Your message dated Thu, 08 Feb 2018 21:18:15 +0000
with message-id <e1ejtab-000hcg...@fasolo.debian.org>
and subject line Bug#889450: fixed in django-anymail 0.8-2+deb9u1
has caused the Debian Bug report #889450,
regarding django-anymail: CVE-2018-6596: Security issue with timing attack on WEBHOOK_AUTHORIZATION
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
889450: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889450
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:django-anymail
Version: 0.8-2
Severity: serious
Tags: security upstream
Justification: security

This affects 0.8-2 in stable and 1.2 in unstable:

https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

Security: prevent timing attack on WEBHOOK_AUTHORIZATION secret

Anymail's webhook validation was vulnerable to a timing attack.
An attacker could have used this to recover your WEBHOOK_AUTHORIZATION
shared secret, potentially allowing them to post fabricated or malicious
email tracking events to your app.

There have not been any reports of attempted exploit in the wild. (The
vulnerability was discovered through code review.) Attempts would be
visible in http logs as a very large number of 400 responses on
Anymail's webhook urls, or in Python error monitoring as a very large
number of AnymailWebhookValidationFailure exceptions.

If you are using Anymail's webhooks, you should upgrade to this release.
In addition, you may want to rotate to a new WEBHOOK_AUTHORIZATION
secret 
([docs](http://anymail.readthedocs.io/en/stable/tips/securing_webhooks/#use-a-shared-authorization-secret)),
particularly if your logs indicate attempted exploit.

--- End Message ---
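The report above describes two things a practitioner wants to see concretely: why an early-exit string comparison of the WEBHOOK_AUTHORIZATION secret leaks it, and what the symptom in access logs looks like. The following is an added example, not code from django-anymail, from the upstream commit, or from the Debian package. All function names, the secret value, the log lines and the `/anymail/` URL prefix are constructed for the illustration; the hardened form uses the standard library's `hmac.compare_digest`, with no claim about which constant-time primitive upstream chose.

```python
"""Added example: webhook Basic-auth check in the vulnerable and the constant-time
form (CVE-2018-6596 pattern), plus a scan of constructed access-log lines for the
symptom the advisory describes (a burst of 400s on the webhook URLs)."""
import base64
import hmac
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed configuration. Anymail's WEBHOOK_AUTHORIZATION holds one or more
# "username:password" strings presented via HTTP Basic auth; this value is made up.
WEBHOOK_AUTHORIZATION: List[str] = ["hooks:correct-horse-battery-staple"]


def naive_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Model of an early-exit comparison, the pattern behind the vulnerability.

    Returns (equal, bytes_examined). The byte count stands in for elapsed time:
    an early-exit compare stops at the first mismatch, so a guess sharing a longer
    prefix with the secret takes measurably longer to reject, and an attacker who
    can time responses recovers the secret one byte at a time.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def parse_basic_auth(header: Optional[str]) -> Optional[str]:
    """Decode an HTTP Basic Authorization header to 'user:pass'; None if malformed."""
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        return base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def authorized_naive(header: Optional[str],
                     allowed: Iterable[str] = WEBHOOK_AUTHORIZATION) -> bool:
    """Vulnerable form: plain equality exits at the first differing character."""
    presented = parse_basic_auth(header)
    return presented is not None and any(presented == s for s in allowed)


def authorized(header: Optional[str],
               allowed: Iterable[str] = WEBHOOK_AUTHORIZATION) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of the content.

    Every configured secret is checked (no early `return True`) so which one
    matched does not show in the timing either. compare_digest still returns
    early on a length mismatch, so only the secret's length is observable.
    """
    presented = parse_basic_auth(header)
    if presented is None:
        return False
    given = presented.encode("utf-8")
    ok = False
    for secret in allowed:
        ok |= hmac.compare_digest(given, secret.encode("utf-8"))
    return ok


def basic_header(userpass: str) -> str:
    """Build the Authorization header a webhook sender would include."""
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


# Detection side. Constructed common-log-format lines; the /anymail/ prefix is an
# assumption about where the deployment mounted anymail.urls.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2018:10:00:01 +0000] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 0
203.0.113.7 - - [08/Feb/2018:10:00:01 +0000] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 0
203.0.113.7 - - [08/Feb/2018:10:00:02 +0000] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 0
198.51.100.2 - - [08/Feb/2018:10:00:03 +0000] "POST /anymail/mailgun/tracking/ HTTP/1.1" 200 0
198.51.100.2 - - [08/Feb/2018:10:00:04 +0000] "GET /healthz HTTP/1.1" 400 0
"""


def webhook_400s_by_ip(log_text: str, webhook_prefix: str = "/anymail/") -> Dict[str, int]:
    """Count HTTP 400 responses on webhook paths per client IP.

    One source producing a very large number of these is the signature the
    report describes; the alert threshold is the operator's call.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["status"] == "400" and m["path"].startswith(webhook_prefix):
            counts[m["ip"]] += 1
    return dict(counts)
```

The `naive_compare` model makes the leak visible without a timer: a guess that is wrong in the first byte is rejected after one comparison, a guess that gets the first seven bytes right is rejected after eight. Rotating the secret after upgrading, as the report advises, matters because any prefix an attacker already recovered stays valid until the secret changes.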
--- Begin Message ---
Source: django-anymail
Source-Version: 0.8-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
django-anymail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated django-anymail 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 06 Feb 2018 22:44:27 -0500
Source: django-anymail
Binary: python-django-anymail python3-django-anymail
Architecture: source all
Version: 0.8-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
 python-django-anymail - Django email backend for multiple ESPs (Python 2)
 python3-django-anymail - Django email backend for multiple ESPs (Python 3)
Closes: 889450
Changes:
 django-anymail (0.8-2+deb9u1) stretch-security; urgency=high
 .
   * Security fix for timing attack on WEBHOOK_AUTHORIZATION secret (CVE-2018-6596)
     as described in https://github.com/anymail/django-anymail/releases/tag/v1.2.1
     (Closes: #889450)
Checksums-Sha1:
 cfa9505607506e4faafac1b5cae581a865b30358 2208 django-anymail_0.8-2+deb9u1.dsc
 8561666686c4ac3eefc154b788eb7c05f98b971a 41671 django-anymail_0.8.orig.tar.gz
 c05e6c40e7c79f1c0cda107519a96913101a0298 4712 django-anymail_0.8-2+deb9u1.debian.tar.xz
 c0fd412da729c2e01fc69c54c2000fa5bb636e30 5886 django-anymail_0.8-2+deb9u1_amd64.buildinfo
 1539294f1959412f90b2d9da615b26d67f10d1cf 41254 python-django-anymail_0.8-2+deb9u1_all.deb
 7d2bd9b1c2b2ee04b3fdb168932c442dc1109f76 41320 python3-django-anymail_0.8-2+deb9u1_all.deb
Checksums-Sha256:
 6c47b08d6f06daba4e0fbb945e6d275b96449bd652c4be6e7874da7b19e87161 2208 django-anymail_0.8-2+deb9u1.dsc
 64b5ae56823925de69b09615bb737001b2604a80ba1fcf2cb43b00d91fec0b32 41671 django-anymail_0.8.orig.tar.gz
 010428555a84c141197ec184194a973b301975718cb023967311e45d1dfc89ca 4712 django-anymail_0.8-2+deb9u1.debian.tar.xz
 cea033aa323fbd72515c1b3ed2a3ff4794535ec957f5bad579711e5a17330496 5886 django-anymail_0.8-2+deb9u1_amd64.buildinfo
 ad9ec36435ce3b4ddf3fa0fa06dce5d29698b6a54f0bf36aa4b78bfd7461e1b2 41254 python-django-anymail_0.8-2+deb9u1_all.deb
 8eb07666ea05647588caaa8753e7143182d30de2c2d5dec0cb2c18c3d50bac20 41320 python3-django-anymail_0.8-2+deb9u1_all.deb
Files:
 e9f92b3d8992e0eb91dabb0c8c7f7782 2208 contrib/python optional django-anymail_0.8-2+deb9u1.dsc
 adaf3b352d5a90f909560a0ed2b2d3c5 41671 contrib/python optional django-anymail_0.8.orig.tar.gz
 d39682b0c2aef632cc1c4c1d62d393e2 4712 contrib/python optional django-anymail_0.8-2+deb9u1.debian.tar.xz
 716dd6aa21c7f5c1a87aa344eaca9728 5886 contrib/python optional django-anymail_0.8-2+deb9u1_amd64.buildinfo
 c898f7af2f28d8e8e92ed27982596d3f 41254 contrib/python optional python-django-anymail_0.8-2+deb9u1_all.deb
 3864352c28b8afd43b7ec7e1237d9126 41320 contrib/python optional python3-django-anymail_0.8-2+deb9u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
