django-anymail: CVE-2018-1000089: WEBHOOK_AUTHORIZATION secret disclosure when debug enabled

Related Vulnerabilities: CVE-2018-1000089  

Debian Bug report logs - #890097
django-anymail: CVE-2018-1000089: WEBHOOK_AUTHORIZATION secret disclosure when debug enabled


Reported by: Scott Kitterman <debian@kitterman.com>

Date: Sun, 11 Feb 2018 06:12:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version django-anymail/0.8-2

Fixed in version django-anymail/1.4-1

Done: Scott Kitterman <scott@kitterman.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#890097; Package src:django-anymail. (Sun, 11 Feb 2018 06:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 11 Feb 2018 06:12:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <debian@kitterman.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: src:django-anymail: New, minor WEBHOOK_AUTHORIZATION security issue
Date: Sun, 11 Feb 2018 01:08:01 -0500
Package: src:django-anymail
Version: 0.8-2
Severity: important
Tags: upstream,security

Security fix

This fixes a low severity security issue affecting Anymail v0.2–v1.3. (CVE
Pending)

Django error reporting includes the value of your Anymail
WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this
should not be cause for concern. But if you have somehow exposed your Django
error reports (e.g., by mis-deploying with DEBUG=True or by sending error
reports through insecure channels), anyone who gains access to those reports
could discover your webhook shared secret. An attacker could use this to post
fabricated or malicious Anymail tracking/inbound events to your app, if you
are using those Anymail features.

The fix renames Anymail's webhook shared secret setting so that Django's error
reporting mechanism will sanitize it.

If you are using Anymail's event tracking and/or inbound webhooks, you should
upgrade to this release and change "WEBHOOK_AUTHORIZATION" to "WEBHOOK_SECRET"
in the ANYMAIL section of your settings.py. You may also want to rotate the
shared secret value, particularly if you have ever exposed your Django error
reports to untrusted individuals.

If you are only using Anymail's EmailBackends for sending email and have not
set up Anymail's webhooks, this issue does not affect you.

The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but
will issue a system-check warning when running most Django management
commands. It will be removed completely in a near-future release, as a
breaking change.

Thanks to Charlie DeTar (@yourcelf) for responsibly reporting this security
issue through private channels.

https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef

Given that the fix for this is problematic from a backward compatibility
perspective and that it requires a misconfigured django app before it is a
problem, recommend No DSA for the security team.
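The mechanism behind this issue, as an added illustration that is not part of the bug report or of Anymail's code: Django's debug error page masks a setting only when its name matches a keyword pattern, so the setting value itself is never inspected. The pattern and substitute string below mirror Django's SafeExceptionReporterFilter of that era (check your own Django version for the authoritative values); the settings dicts and the secret value are constructed.

```python
import re
from typing import Any

# Mirror of Django's masking rule: a setting is hidden in error reports only
# when its NAME matches this pattern (assumed from django.views.debug).
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
CLEANSED_SUBSTITUTE = "********************"


def cleanse_setting(key: str, value: Any) -> Any:
    """Render one setting as the debug page would: mask by key name and
    recurse into dicts so entries of ANYMAIL = {...} are judged by sub-key."""
    if HIDDEN_SETTINGS.search(key):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    return value


def rendered(settings: dict) -> dict:
    """Apply the masking rule to a whole settings mapping."""
    return {k: cleanse_setting(k, v) for k, v in settings.items()}


def unmasked_secret_keys(settings: dict, marker: str = "WEBHOOK") -> list:
    """Audit helper (constructed heuristic): dotted paths of keys that look
    credential-like by `marker` but would NOT be masked by HIDDEN_SETTINGS."""
    leaks = []

    def walk(prefix: str, mapping: dict) -> None:
        for k, v in mapping.items():
            if isinstance(v, dict):
                walk(f"{prefix}{k}.", v)
            elif marker in k.upper() and not HIDDEN_SETTINGS.search(k):
                leaks.append(f"{prefix}{k}")

    walk("", settings)
    return leaks


# Constructed sample settings: pre-1.4 spelling versus the renamed setting.
VULNERABLE_SETTINGS = {"ANYMAIL": {"WEBHOOK_AUTHORIZATION": "constructed-secret"}}
FIXED_SETTINGS = {"ANYMAIL": {"WEBHOOK_SECRET": "constructed-secret"}}

if __name__ == "__main__":
    print(rendered(VULNERABLE_SETTINGS))       # secret shown in clear text
    print(rendered(FIXED_SETTINGS))            # secret replaced by asterisks
    print(unmasked_secret_keys(VULNERABLE_SETTINGS))
```

Running the audit helper over your own settings module before deploying is a cheap way to catch other secret-bearing keys whose names fall outside Django's pattern.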



Reply sent to Scott Kitterman <scott@kitterman.com>:
You have taken responsibility. (Sun, 11 Feb 2018 06:51:03 GMT) (full text, mbox, link).


Notification sent to Scott Kitterman <debian@kitterman.com>:
Bug acknowledged by developer. (Sun, 11 Feb 2018 06:51:03 GMT) (full text, mbox, link).


Message #10 received at 890097-close@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <scott@kitterman.com>
To: 890097-close@bugs.debian.org
Subject: Bug#890097: fixed in django-anymail 1.4-1
Date: Sun, 11 Feb 2018 06:49:07 +0000
Source: django-anymail
Source-Version: 1.4-1

We believe that the bug you reported is fixed in the latest version of
django-anymail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated django-anymail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 11 Feb 2018 01:21:39 -0500
Source: django-anymail
Binary: python-django-anymail python3-django-anymail
Architecture: source all
Version: 1.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Description:
 python-django-anymail - Django email backend for multiple ESPs (Python 2)
 python3-django-anymail - Django email backend for multiple ESPs (Python 3)
Closes: 890097
Changes:
 django-anymail (1.4-1) unstable; urgency=high
 .
   * New upstream release (Closes: #890097)
     - Fixes new WEBHOOK_AUTHORIZATION secret security issue (CVE pending)
   * Update Vcs-* for move to salsa.d.o
   * Bump standards-version to 4.1.3 without further change
   * Added missing disclaimer on why django-anymail is in contrib




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#890097; Package src:django-anymail. (Fri, 23 Feb 2018 07:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 23 Feb 2018 07:24:02 GMT) (full text, mbox, link).


Message #15 received at 890097@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <debian@kitterman.com>
To: 890097@bugs.debian.org
Subject: Re: src:django-anymail: New, minor WEBHOOK_AUTHORIZATION security issue
Date: Fri, 23 Feb 2018 02:21:37 -0500
On Sun, 11 Feb 2018 01:08:01 -0500 Scott Kitterman <debian@kitterman.com> wrote:
> Package: src:django-anymail
> Version: 0.8-2
> Severity: important
> Tags: upstream,security
> 
> Security fix
> 
> This fixes a low severity security issue affecting Anymail v0.2–v1.3. (CVE
> Pending)
> 
> Django error reporting includes the value of your Anymail
> WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this
> should not be cause for concern. But if you have somehow exposed your Django
> error reports (e.g., by mis-deploying with DEBUG=True or by sending error
> reports through insecure channels), anyone who gains access to those reports
> could discover your webhook shared secret. An attacker could use this to post
> fabricated or malicious Anymail tracking/inbound events to your app, if you
> are using those Anymail features.
> 
> The fix renames Anymail's webhook shared secret setting so that Django's error
> reporting mechanism will sanitize it.
> 
> If you are using Anymail's event tracking and/or inbound webhooks, you should
> upgrade to this release and change "WEBHOOK_AUTHORIZATION" to "WEBHOOK_SECRET"
> in the ANYMAIL section of your settings.py. You may also want to rotate the
> shared secret value, particularly if you have ever exposed your Django error
> reports to untrusted individuals.
> 
> If you are only using Anymail's EmailBackends for sending email and have not
> set up Anymail's webhooks, this issue does not affect you.
> 
> The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but
> will issue a system-check warning when running most Django management
> commands. It will be removed completely in a near-future release, as a
> breaking change.
> 
> Thanks to Charlie DeTar (@yourcelf) for responsibly reporting this security
> issue through private channels.
> 
> https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
> 
> Given that the fix for this is problematic from a backward compatibility
> perspective and that it requires a misconfigured django app before it is a
> problem, recommend No DSA for the security team.

This is now assigned CVE-2018-1000089.

https://github.com/anymail/django-anymail/releases/tag/v1.4

Scott K



Changed Bug title to 'django-anymail: CVE-2018-1000089: WEBHOOK_AUTHORIZATION secret disclosure when debug enabled' from 'src:django-anymail: New, minor WEBHOOK_AUTHORIZATION security issue'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 15:21:06 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 15:21:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#890097; Package src:django-anymail. (Sat, 10 Mar 2018 15:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 10 Mar 2018 15:24:03 GMT) (full text, mbox, link).


Message #24 received at 890097@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Scott Kitterman <debian@kitterman.com>, 890097@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#890097: src:django-anymail: New, minor WEBHOOK_AUTHORIZATION security issue
Date: Sat, 10 Mar 2018 16:21:14 +0100
Hi,

On Sun, Feb 11, 2018 at 01:08:01AM -0500, Scott Kitterman wrote:
> Given that the fix for this is problematic from a backward compatibility
> perspective and that it requires a misconfigured django app before it is a
> problem, recommend No DSA for the security team.

Scott, sorry we did not respond earlier. Yes agree, and marked it as
no-dsa.

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Apr 2018 07:37:55 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:08:49 2019; Machine Name: beach
