On 07/22/2016 08:55 AM, Perry E. Metzger wrote:
> On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro <[email protected]>
>>
>> I am not an expert on httpoxy at all, but quoting from
>> <https://httpoxy.org/#top>
>>
>> "httpoxy is a vulnerability for server-side web applications. If
>> you’re not deploying code, you don’t need to worry."
>>
>> Mailman's web UI serves end user HTML pages. It does not deploy
>> code.
>>
>
> Er, it uses CGI scripts, doesn't it? That's what it means to "deploy
> code" in this context.

That's not the way I read it, but if you think that's the case, then
you've already decided that Mailman 2.1 is vulnerable depending on the
specific web server configuration. GNU Mailman has no control over how
you set up your web server to serve Mailman's CGI output, so your
question should be "is my web server configuration vulnerable?".

-- 
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
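
Added example, not part of the original message and not Mailman or web-server code: a model of how a CGI gateway turns request headers into environment variables under RFC 3875, which is why a client-sent Proxy header reaches a CGI script as HTTP_PROXY unless the web server configuration drops it. The function names and sample header values are constructed for illustration.

```python
# Added illustration; not Mailman or web-server code.
# Function names and sample header values are constructed.

def cgi_environ(headers, strip_proxy=False):
    """Map request headers to CGI meta-variables the way RFC 3875 describes:
    upper-case the header name, turn '-' into '_', and prefix 'HTTP_'."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        lname = name.lower()
        if strip_proxy and lname == "proxy":
            continue  # server-side mitigation: header never reaches the script
        key = name.upper().replace("-", "_")
        if lname in ("content-type", "content-length"):
            env[key] = value  # these two get no HTTP_ prefix
        else:
            env["HTTP_" + key] = value
    return env


def httpoxy_exposed(env):
    """True when a CGI environment carries HTTP_PROXY. Inside CGI that name
    is ambiguous: it may come from the request, not from the administrator."""
    return "GATEWAY_INTERFACE" in env and "HTTP_PROXY" in env


def scrub(env):
    """Script-side fallback: return a copy without HTTP_PROXY when the
    process is running as CGI; leave non-CGI environments untouched."""
    if "GATEWAY_INTERFACE" not in env:
        return dict(env)
    return {k: v for k, v in env.items() if k != "HTTP_PROXY"}


# Constructed request headers for the demonstration.
SAMPLE_HEADERS = {
    "Host": "lists.example.org",
    "Content-Type": "application/x-www-form-urlencoded",
    "Proxy": "http://proxy.invalid:3128",
}

if __name__ == "__main__":
    passthrough = cgi_environ(SAMPLE_HEADERS)
    hardened = cgi_environ(SAMPLE_HEADERS, strip_proxy=True)
    print("server passes Proxy through:", httpoxy_exposed(passthrough))
    print("server strips Proxy header: ", httpoxy_exposed(hardened))
    print("script scrubs environment:  ", httpoxy_exposed(scrub(passthrough)))
```

Running `httpoxy_exposed(os.environ)` at the top of a test CGI script answers the question for a given web server setup: it returns True only if the server passed the header through.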
