On Fri, 22 Jul 2016, Mark Sapiro wrote:
> That's not the way I read it, but if you think that's the case, then you've already decided that Mailman 2.1 is vulnerable depending on the specific web server configuration. GNU Mailman has no control over how you set up your web server to serve Mailman's CGI output, so your question should be "is my web server configuration vulnerable?".

As I understand it, even with a potentially vulnerable httpd configuration (i.e. one that uses the HTTP Proxy: header to set the HTTP_PROXY environment variable for CGI scripts), the CGI application needs to make outgoing HTTP requests, and check the HTTP_PROXY env var to see if it should use a proxy to do so, to be affected by httpoxy.

I'm not aware of Mailman 2.1 doing this. If that is correct, then httpoxy shouldn't cause problems for us.

Best,
Jack
------------------------------------------------------
Mailman-Users mailing list
https://mail.python.org/mailman/listinfo/mailman-users
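
The two conditions described in this message (the web server turning a request's Proxy: header into HTTP_PROXY for CGI scripts, and the CGI code making outgoing HTTP requests), checked in an added example that is not part of the original post or of Mailman's code. The header values, the two source snippets and all function names are constructed for illustration, and the call patterns are a heuristic, not a complete list.

```python
import re

def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables the way RFC 3875 sec. 4.1.18 describes."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}

def drop_request_proxy(environ):
    """Return a copy of a CGI environment without the header-derived HTTP_PROXY."""
    cleaned = dict(environ)
    if "GATEWAY_INTERFACE" in cleaned or "REQUEST_METHOD" in cleaned:
        cleaned.pop("HTTP_PROXY", None)
    return cleaned

# Heuristic (assumed, incomplete) patterns for outbound HTTP calls in Python 2/3 source.
OUTBOUND_CALL = re.compile(
    r"\b(urlopen|urlretrieve|build_opener|HTTPS?Connection|"
    r"requests\.(get|post|put|head|request|Session))\s*\(")

def find_outbound_http(source):
    """Return (line number, line) pairs that appear to make an HTTP request."""
    hits = []
    for number, line in enumerate(source.splitlines(), 1):
        code = line.split("#", 1)[0]          # ignore trailing comments
        if OUTBOUND_CALL.search(code):
            hits.append((number, line.strip()))
    return hits

# Constructed request headers (documentation-range address, example host).
SAMPLE_HEADERS = {"Host": "lists.example.org", "Proxy": "http://192.0.2.10:8080"}

# Constructed CGI sources: one only quotes strings, one fetches a URL.
QUOTES_ONLY = "import urllib\nprint urllib.quote('a b')\n"
FETCHES_URL = "import urllib2\ndata = urllib2.urlopen(url).read()  # outbound\n"

def assess(headers, source):
    """Report both httpoxy conditions, and HTTP_PROXY after app-side cleanup."""
    env = dict(cgi_meta_variables(headers), GATEWAY_INTERFACE="CGI/1.1")
    return {
        "server_sets_http_proxy": "HTTP_PROXY" in env,
        "app_makes_requests": bool(find_outbound_http(source)),
        "http_proxy_after_cleanup": drop_request_proxy(env).get("HTTP_PROXY"),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, QUOTES_ONLY))
    print(assess(SAMPLE_HEADERS, FETCHES_URL))
```

Only a script for which both server_sets_http_proxy and app_makes_requests are true matches the case the message describes; importing an HTTP module without calling it does not count.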
