Package: src:django-anymail Version: 0.8-2 Severity: serious Tags: security upstream Justification: security
This affects 0.8-2 in stable and 1.2 in unstable: https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b Security: prevent timing attack on WEBHOOK_AUTHORIZATION secret Anymail's webhook validation was vulnerable to a timing attack. An attacker could have used this to recover your WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to your app. There have not been any reports of attempted exploit in the wild. (The vulnerability was discovered through code review.) Attempts would be visible in http logs as a very large number of 400 responses on Anymail's webhook urls, or in Python error monitoring as a very large number of AnymailWebhookValidationFailure exceptions. If you are using Anymail's webhooks, you should upgrade to this release. In addition, you may want to rotate to a new WEBHOOK_AUTHORIZATION secret ([docs](http://anymail.readthedocs.io/en/stable/tips/securing_webhooks/#use-a-shared-authorization-secret)), particularly if your logs indicate attempted exploit.
