Anymail: CVE-2018-6596: timing attack on WEBHOOK_AUTHORIZATION secret

[Salvatore Bonaccorso <carnil () debian org>]

Hi

MITRE has assigned CVE-2018-6596 for the following issue in Anymail, a
Django email backends for multiple ESPs:

https://github.com/anymail/django-anymail/releases/tag/v1.2.1
> Prevent timing attack on WEBHOOK_AUTHORIZATION secret
>
> If you are using Anymail's tracking webhooks, you should upgrade to
> this release, and you may want to rotate to a new
> WEBHOOK_AUTHORIZATION shared secret (see docs). You should
> definitely change your webhook auth if your logs indicate attempted
> exploit.
>
> More information
>
> Anymail's webhook validation was vulnerable to a timing attack. An
> attacker could have used this to obtain your WEBHOOK_AUTHORIZATION
> shared secret, potentially allowing them to post fabricated or
> malicious email tracking events to your app.
>
> There have not been any reports of attempted exploit. (The
> vulnerability was discovered through code review.) Attempts would be
> visible in HTTP logs as a very large number of 400 responses on
> Anymail's webhook urls (by default "/anymail/esp_name/tracking/"),
> and in Python error monitoring as a very large number of
> AnymailWebhookValidationFailure exceptions.

There is the upstream fix for v1.3
https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5
and v1.2.1
https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

Regards,
Salvatore