—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512
– ————————————————————————-
Debian Security Advisory DSA-4107-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 07, 2018 https://www.debian.org/security/faq
– ————————————————————————-
Package : django-anymail
CVE ID : CVE-2018-6596
Debian Bug : 889450
It was discovered that the webhook validation of Anymail, a Django email
backends for multiple ESPs, is prone to a timing attack. A remote
attacker can take advantage of this flaw to obtain a
WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.
For the stable distribution (stretch), this problem has been fixed in
version 0.8-2+deb9u1.
We recommend that you upgrade your django-anymail packages.
For the detailed security status of django-anymail please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/django-anymail
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp7dTRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QXHQ//Wg7cVA6F4jaTXbWJOWh7misVrTlw16sHiyF+qsc0oAmtOpqVuTMgtYXa
ClJKpme7TMsy8rVkb//cJCFrkz2KQ2YF2Rj7keH2QZqzYG8aU2aDOT8H6l8R7iS9
Fvwx37Pzf2O+NTOhWwuw3EPFoWnNmkfKDNwYIw3gW2pRxuTUuAR7DjEP1qjVsO83
o81VLnrjFVmyBEkfKpFGhfddYx3RnIK/XZiwJ+VAdx+J0F29x9+lmUqB7d7XeU2p
5NOWa6r14xnAQOgfEFU/edv6v6Dd4wo0tUT6k05MBTgex+yOuxaCiuiHKnvVIzhO
dGrHUpD/DG8b0//WPg4f39MeSHRr8bBuPs/lcqel5OpmyaIJf/1mekEA9jMZ+HEl
7+uOWbkLoNPo9IBLIqsDQ3L4FxP4rtJcmOr8oKcEjhhI8fda5Se/GTxAJCZax8WU
1cSOJRlEPX1CyryF9WPQuF+o4xrgAO92wa5MeLVK3HcCEQDAGpcpqyLnawp8eHoF
ZDoXzBFmUi7Qn8oxBjkjVGhdAinP6oPIRRmtCOSRn25/dQtPhZwAKA+F3E1IW+ZT
BOd3dUyoD8IdqASCvPd89RKUFItJ3cydtYPM0E0LVyum9LAzjY2mLCWiY3abNald
ATvIdVyPCBg4oCSgeO9WcK/44woT5r1sE7wBTDKmIcfjfrGPgiw=
=36tg
—–END PGP SIGNATURE—–