Date: Sun, 4 Feb 2018 09:08:12 +0100
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: Anymail: CVE-2018-6596: timing attack on WEBHOOK_AUTHORIZATION secret


MITRE has assigned CVE-2018-6596 for the following issue in Anymail,
Django email backends for multiple ESPs:
> Prevent timing attack on WEBHOOK_AUTHORIZATION secret
>
> If you are using Anymail's tracking webhooks, you should upgrade to
> this release, and you may want to rotate to a new
> WEBHOOK_AUTHORIZATION shared secret (see docs). You should
> definitely change your webhook auth if your logs indicate attempted
> exploit.
>
> More information
>
> Anymail's webhook validation was vulnerable to a timing attack. An
> attacker could have used this to obtain your WEBHOOK_AUTHORIZATION
> shared secret, potentially allowing them to post fabricated or
> malicious email tracking events to your app.
>
> There have not been any reports of attempted exploit. (The
> vulnerability was discovered through code review.) Attempts would be
> visible in HTTP logs as a very large number of 400 responses on
> Anymail's webhook urls (by default "/anymail/esp_name/tracking/"),
> and in Python error monitoring as a very large number of
> AnymailWebhookValidationFailure exceptions.

There is the upstream fix for v1.3 and v1.2.1.
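
As an added illustration (this is not Anymail's code and not the upstream
fix), the block below shows the two halves of the advisory: why a secret
comparison that returns at the first mismatching byte leaks the secret to
a remote attacker, with hmac.compare_digest as the constant-time
replacement (also accepting an old and a new secret at once, so a rotation
does not reopen the side channel), and a scan of access-log lines for the
flood of 400 responses on the webhook URL that the release notes say an
attack would produce. It assumes the secret arrives as HTTP Basic
credentials on the webhook URL; the secret values, client addresses and
log lines are constructed for the example.

```python
"""Added example, not Anymail's code: early-exit vs constant-time secret
comparison, rotation-friendly validation, and a log scan for failed
webhook authentication."""
import base64
import binascii
import hmac
import re
from collections import Counter
from typing import Iterable, Optional, Tuple


def leaky_equals(candidate: bytes, secret: bytes) -> Tuple[bool, int]:
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (match, bytes_compared). The count stands in for the running
    time of a naive comparison: it grows with the matching prefix, so an
    attacker who can time responses recovers the secret one byte at a
    time. Python's == on bytes/str is likewise not constant time.
    """
    if len(candidate) != len(secret):
        return False, 0
    for i, (a, b) in enumerate(zip(candidate, secret), start=1):
        if a != b:
            return False, i
    return True, len(secret)


def constant_time_equals(candidate: bytes, secret: bytes) -> bool:
    """hmac.compare_digest takes the same time wherever the inputs differ.
    It may still reveal that the lengths differ, which is acceptable for a
    high-entropy shared secret."""
    return hmac.compare_digest(candidate, secret)


def parse_basic_auth(header_value: str) -> Optional[str]:
    """Decode 'Authorization: Basic <base64>' into 'user:password'.
    Assumption for this example: the webhook secret is sent as Basic auth."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        return base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def validate_webhook_auth(header_value: Optional[str],
                          accepted_secrets: Iterable[str]) -> bool:
    """True if the presented credential matches any configured secret.
    Every secret is checked (no short-circuit) in constant time, so keeping
    old and new secrets valid during a rotation leaks nothing extra."""
    credential = parse_basic_auth(header_value or "")
    if credential is None:
        return False
    presented = credential.encode("utf-8")
    matched = False
    for secret in accepted_secrets:
        matched |= hmac.compare_digest(presented, secret.encode("utf-8"))
    return matched


# Constructed sample access-log lines (Combined Log Format); not real traffic.
# The path is the default webhook URL pattern quoted in the release notes.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2018:09:00:01 +0100] "POST /anymail/esp_name/tracking/ HTTP/1.1" 400 27
203.0.113.7 - - [04/Feb/2018:09:00:01 +0100] "POST /anymail/esp_name/tracking/ HTTP/1.1" 400 27
203.0.113.7 - - [04/Feb/2018:09:00:02 +0100] "POST /anymail/esp_name/tracking/ HTTP/1.1" 400 27
198.51.100.4 - - [04/Feb/2018:09:00:05 +0100] "POST /anymail/esp_name/tracking/ HTTP/1.1" 200 2
203.0.113.7 - - [04/Feb/2018:09:00:06 +0100] "GET /static/app.css HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) ')


def webhook_auth_failures(log_text: str, path_prefix: str = "/anymail/",
                          status: int = 400) -> Counter:
    """Count responses with `status` on webhook URLs, keyed by client IP.
    A very large count from one address is the brute-force signature the
    release notes describe: alert on it and rotate the secret."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["path"].startswith(path_prefix) and m["status"] == str(status):
            counts[m["ip"]] += 1
    return counts


if __name__ == "__main__":
    secret = b"s3cret"
    for guess in (b"xxxxxx", b"s3xxxx", b"s3cret"):
        print(guess, leaky_equals(guess, secret), constant_time_equals(guess, secret))
    print(webhook_auth_failures(SAMPLE_LOG))
```

The bytes_compared value returned by leaky_equals is what a timing attacker
measures indirectly: guesses that share a longer prefix with the secret take
measurably longer to reject, and averaging many requests per candidate byte
filters out network jitter. The hardened validator keeps the response time
independent of the guess, which is why the release notes only ask for a
rotation as a precaution rather than as a requirement.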

