It was discovered that the webhook validation of Anymail, a Django email backend for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.
For the stable distribution (stretch), this problem has been fixed in version 0.8-2+deb9u1.
We recommend that you upgrade your django-anymail packages.
For the detailed security status of django-anymail please refer to its security tracker page at: https://security-tracker.debian.org/tracker/django-anymail
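The class of flaw described above, shown as an added example that is not Anymail's code or the Debian patch: a shared webhook secret checked with an ordinary comparison next to a constant-time check. It assumes the secret arrives as HTTP Basic credentials; the function names and the sample credential are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample value; a real deployment loads its secret from settings.
ALLOWED_CREDENTIALS = ("hook-user:constructed-sample-secret",)


def make_basic_header(credential):
    """Build the Authorization header value a sender would present."""
    return "Basic " + base64.b64encode(credential.encode("utf-8")).decode("ascii")


def check_naive(header_value, allowed=ALLOWED_CREDENTIALS):
    """Vulnerable pattern: ordinary string equality can stop at the first
    differing character, so response time depends on the matching prefix."""
    return header_value in [make_basic_header(c) for c in allowed]


def check_constant_time(header_value, allowed=ALLOWED_CREDENTIALS):
    """Hardened pattern: timing does not depend on which bytes match."""
    if not isinstance(header_value, str) or not header_value.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(header_value[len("Basic "):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Hash both sides so compare_digest always sees equal-length inputs
    # and the length of the secret is not leaked either.
    presented_digest = hashlib.sha256(presented).digest()
    ok = False
    for cred in allowed:
        expected_digest = hashlib.sha256(cred.encode("utf-8")).digest()
        # No early exit: every allowed credential is compared on every request.
        ok |= hmac.compare_digest(presented_digest, expected_digest)
    return ok
```

Inside a Django project, `django.utils.crypto.constant_time_compare` serves the same purpose as `hmac.compare_digest`.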