[Python-modules-team] Bug#890097: src:django-anymail: New, minor WEBHOOK_AUTHORIZATION security issue

Scott Kitterman debian at kitterman.com
Fri Feb 23 07:21:37 UTC 2018 

On Sun, 11 Feb 2018 01:08:01 -0500 Scott Kitterman <debian at kitterman.com> 
wrote:
> Package: src:django-anymail
> Version: 0.8-2
> Severity: important
> Tags: upstream,security
> 
> Security fix
> 
> This fixes a low severity security issue affecting Anymail v0.2–v1.3. (CVE
> Pending)
> 
> Django error reporting includes the value of your Anymail
> WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this
> should not be cause for concern. But if you have somehow exposed your Django
> error reports (e.g., by mis-deploying with DEBUG=True or by sending error
> reports through insecure channels), anyone who gains access to those reports
> could discover your webhook shared secret. An attacker could use this to 
post
> fabricated or malicious Anymail tracking/inbound events to your app, if you
> are using those Anymail features.
> 
> The fix renames Anymail's webhook shared secret setting so that Django's 
error
> reporting mechanism will sanitize it.
> 
> If you are using Anymail's event tracking and/or inbound webhooks, you 
should
> upgrade to this release and change "WEBHOOK_AUTHORIZATION" to 
"WEBHOOK_SECRET"
> in the ANYMAIL section of your settings.py. You may also want to rotate the
> shared secret value, particularly if you have ever exposed your Django error
> reports to untrusted individuals.
> 
> If you are only using Anymail's EmailBackends for sending email and have not
> set up Anymail's webhooks, this issue does not affect you.
> 
> The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but
> will issue a system-check warning when running most Django management
> commands. It will be removed completely in a near-future release, as a
> breaking change.
> 
> Thanks to Charlie DeTar (@yourcelf) for responsibly reporting this security
> issue through private channels.
> 
> https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
> 
> Given that the fix for this is problematic from a backward compatility
> perspective and that it requires a misconfigured django app before it is a
> problem, recommend No DSA for the security team.

This is now assigned CVE-2018-1000089.

https://github.com/anymail/django-anymail/releases/tag/v1.4

Scott K

More information about the Python-modules-team mailing list