ESB-2018.0386 - [Win][UNIX/Linux][Debian] django-anymail: Access privileged data - Remote/unauthenticated 2018-02-08


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0386
                      django-anymail security update
                              8 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           django-anymail
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6596  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4107

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running django-anymail check for an updated version of the software
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4107-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 07, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : django-anymail
CVE ID         : CVE-2018-6596
Debian Bug     : 889450

It was discovered that the webhook validation of Anymail, a Django email
backend for multiple ESPs, is prone to a timing attack. A remote
attacker can take advantage of this flaw to obtain a
WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.
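
The following is an added illustration and is not code from Anymail, Debian
or AusCERT. It models the class of flaw the advisory describes: a webhook
secret checked with a comparison that stops at the first mismatching byte
leaks, through response time, how many leading bytes of the attacker's guess
are correct, and the secret can then be recovered one byte at a time. A
deterministic "work" counter stands in for the network timing an attacker
would measure. The secret value, the helper names and the attack alphabet are
assumptions for the example; the hardened variant uses the standard library's
hmac.compare_digest.

```python
"""Added example (not anymail's or Debian's code): how an early-exit secret
comparison in a webhook check leaks the secret, and why a constant-time
comparison does not. The 'work' counter is a deterministic stand-in for the
wall-clock time an attacker would measure over the network."""
import hmac

# Constructed sample WEBHOOK_AUTHORIZATION value, not a real deployment secret.
SECRET = b"user:s3cr3t"

# Printable ASCII: the attacker's guess alphabet for each secret byte.
ALPHABET = bytes(range(0x20, 0x7F))


def leaky_equals(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (match, bytes_examined). The second value models elapsed time:
    the longer the supplied value agrees with the secret, the more work
    (time) the check spends before rejecting it.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equals(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Comparison via hmac.compare_digest (what Django's
    django.utils.crypto.constant_time_compare wraps). The work done does not
    depend on where the first differing byte is, so the counter is always the
    full length and carries no information about the secret's content."""
    return hmac.compare_digest(expected, supplied), len(supplied)


def recover_secret(oracle, length: int) -> bytes:
    """Byte-at-a-time recovery against a timing oracle.

    `oracle(candidate)` returns (accepted, work). For each position the guess
    that makes the check do the most work (or is accepted outright, for the
    final byte) is taken as correct. The attacker is assumed to know the
    length; against the leaky check it can be found the same way, since a
    wrong length is rejected with zero work.
    """
    known = b""
    for pos in range(length):
        best_guess, best_score = None, (-1, False)
        for c in ALPHABET:
            # Pad with 0x00, which never matches a printable secret byte, so
            # a correct guess at `pos` is always followed by a mismatch.
            candidate = known + bytes([c]) + b"\x00" * (length - pos - 1)
            accepted, work = oracle(candidate)
            score = (work, accepted)
            if score > best_score:
                best_guess, best_score = c, score
        known += bytes([best_guess])
    return known


def attack(compare) -> bytes:
    """Run the recovery against a webhook check built on `compare`."""
    return recover_secret(lambda supplied: compare(SECRET, supplied), len(SECRET))


if __name__ == "__main__":
    print("leaky check         ->", attack(leaky_equals))
    print("constant-time check ->", attack(constant_time_equals))
```

Against leaky_equals the recovery returns the full secret; against
constant_time_equals every wrong guess costs the same work, so the attacker
learns nothing beyond accept/reject and the recovery yields garbage. In Django
code the equivalent of hmac.compare_digest is
django.utils.crypto.constant_time_compare. On a stretch host,
`dpkg-query -W -f='${Version}\n' django-anymail` shows the installed version;
anything that sorts before 0.8-2+deb9u1 under `dpkg --compare-versions` is
unfixed.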

For the stable distribution (stretch), this problem has been fixed in
version 0.8-2+deb9u1.

We recommend that you upgrade your django-anymail packages.

For the detailed security status of django-anymail please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/django-anymail

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
