Your message dated Sat, 03 Feb 2018 17:04:48 +0000
with message-id <e1ei1fa-000cb9...@fasolo.debian.org>
and subject line Bug#889450: fixed in django-anymail 1.3-1
has caused the Debian Bug report #889450,
regarding src:django-anymail: Security issue with timing attack on
WEBHOOK_AUTHORIZATION
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
889450: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889450
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:django-anymail
Version: 0.8-2
Severity: serious
Tags: security upstream
Justification: security
This affects 0.8-2 in stable and 1.2 in unstable:
https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b
Security: prevent timing attack on WEBHOOK_AUTHORIZATION secret
Anymail's webhook validation was vulnerable to a timing attack.
An attacker could have used this to recover your WEBHOOK_AUTHORIZATION
shared secret, potentially allowing them to post fabricated or malicious
email tracking events to your app.
There have not been any reports of attempted exploit in the wild. (The
vulnerability was discovered through code review.) Attempts would be
visible in http logs as a very large number of 400 responses on
Anymail's webhook urls, or in Python error monitoring as a very large
number of AnymailWebhookValidationFailure exceptions.
If you are using Anymail's webhooks, you should upgrade to this release.
In addition, you may want to rotate to a new WEBHOOK_AUTHORIZATION secret
([docs](http://anymail.readthedocs.io/en/stable/tips/securing_webhooks/#use-a-shared-authorization-secret)),
particularly if your logs indicate attempted exploit.
--- End Message ---
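As an added illustration (not code from django-anymail or the Debian package), the two comparison shapes the report above contrasts: a plain string equality that leaks timing, and the constant-time compare that closes the side channel. It assumes the secret is presented as HTTP Basic credentials of the form "user:password", that a failed check is signalled by an AnymailWebhookValidationFailure-style exception, and it uses the standard library's hmac.compare_digest in place of Django's constant_time_compare so it runs without Django; all names and values are constructed.

```python
import base64
import hmac

# Constructed stand-in for the app's WEBHOOK_AUTHORIZATION setting (value is made up).
WEBHOOK_AUTHORIZATION = "anymail:s3cr3t-webhook-token"

class WebhookValidationFailure(Exception):
    """Stand-in for Anymail's AnymailWebhookValidationFailure (assumed role)."""

def basic_credentials(authorization_header):
    """Decode an 'Authorization: Basic <b64>' header to 'user:password'; None if malformed."""
    scheme, _, b64 = (authorization_header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def validate_vulnerable(authorization_header):
    """Flawed shape: str == returns at the first mismatching byte, so the time taken to
    reject a guess grows with the length of its correct prefix (the timing side channel)."""
    creds = basic_credentials(authorization_header)
    if creds is None or creds != WEBHOOK_AUTHORIZATION:
        raise WebhookValidationFailure("webhook authorization check failed")
    return True

def validate_fixed(authorization_header):
    """Hardened shape: hmac.compare_digest takes time that does not depend on where the
    inputs differ (Django's constant_time_compare wraps the same primitive). Only the
    length of the secret can still be inferred, which is not a useful leak on its own."""
    creds = basic_credentials(authorization_header)
    expected = WEBHOOK_AUTHORIZATION.encode("utf-8")
    if creds is None or not hmac.compare_digest(creds.encode("utf-8"), expected):
        raise WebhookValidationFailure("webhook authorization check failed")
    return True

def basic_header(user_pass):
    """Build the header a legitimate sender presents for a 'user:password' secret."""
    return "Basic " + base64.b64encode(user_pass.encode("utf-8")).decode("ascii")

def rejects(validator, header):
    """True if the validator raises WebhookValidationFailure for this header."""
    try:
        validator(header)
    except WebhookValidationFailure:
        return True
    return False
```

Both validators accept the same correct header and reject the same wrong ones; the difference is only in how long a rejection takes, which is exactly what the fix removes as a signal.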
--- Begin Message ---
Source: django-anymail
Source-Version: 1.3-1
We believe that the bug you reported is fixed in the latest version of
django-anymail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 889...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated django-anymail
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 03 Feb 2018 11:23:43 -0500
Source: django-anymail
Binary: python-django-anymail python3-django-anymail
Architecture: source all
Version: 1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team
<python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
python-django-anymail - Django email backend for multiple ESPs (Python 2)
python3-django-anymail - Django email backend for multiple ESPs (Python 3)
Closes: 889450
Changes:
django-anymail (1.3-1) unstable; urgency=medium
.
* New upstream release (Closes: #889450)
- Includes security fix for timing attack on WEBHOOK_AUTHORIZATION secret
(no CVE assigned) as described in
https://github.com/anymail/django-anymail/releases/tag/v1.2.1
* Update debian/watch and debian/copyright to use secure URIs
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team