[Python-modules-team] Bug#889450: src:django-anymail: Security issue with timing attack on WEBHOOK_AUTHORIZATION
Scott Kitterman
debian at kitterman.com
Sat Feb 3 16:34:56 UTC 2018
Package: src:django-anymail
Version: 0.8-2
Severity: serious
Tags: security upstream
Justification: security
This affects 0.8-2 in stable and 1.2 in unstable:
https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b
Security: prevent timing attack on WEBHOOK_AUTHORIZATION secret
Anymail's webhook validation was vulnerable to a timing attack.
An attacker could have used this to recover your WEBHOOK_AUTHORIZATION
shared secret, potentially allowing them to post fabricated or malicious
email tracking events to your app.
There have not been any reports of attempted exploit in the wild. (The
vulnerability was discovered through code review.) Attempts would be
visible in http logs as a very large number of 400 responses on
Anymail's webhook urls, or in Python error monitoring as a very large
number of AnymailWebhookValidationFailure exceptions.
If you are using Anymail's webhooks, you should upgrade to this release.
In addition, you may want to rotate to a new WEBHOOK_AUTHORIZATION
secret ([docs](http://anymail.readthedocs.io/en/stable/tips/securing_webhooks/#use-a-shared-authorization-secret)),
particularly if your logs indicate attempted exploit.
More information about the Python-modules-team
mailing list