On Sun, 11 Feb 2018 01:08:01 -0500 Scott Kitterman <deb...@kitterman.com> 
> Package: src:django-anymail
> Version: 0.8-2
> Severity: important
> Tags: upstream,security
> Security fix
> This fixes a low severity security issue affecting Anymail v0.2–v1.3. (CVE
> Pending)
> Django error reporting includes the value of your Anymail
> WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this
> should not be cause for concern. But if you have somehow exposed your Django
> error reports (e.g., by mis-deploying with DEBUG=True or by sending error
> reports through insecure channels), anyone who gains access to those reports
> could discover your webhook shared secret. An attacker could use this to post
> fabricated or malicious Anymail tracking/inbound events to your app, if you
> are using those Anymail features.
> The fix renames Anymail's webhook shared secret setting so that Django's 
> reporting mechanism will sanitize it.
> If you are using Anymail's event tracking and/or inbound webhooks, you should
> upgrade to this release and change "WEBHOOK_AUTHORIZATION" to 
> in the ANYMAIL section of your settings.py. You may also want to rotate the
> shared secret value, particularly if you have ever exposed your Django error
> reports to untrusted individuals.
> If you are only using Anymail's EmailBackends for sending email and have not
> set up Anymail's webhooks, this issue does not affect you.
> The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but
> will issue a system-check warning when running most Django management
> commands. It will be removed completely in a near-future release, as a
> breaking change.
> Thanks to Charlie DeTar (@yourcelf) for responsibly reporting this security
> issue through private channels.
> https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
> Given that the fix for this is problematic from a backward compatibility
> perspective and that it requires a misconfigured django app before it is a
> problem, recommend No DSA for the security team.

This is now assigned CVE-2018-1000089.


Scott K

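Why a rename is a fix at all, as an added example that is not part of the message above or of django-anymail's own code: Django's debug error report runs every setting, including each key of nested dicts such as ANYMAIL, through a filter that masks a value only when the setting's *name* matches a pattern of sensitive-looking tokens (API, TOKEN, KEY, SECRET, PASS, SIGNATURE, case-insensitive). "WEBHOOK_AUTHORIZATION" contains none of those tokens, so its value is printed verbatim; a name containing SECRET is masked. The code below re-implements that filter in plain Python so it runs without Django installed (the pattern is reproduced from Django's SafeExceptionReporterFilter as it stood in early 2018). The new setting name is not visible in this copy of the message; "WEBHOOK_SECRET" is used here only as an example of a name the filter catches, and the settings dicts and the deprecation check are constructed for illustration.

```python
import re
from typing import Any

# Django masks a setting by NAME, never by inspecting the value.  Pattern and
# placeholder reproduced from django.views.debug (early 2018) so this runs
# without Django; if Django later widens the pattern, the point still holds.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
CLEANSED_SUBSTITUTE = "********************"


def cleanse_setting(key: str, value: Any) -> Any:
    """Mirror Django's cleanse_setting(): mask by key name, recurse into dicts."""
    if HIDDEN_SETTINGS.search(str(key)):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        # Nested settings (the ANYMAIL dict) are cleansed key by key, so the
        # inner key name decides, not the outer "ANYMAIL".
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    return value


def cleansed_settings(settings: dict) -> dict:
    """What the 'Settings' section of a DEBUG=True error page would show."""
    return {k: cleanse_setting(k, v) for k, v in settings.items()}


def leaked_anymail_values(settings: dict) -> list:
    """(key, value) pairs under ANYMAIL that survive the filter in clear text."""
    report = cleansed_settings(settings)
    return [(k, v) for k, v in report.get("ANYMAIL", {}).items()
            if v != CLEANSED_SUBSTITUTE]


def deprecated_webhook_setting_warnings(settings: dict) -> list:
    """Illustration of the kind of system-check warning the message describes;
    modelled on its description, not Anymail's actual check code."""
    warnings = []
    if "WEBHOOK_AUTHORIZATION" in settings.get("ANYMAIL", {}):
        warnings.append(
            "ANYMAIL['WEBHOOK_AUTHORIZATION'] is deprecated: its value is not "
            "sanitized by Django's error reporting; rename the setting and "
            "consider rotating the shared secret."
        )
    return warnings


# Constructed sample settings (not from any real deployment).
VULNERABLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-example",
    "ANYMAIL": {
        "MAILGUN_API_KEY": "key-0123456789abcdef",     # "API" -> masked
        "WEBHOOK_AUTHORIZATION": "anymail:hunter2",    # no token -> printed
    },
}

HARDENED_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-example",
    "ANYMAIL": {
        "MAILGUN_API_KEY": "key-0123456789abcdef",
        "WEBHOOK_SECRET": "anymail:hunter2",           # "SECRET" -> masked
    },
}


if __name__ == "__main__":
    for label, cfg in (("old name", VULNERABLE_SETTINGS), ("renamed", HARDENED_SETTINGS)):
        print(label, "-> report shows:", cleansed_settings(cfg)["ANYMAIL"])
        print(label, "-> leaked:", leaked_anymail_values(cfg))
        for w in deprecated_webhook_setting_warnings(cfg):
            print(label, "-> WARNING:", w)
```

Note that the filter only applies to what Django itself renders; if the same report is forwarded through a third-party logging or e-mail channel that dumps `settings` by other means, renaming does nothing, which is why the advisory also suggests rotating the shared secret if reports were ever exposed.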