re not deploying code, you don’t need to worry."
> 
> Mailman's web UI serves end user HTML pages. It does not deploy
> code.
> 

Er, it uses CGI scripts, doesn't it? That's what it means to "deploy
code" in this context.

Perry
-- 
Perry E. Metzger		perry at piermont.com
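
One possible answer to the mitigation question asked in this thread, as an added example that is not part of the original messages and is not Mailman code: under CGI (RFC 3875) a request header `Proxy:` reaches the script as the environment variable `HTTP_PROXY`, which many HTTP client libraries read as their outbound proxy setting, so a Python CGI script can drop that variable before anything else runs. The function names and sample environments are hypothetical and constructed for illustration.

```python
import os
import sys

HEADER_DERIVED = "HTTP_PROXY"  # what a request header "Proxy:" becomes under CGI


def is_cgi(environ):
    # RFC 3875 servers set GATEWAY_INTERFACE (e.g. "CGI/1.1") on every CGI request.
    return environ.get("GATEWAY_INTERFACE", "").upper().startswith("CGI/")


def harden_cgi_environ(environ=None, log=sys.stderr):
    """Drop a request-supplied HTTP_PROXY from a CGI environment, in place.

    Returns the removed value, or None when nothing was removed.
    Outside CGI the variable is operator configuration and is left alone.
    """
    if environ is None:
        environ = os.environ
    if not is_cgi(environ):
        return None
    value = environ.pop(HEADER_DERIVED, None)
    if value is not None:
        # Keep a trace for the web server error log so attempts are visible.
        log.write("httpoxy guard: dropped HTTP_PROXY=%r (client %s)\n"
                  % (value, environ.get("REMOTE_ADDR", "unknown")))
    return value


# Constructed sample environments (not captured from a real server).
SAMPLE_CGI_REQUEST = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    "REMOTE_ADDR": "192.0.2.10",
    "HTTP_HOST": "lists.example.org",
    "HTTP_PROXY": "http://198.51.100.7:8080",  # came from a "Proxy:" header
    "http_proxy": "http://proxy.internal.example:3128",  # set by the operator
}
SAMPLE_SHELL = {"HTTP_PROXY": "http://proxy.internal.example:3128"}

if __name__ == "__main__":
    env = dict(SAMPLE_CGI_REQUEST)
    print("removed:", harden_cgi_environ(env))
    print("remaining proxy vars:", [k for k in env if k.lower() == "http_proxy"])
```

Calling `harden_cgi_environ()` with no arguments at the top of a CGI script applies the same check to `os.environ`; stripping the `Proxy` request header at the web server covers every script at once.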