On Tue, Jul 19, 2016 at 05:25:00PM -0400, Jim Popovitch wrote:
> On Tue, Jul 19, 2016 at 5:10 PM, Perry E. Metzger <[email protected]> wrote:
> > https://httpoxy.org/ seems to impact any python program (among many
> > others) that runs under cgi. Does it cause trouble for mailman? What
> > is a reasonable mitigation?
>
> If I understand the issue correctly (and admittedly it's kinda a new
> issue) this only affects proxied HTTP transactions, not HTTPS ones.
> Most mailman installations should be running HTTPS in order to protect
> user data; if not, now is a good time to do so.

I wouldn't say it's new; it was first detected in 2001 [1].

> It's worth pointing out that if you are using nginx with mailman that
> this only affects you if you are using fastcgi. It does not seem to
> affect you if you are using nginx+uwsgi+mailman.
>

For anyone concerned, I suggest you take a look at [2] to decide what to do.
The exploit involves HTTP_PROXY and the fix does depend on what you're using
at the server end. Almost all work on the basis of unsetting any Proxy:
header as early as possible in request processing.

Good luck

Lesley

[1] https://httpoxy.org/#history
[2] https://httpoxy.org/#fix-now

> -Jim P.
> ------------------------------------------------------
> Mailman-Users mailing list [email protected]
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe:
> https://mail.python.org/mailman/options/mailman-users/lesleyb%40herlug.org.uk
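Added example illustrating the mechanism and the two mitigation points the thread describes (this is not Mailman code nor code from httpoxy.org): how a CGI gateway turns a client-supplied `Proxy:` header into an `HTTP_PROXY` variable, a check that tells you whether a CGI environment is exposed, and the fix at the server (strip the header early) beside the fix inside the application (ignore `HTTP_PROXY` when running as CGI). The header names, hostnames and function names are constructed for the demo.

```python
"""Constructed demonstration of the httpoxy header-to-environment collision."""


def cgi_environ(method, headers):
    """Build the CGI meta-variables a gateway derives from a request:
    REQUEST_METHOD plus one HTTP_<NAME> variable per request header
    (RFC 3875 rule: uppercase, '-' replaced by '_')."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers):
    """Server-side mitigation: drop any Proxy header before the request
    reaches CGI, so an HTTP_PROXY variable is never created."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def naive_http_proxy(environ):
    """Pre-fix client behaviour: trust HTTP_PROXY wherever it comes from."""
    return environ.get("http_proxy") or environ.get("HTTP_PROXY")


def outbound_http_proxy(environ):
    """Application-side mitigation: honour HTTP_PROXY only outside CGI.
    When REQUEST_METHOD is present the value may have come from the
    request, so it is ignored (the rule Python's urllib adopted).
    Lowercase http_proxy is never derived from a header, so it stays trusted."""
    if "http_proxy" in environ:
        return environ["http_proxy"]
    if "HTTP_PROXY" in environ and "REQUEST_METHOD" not in environ:
        return environ["HTTP_PROXY"]
    return None


def httpoxy_exposed(environ):
    """Detection: True when a CGI environment carries HTTP_PROXY, i.e. a
    client-controlled proxy value reached the script's environment."""
    return "REQUEST_METHOD" in environ and "HTTP_PROXY" in environ


# Constructed request: the client adds a Proxy header of its own choosing.
REQUEST_HEADERS = [("Host", "lists.example.org"),
                   ("User-Agent", "constructed/1.0"),
                   ("Proxy", "untrusted.example.net:8080")]

if __name__ == "__main__":
    tainted = cgi_environ("GET", REQUEST_HEADERS)
    print("exposed:", httpoxy_exposed(tainted), "naive proxy:", naive_http_proxy(tainted))
    print("hardened proxy:", outbound_http_proxy(tainted))
    clean = cgi_environ("GET", strip_proxy_header(REQUEST_HEADERS))
    print("exposed after stripping header:", httpoxy_exposed(clean))
```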
