Date: Sun, 4 Feb 2018 09:08:12 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: Anymail: CVE-2018-6596: timing attack on WEBHOOK_AUTHORIZATION secret

Hi

MITRE has assigned CVE-2018-6596 for the following issue in Anymail, a
Django email backend for multiple ESPs:

https://github.com/anymail/django-anymail/releases/tag/v1.2.1

> Prevent timing attack on WEBHOOK_AUTHORIZATION secret
>
> If you are using Anymail's tracking webhooks, you should upgrade to
> this release, and you may want to rotate to a new
> WEBHOOK_AUTHORIZATION shared secret (see docs). You should
> definitely change your webhook auth if your logs indicate attempted
> exploit.
>
> More information
>
> Anymail's webhook validation was vulnerable to a timing attack. An
> attacker could have used this to obtain your WEBHOOK_AUTHORIZATION
> shared secret, potentially allowing them to post fabricated or
> malicious email tracking events to your app.
>
> There have not been any reports of attempted exploit. (The
> vulnerability was discovered through code review.) Attempts would be
> visible in HTTP logs as a very large number of 400 responses on
> Anymail's webhook urls (by default "/anymail/esp_name/tracking/"),
> and in Python error monitoring as a very large number of
> AnymailWebhookValidationFailure exceptions.

There is the upstream fix for v1.3

https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5

and v1.2.1

https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

Regards,
Salvatore
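The two points of the advisory above, shown as an added example that is not Anymail's code and not part of the original post: a webhook shared-secret check written the vulnerable way (plain `==`, which stops at the first differing character) beside the hardened form (`hmac.compare_digest`), plus a small scan over access-log lines for the signature the release note says an attempt would leave (many 400 responses on the tracking webhook URL). Everything beyond the advisory is an assumption: that the secret is configured as `user:pass` pairs presented via HTTP Basic auth, the `WebhookValidationFailure` class standing in for Anymail's `AnymailWebhookValidationFailure`, the Common Log Format of the sample lines, and all sample values, which are constructed.

```python
"""Added example (not Anymail's code): constant-time webhook shared-secret
check, and a scan for the log pattern the CVE-2018-6596 advisory describes.

Assumptions (not from the advisory): secrets are "user:pass" strings sent as
HTTP Basic auth; access logs are in Common Log Format; all sample values are
constructed.
"""
import base64
import hmac
import re
from typing import Dict, Iterable, Optional


class WebhookValidationFailure(Exception):
    """Hypothetical stand-in for Anymail's AnymailWebhookValidationFailure."""


# Constructed sample secret; in a real deployment this comes from settings.
WEBHOOK_AUTHORIZATION = ["hookuser:s3cret-value"]


def basic_auth_header(credential: str) -> str:
    """Build the Authorization header value a webhook sender would present."""
    return "Basic " + base64.b64encode(credential.encode("utf-8")).decode("ascii")


def _parse_basic_auth(header: Optional[str]) -> Optional[str]:
    """Return the decoded 'user:pass' from a Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        return base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def credential_matches_vulnerable(presented: str, expected: str) -> bool:
    """The pattern the advisory warns about: str '==' returns as soon as one
    character differs, so response time correlates with how long a prefix of
    the secret was correct."""
    return presented == expected


def credential_matches(presented: str, expected: str) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of where the
    inputs differ (for equal lengths; a length mismatch is still reported
    early, which is why secrets should be long and random). Compare as bytes
    so both operands are the same type."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def validate_webhook_auth(headers: Dict[str, str],
                          secrets: Iterable[str] = WEBHOOK_AUTHORIZATION) -> bool:
    """Raise WebhookValidationFailure unless the request carries one of the
    configured secrets. Every configured secret is compared with no early
    exit, so timing does not reveal which entry (if any) matched."""
    presented = _parse_basic_auth(headers.get("Authorization"))
    if presented is None:
        raise WebhookValidationFailure("missing or malformed Authorization header")
    matched = False
    for secret in secrets:
        matched |= credential_matches(presented, secret)
    if not matched:
        raise WebhookValidationFailure("webhook authorization mismatch")
    return True


def webhook_response_status(headers: Dict[str, str]) -> int:
    """Status the webhook view would return: 400 on a validation failure, as
    the advisory describes, otherwise 200."""
    try:
        validate_webhook_auth(headers)
    except WebhookValidationFailure:
        return 400
    return 200


# Common Log Format request line and status: "METHOD /path HTTP/x.y" NNN
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def count_webhook_auth_failures(log_lines: Iterable[str],
                                path_prefix: str = "/anymail/") -> Dict[str, int]:
    """Count 400 responses per Anymail tracking URL, the signature the advisory
    says a guessing attempt would leave in HTTP logs. Unrelated 400s are ignored."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or m.group("status") != "400":
            continue
        path = m.group("path")
        if path.startswith(path_prefix) and path.endswith("/tracking/"):
            counts[path] = counts.get(path, 0) + 1
    return counts


# Constructed sample access-log lines (CLF), using the default webhook URL
# pattern quoted in the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Feb/2018:09:00:01 +0100] "POST /anymail/esp_name/tracking/ HTTP/1.1" 400 27',
    '203.0.113.5 - - [04/Feb/2018:09:00:01 +0100] "POST /anymail/esp_name/tracking/ HTTP/1.1" 400 27',
    '198.51.100.9 - - [04/Feb/2018:09:00:02 +0100] "POST /anymail/esp_name/tracking/ HTTP/1.1" 200 2',
    '203.0.113.5 - - [04/Feb/2018:09:00:03 +0100] "GET /static/app.css HTTP/1.1" 400 0',
]
```

`credential_matches_vulnerable` and `credential_matches` return the same booleans for every input; the difference is only in how long they take, which is exactly the property the upstream fix changes. A threshold on the counts from `count_webhook_auth_failures` (per source address, per time window) is the natural alert to wire into monitoring, alongside the exception-count signal the advisory mentions.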