Debian Security Advisory

DSA-4107-1 django-anymail -- security update

Date Reported:
07 Feb 2018
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 889450.
In Mitre's CVE dictionary: CVE-2018-6596.
More information:

It was discovered that the webhook validation of Anymail, a Django email backends for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.

For the stable distribution (stretch), this problem has been fixed in version 0.8-2+deb9u1.

We recommend that you upgrade your django-anymail packages.

For the detailed security status of django-anymail please refer to its security tracker page at: