django-anymail: CVE-2018-6596: Security issue with timing attack on WEBHOOK_AUTHORIZATION

Related Vulnerabilities: CVE-2018-6596  

Debian Bug report logs - #889450


Reported by: Scott Kitterman <debian@kitterman.com>

Date: Sat, 3 Feb 2018 16:36:22 UTC

Severity: serious

Tags: security, upstream

Found in version django-anymail/0.8-2

Fixed in versions django-anymail/1.3-1, django-anymail/0.8-2+deb9u1

Done: Scott Kitterman <scott@kitterman.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#889450; Package src:django-anymail. (Sat, 03 Feb 2018 16:36:25 GMT)


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 03 Feb 2018 16:36:25 GMT)


Message #5 received at submit@bugs.debian.org:

From: Scott Kitterman <debian@kitterman.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: src:django-anymail: Security issue with timing attack on WEBHOOK_AUTHORIZATION
Date: Sat, 03 Feb 2018 11:34:56 -0500
Package: src:django-anymail
Version: 0.8-2
Severity: serious
Tags: security upstream
Justification: security

This affects 0.8-2 in stable and 1.2 in unstable:

https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

Security: prevent timing attack on WEBHOOK_AUTHORIZATION secret

Anymail's webhook validation was vulnerable to a timing attack.
An attacker could have used this to recover your WEBHOOK_AUTHORIZATION
shared secret, potentially allowing them to post fabricated or malicious
email tracking events to your app.

There have not been any reports of attempted exploit in the wild. (The
vulnerability was discovered through code review.) Attempts would be
visible in http logs as a very large number of 400 responses on
Anymail's webhook urls, or in Python error monitoring as a very large
number of AnymailWebhookValidationFailure exceptions.

If you are using Anymail's webhooks, you should upgrade to this release.
In addition, you may want to rotate to a new WEBHOOK_AUTHORIZATION
secret ([docs](http://anymail.readthedocs.io/en/stable/tips/securing_webhooks/#use-a-shared-authorization-secret)),
particularly if your logs indicate attempted exploit.
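An added illustration, not code from this bug report or from django-anymail itself: a short-circuiting secret comparison beside the constant-time form that removes the timing side channel, plus a detector for the log signature the upstream notes describe (a very large number of 400 responses on the webhook URLs). The `/anymail/` path prefix, the access-log format, the threshold and all helper names are this example's assumptions.

```python
import hmac
import re
from collections import Counter

# Assumptions: Anymail's WEBHOOK_AUTHORIZATION is a "username:password" shared
# secret presented via HTTP Basic auth; the function names here are this
# example's own, not Anymail's API.
def check_webhook_auth_vulnerable(supplied, expected):
    # Plain equality stops at the first mismatching byte, so response time
    # depends on how many leading characters of the secret were correct.
    return supplied == expected

def check_webhook_auth(supplied, expected):
    # hmac.compare_digest takes time independent of where the inputs differ.
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))

# Combined-format access log: request line, then the status code.
# Only paths under the assumed /anymail/ prefix are of interest.
WEBHOOK_PATH_RE = re.compile(r'"(?:POST|GET) (/anymail/[^ "]+) HTTP/[0-9.]+" (\d{3}) ')

def count_webhook_400s(log_lines):
    """Count HTTP 400 responses per webhook path (the signature of failed
    WEBHOOK_AUTHORIZATION checks, which also raise AnymailWebhookValidationFailure)."""
    counts = Counter()
    for line in log_lines:
        m = WEBHOOK_PATH_RE.search(line)
        if m and m.group(2) == "400":
            counts[m.group(1)] += 1
    return counts

def flag_suspicious_paths(log_lines, threshold):
    """Return the webhook paths whose number of 400s reaches the threshold."""
    return sorted(p for p, n in count_webhook_400s(log_lines).items() if n >= threshold)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2018:11:00:01 -0500] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 12',
    '203.0.113.5 - - [03/Feb/2018:11:00:01 -0500] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 12',
    '203.0.113.5 - - [03/Feb/2018:11:00:02 -0500] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 12',
    '198.51.100.7 - - [03/Feb/2018:11:00:03 -0500] "POST /anymail/mailgun/tracking/ HTTP/1.1" 200 2',
    '198.51.100.7 - - [03/Feb/2018:11:00:04 -0500] "GET /static/app.css HTTP/1.1" 400 0',
]
```

A real deployment would pick the threshold from the normal rate of legitimate validation failures on each webhook path.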



Added tag(s) pending. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Sat, 03 Feb 2018 16:45:19 GMT)


Message sent on to Scott Kitterman <debian@kitterman.com>:
Bug#889450. (Sat, 03 Feb 2018 16:45:22 GMT)


Message #10 received at 889450-submitter@bugs.debian.org:

From: Scott Kitterman <scott@kitterman.com>
To: 889450-submitter@bugs.debian.org
Subject: Bug#889450 marked as pending
Date: Sat, 03 Feb 2018 16:43:52 +0000
tag 889450 pending
thanks

Hello,

Bug #889450 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/python-modules/packages/django-anymail.git/commit/?id=a31e71b

---
commit a31e71b74b775b60c7c89a408457c18231c5c193
Author: Scott Kitterman <scott@kitterman.com>
Date:   Sat Feb 3 11:43:48 2018 -0500

    Add bug number to changelog

diff --git a/debian/changelog b/debian/changelog
index ef01178..394c0dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,6 @@
 django-anymail (1.3-1) unstable; urgency=medium
 
-  * New upstream release
+  * New upstream release (Closes: #889450)
     - Includes security fix for timing attack on WEBHOOK_AUTHORIZATION secret
       (no CVE assigned) as described in
       https://github.com/anymail/django-anymail/releases/tag/v1.2.1
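Review bot: the `(Closes: #889450)` added here hangs off the generic "New upstream release" bullet, while the sub-item that actually fixes the bug is the "Includes security fix for timing attack on WEBHOOK_AUTHORIZATION secret" line two lines below; placing the closer on that sub-item makes the changelog self-explanatory. The unchanged context line "(no CVE assigned)" is also already out of date relative to this bug log, whose title was later changed to carry CVE-2018-6596, so the next unstable changelog entry should name the CVE the way the 0.8-2+deb9u1 stretch-security entry on this page does.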



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#889450; Package src:django-anymail. (Sat, 03 Feb 2018 16:54:15 GMT)


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 03 Feb 2018 16:54:15 GMT)


Message #15 received at 889450@bugs.debian.org:

From: Scott Kitterman <debian@kitterman.com>
To: 889450@bugs.debian.org
Subject: Re: src:django-anymail: Security issue with timing attack on WEBHOOK_AUTHORIZATION
Date: Sat, 03 Feb 2018 11:52:34 -0500
On Sat, 03 Feb 2018 11:34:56 -0500 Scott Kitterman <debian@kitterman.com> wrote:
> Package: src:django-anymail
> Version: 0.8-2
> Severity: serious
> Tags: security upstream
> Justification: security
> 
> This affects 0.8-2 in stable and 1.2 in unstable:
> 
> https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

I've checked and the commit should apply directly to 0.8.

Scott K



Reply sent to Scott Kitterman <scott@kitterman.com>:
You have taken responsibility. (Sat, 03 Feb 2018 17:09:11 GMT)


Notification sent to Scott Kitterman <debian@kitterman.com>:
Bug acknowledged by developer. (Sat, 03 Feb 2018 17:09:11 GMT)


Message #20 received at 889450-close@bugs.debian.org:

From: Scott Kitterman <scott@kitterman.com>
To: 889450-close@bugs.debian.org
Subject: Bug#889450: fixed in django-anymail 1.3-1
Date: Sat, 03 Feb 2018 17:04:48 +0000
Source: django-anymail
Source-Version: 1.3-1

We believe that the bug you reported is fixed in the latest version of
django-anymail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated django-anymail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 03 Feb 2018 11:23:43 -0500
Source: django-anymail
Binary: python-django-anymail python3-django-anymail
Architecture: source all
Version: 1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Description:
 python-django-anymail - Django email backend for multiple ESPs (Python 2)
 python3-django-anymail - Django email backend for multiple ESPs (Python 3)
Closes: 889450
Changes:
 django-anymail (1.3-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #889450)
     - Includes security fix for timing attack on WEBHOOK_AUTHORIZATION secret
       (no CVE assigned) as described in
       https://github.com/anymail/django-anymail/releases/tag/v1.2.1
   * Update debian/watch and debian/copyright to use secure URIs




Changed Bug title to 'django-anymail: CVE-2018-6596: Security issue with timing attack on WEBHOOK_AUTHORIZATION' from 'src:django-anymail: Security issue with timing attack on WEBHOOK_AUTHORIZATION'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Feb 2018 08:06:03 GMT)


Bug reopened. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Tue, 06 Feb 2018 05:51:03 GMT)


No longer marked as fixed in versions django-anymail/1.3-1. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Tue, 06 Feb 2018 05:51:03 GMT)


Marked as fixed in versions django-anymail/1.3-1. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Tue, 06 Feb 2018 06:03:02 GMT)


Reply sent to Scott Kitterman <scott@kitterman.com>:
You have taken responsibility. (Thu, 08 Feb 2018 21:21:31 GMT)


Notification sent to Scott Kitterman <debian@kitterman.com>:
Bug acknowledged by developer. (Thu, 08 Feb 2018 21:21:31 GMT)


Message #33 received at 889450-close@bugs.debian.org:

From: Scott Kitterman <scott@kitterman.com>
To: 889450-close@bugs.debian.org
Subject: Bug#889450: fixed in django-anymail 0.8-2+deb9u1
Date: Thu, 08 Feb 2018 21:18:15 +0000
Source: django-anymail
Source-Version: 0.8-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
django-anymail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated django-anymail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 06 Feb 2018 22:44:27 -0500
Source: django-anymail
Binary: python-django-anymail python3-django-anymail
Architecture: source all
Version: 0.8-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Description:
 python-django-anymail - Django email backend for multiple ESPs (Python 2)
 python3-django-anymail - Django email backend for multiple ESPs (Python 3)
Closes: 889450
Changes:
 django-anymail (0.8-2+deb9u1) stretch-security; urgency=high
 .
   * Security fix for timing attack on WEBHOOK_AUTHORIZATION secret
     (CVE-2018-6596) as described in
     https://github.com/anymail/django-anymail/releases/tag/v1.2.1
     (Closes: #889450)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Mar 2018 07:27:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:30:41 2019; Machine Name: buxtehude
