Skip to content

v1.2.1

Compare
Choose a tag to compare
@medmunds medmunds released this 02 Feb 20:17

Security fix

This release fixes a moderate severity security issue affecting Anymail v0.2–v1.2:
Prevent timing attack on WEBHOOK_AUTHORIZATION secret (CVE-2018-6596)

If you are using Anymail's tracking webhooks, you should upgrade to this release, and you may want to rotate to a new WEBHOOK_AUTHORIZATION shared secret (see docs). You should definitely change your webhook auth if your logs indicate attempted exploit.

(If you are only sending email using an Anymail EmailBackend, and have not set up Anymail's event tracking webhooks, this issue does not affect you.)

More information

Anymail's webhook validation was vulnerable to a timing attack. A remote attacker could use this to obtain your WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to your app.

There have not been any reports of attempted exploit. (The vulnerability was discovered through code review.) Attempts would be visible in HTTP logs as a very large number of 400 responses on Anymail's webhook urls (by default "/anymail/esp_name/tracking/"), and in Python error monitoring as a very large number of AnymailWebhookValidationFailure exceptions.