Security Information / 2018 / Security Information -- DSA-4107-1 django-anymail

Debian Security Advisory

DSA-4107-1 django-anymail -- security update

Date Reported:

07 Feb 2018

Affected Packages:

django-anymail

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 889450.
In Mitre's CVE dictionary: CVE-2018-6596.

More information:

It was discovered that the webhook validation of Anymail, a Django email backends for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.

For the stable distribution (stretch), this problem has been fixed in version 0.8-2+deb9u1.

We recommend that you upgrade your django-anymail packages.

For the detailed security status of django-anymail please refer to its security tracker page at: https://security-tracker.debian.org/tracker/django-anymail