[Python-modules-team] Bug#890097: src:django-anymail: New, minor WEBHOOK_AUTHORIZATION security issue
Scott Kitterman
debian at kitterman.com
Sun Feb 11 06:08:01 UTC 2018
Package: src:django-anymail
Version: 0.8-2
Severity: important
Tags: upstream,security
Security fix
This fixes a low severity security issue affecting Anymail v0.2–v1.3. (CVE
Pending)
Django error reporting includes the value of your Anymail
WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this
should not be cause for concern. But if you have somehow exposed your Django
error reports (e.g., by mis-deploying with DEBUG=True or by sending error
reports through insecure channels), anyone who gains access to those reports
could discover your webhook shared secret. An attacker could use this to post
fabricated or malicious Anymail tracking/inbound events to your app, if you
are using those Anymail features.
The fix renames Anymail's webhook shared secret setting so that Django's error
reporting mechanism will sanitize it.
If you are using Anymail's event tracking and/or inbound webhooks, you should
upgrade to this release and change "WEBHOOK_AUTHORIZATION" to "WEBHOOK_SECRET"
in the ANYMAIL section of your settings.py. You may also want to rotate the
shared secret value, particularly if you have ever exposed your Django error
reports to untrusted individuals.
If you are only using Anymail's EmailBackends for sending email and have not
set up Anymail's webhooks, this issue does not affect you.
The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but
will issue a system-check warning when running most Django management
commands. It will be removed completely in a near-future release, as a
breaking change.
Thanks to Charlie DeTar (@yourcelf) for responsibly reporting this security
issue through private channels.
https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
Given that the fix for this is problematic from a backward compatility
perspective and that it requires a misconfigured django app before it is a
problem, recommend No DSA for the security team.
More information about the Python-modules-team
mailing list