-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4107-1 security@xxxxxxxxxx https://www.debian.org/security/ Salvatore Bonaccorso February 07, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : django-anymail CVE ID : CVE-2018-6596 Debian Bug : 889450 It was discovered that the webhook validation of Anymail, a Django email backends for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events. For the stable distribution (stretch), this problem has been fixed in version 0.8-2+deb9u1. We recommend that you upgrade your django-anymail packages. For the detailed security status of django-anymail please refer to its security tracker page at: https://security-tracker.debian.org/tracker/django-anymail Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp7dTRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0QXHQ//Wg7cVA6F4jaTXbWJOWh7misVrTlw16sHiyF+qsc0oAmtOpqVuTMgtYXa ClJKpme7TMsy8rVkb//cJCFrkz2KQ2YF2Rj7keH2QZqzYG8aU2aDOT8H6l8R7iS9 Fvwx37Pzf2O+NTOhWwuw3EPFoWnNmkfKDNwYIw3gW2pRxuTUuAR7DjEP1qjVsO83 o81VLnrjFVmyBEkfKpFGhfddYx3RnIK/XZiwJ+VAdx+J0F29x9+lmUqB7d7XeU2p 5NOWa6r14xnAQOgfEFU/edv6v6Dd4wo0tUT6k05MBTgex+yOuxaCiuiHKnvVIzhO dGrHUpD/DG8b0//WPg4f39MeSHRr8bBuPs/lcqel5OpmyaIJf/1mekEA9jMZ+HEl 7+uOWbkLoNPo9IBLIqsDQ3L4FxP4rtJcmOr8oKcEjhhI8fda5Se/GTxAJCZax8WU 1cSOJRlEPX1CyryF9WPQuF+o4xrgAO92wa5MeLVK3HcCEQDAGpcpqyLnawp8eHoF ZDoXzBFmUi7Qn8oxBjkjVGhdAinP6oPIRRmtCOSRn25/dQtPhZwAKA+F3E1IW+ZT BOd3dUyoD8IdqASCvPd89RKUFItJ3cydtYPM0E0LVyum9LAzjY2mLCWiY3abNald ATvIdVyPCBg4oCSgeO9WcK/44woT5r1sE7wBTDKmIcfjfrGPgiw= =36tg -----END PGP SIGNATURE-----