Debian Security Advisory
DSA-4107-1 django-anymail -- security update
- Date Reported:
- 07 Feb 2018
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 889450.
In Mitre's CVE dictionary: CVE-2018-6596.
- More information:
It was discovered that the webhook validation of Anymail, a Django email backends for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.
For the stable distribution (stretch), this problem has been fixed in version 0.8-2+deb9u1.
We recommend that you upgrade your django-anymail packages.
For the detailed security status of django-anymail please refer to its security tracker page at: https://security-tracker.debian.org/tracker/django-anymail