On Sun, 11 Feb 2018 01:08:01 -0500 Scott Kitterman <deb...@kitterman.com> wrote:
> Package: src:django-anymail
> Version: 0.8-2
> Severity: important
> Tags: upstream,security
>
> Security fix
>
> This fixes a low severity security issue affecting Anymail v0.2–v1.3. (CVE
> Pending)
>
> Django error reporting includes the value of your Anymail
> WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this
> should not be cause for concern. But if you have somehow exposed your Django
> error reports (e.g., by mis-deploying with DEBUG=True or by sending error
> reports through insecure channels), anyone who gains access to those reports
> could discover your webhook shared secret. An attacker could use this to post
> fabricated or malicious Anymail tracking/inbound events to your app, if you
> are using those Anymail features.
>
> The fix renames Anymail's webhook shared secret setting so that Django's error
> reporting mechanism will sanitize it.
>
> If you are using Anymail's event tracking and/or inbound webhooks, you should
> upgrade to this release and change "WEBHOOK_AUTHORIZATION" to "WEBHOOK_SECRET"
> in the ANYMAIL section of your settings.py. You may also want to rotate the
> shared secret value, particularly if you have ever exposed your Django error
> reports to untrusted individuals.
>
> If you are only using Anymail's EmailBackends for sending email and have not
> set up Anymail's webhooks, this issue does not affect you.
>
> The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but
> will issue a system-check warning when running most Django management
> commands. It will be removed completely in a near-future release, as a
> breaking change.
>
> Thanks to Charlie DeTar (@yourcelf) for responsibly reporting this security
> issue through private channels.
>
> https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
>
> Given that the fix for this is problematic from a backward compatibility
> perspective and that it requires a misconfigured django app before it is a
> problem, recommend No DSA for the security team.
This is now assigned CVE-2018-1000089.

https://github.com/anymail/django-anymail/releases/tag/v1.4

Scott K
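Why renaming the setting is the fix: Django's technical 500 page and error e-mails redact a setting purely by its *name*, not by its value. The following is an added example, not code from the advisory, from Anymail or from Django; it re-implements the name-based cleansing that Django's debug reporter applies (the HIDDEN_SETTINGS pattern is the one from django/views/debug.py in the Django 1.11/2.0 era, the surrounding functions are a simplified stand-in so the block runs without Django installed), and runs it over a constructed ANYMAIL settings dict before and after the rename. The `leaked_values` and `legacy_webhook_setting_warning` helpers are illustrative and are not Anymail's own system check.

```python
import re
from typing import Any, Dict, List, Optional, Set

# Key-name pattern used by Django's debug reporter to decide which settings
# to hide in error reports. Anything whose *name* matches is replaced; the
# value itself is never inspected. (Copied from django/views/debug.py as of
# Django 1.11/2.0; treat as an assumption for other versions.)
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
CLEANSED_SUBSTITUTE = "********************"


def cleanse_setting(key: Any, value: Any) -> Any:
    """Simplified stand-in for Django's cleanse_setting().

    A key whose name matches HIDDEN_SETTINGS is replaced wholesale. Otherwise,
    if the value is a dict (as the ANYMAIL setting is), the same rule is applied
    to each nested key. A nested key that matches nothing is reported verbatim.
    """
    try:
        if HIDDEN_SETTINGS.search(key):
            return CLEANSED_SUBSTITUTE
    except TypeError:
        # Non-string keys cannot be matched; Django leaves them as-is too.
        return value
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    return value


def cleanse_settings(settings: Dict[str, Any]) -> Dict[str, Any]:
    """Cleanse a whole settings mapping, as the technical 500 report does."""
    return {k: cleanse_setting(k, v) for k, v in settings.items()}


def leaked_values(settings: Dict[str, Any], sensitive: Set[str]) -> List[str]:
    """Dotted key paths whose sensitive value still appears after cleansing.

    Illustrative helper: feed it the secrets you know are in settings and it
    tells you which ones an exposed error report would reveal.
    """
    leaks: List[str] = []

    def walk(prefix: str, obj: Any) -> None:
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(f"{prefix}{k}.", v)
        elif isinstance(obj, str) and obj in sensitive:
            leaks.append(prefix.rstrip("."))

    walk("", cleanse_settings(settings))
    return leaks


def legacy_webhook_setting_warning(settings: Dict[str, Any]) -> Optional[str]:
    """Illustrative migration check (not Anymail's own system check).

    Returns a warning when the pre-1.4 key is still present, which is what a
    Django system check for this rename would flag on management commands.
    """
    anymail = settings.get("ANYMAIL", {})
    if "WEBHOOK_AUTHORIZATION" in anymail:
        return ("ANYMAIL['WEBHOOK_AUTHORIZATION'] is deprecated and is not "
                "redacted from Django error reports; rename it to "
                "ANYMAIL['WEBHOOK_SECRET'] and consider rotating the value.")
    return None


# Constructed sample settings; the secret values are made up.
SHARED_SECRET = "hookuser:correct-horse-battery-staple"

VULNERABLE_SETTINGS: Dict[str, Any] = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-example",
    "ANYMAIL": {
        "MAILGUN_API_KEY": "key-0123456789abcdef",
        "WEBHOOK_AUTHORIZATION": SHARED_SECRET,  # Anymail <= 1.3 name
    },
}

FIXED_SETTINGS: Dict[str, Any] = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-example",
    "ANYMAIL": {
        "MAILGUN_API_KEY": "key-0123456789abcdef",
        "WEBHOOK_SECRET": SHARED_SECRET,  # Anymail >= 1.4 name
    },
}

if __name__ == "__main__":
    for label, cfg in (("before rename", VULNERABLE_SETTINGS), ("after rename", FIXED_SETTINGS)):
        print(label, "->", cleanse_settings(cfg)["ANYMAIL"])
        print("  leaked:", leaked_values(cfg, {SHARED_SECRET}))
        print("  warning:", legacy_webhook_setting_warning(cfg))
```

Note that MAILGUN_API_KEY was already hidden under the old scheme because its name contains API and KEY; only the webhook secret escaped, since AUTHORIZATION matches none of the pattern's words. The rename is therefore sufficient on its own, but the leaked_values check is the kind of thing worth running against a real settings module whenever a new secret-bearing setting is introduced, since the protection depends entirely on naming discipline.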