django-anymail (2.0-1) unstable; urgency=medium

  Breaking change: Drop support for WEBHOOK_AUTHORIZATION setting. If you are
  using webhooks and still have this Anymail setting, you must rename it to
  WEBHOOK_SECRET.

  This completes the fix for a low severity security issue affecting Anymail
  v0.2–v1.3. (CVE-2018-1000089).

  Django error reporting includes the value of your Anymail
  WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this
  should not be cause for concern. But if you have somehow exposed your Django
  error reports (e.g., by mis-deploying with DEBUG=True or by sending error
  reports through insecure channels), anyone who gains access to those reports
  could discover your webhook shared secret. An attacker could use this to
  post fabricated or malicious Anymail tracking/inbound events to your app,
  if you are using those Anymail features.

  The fix renames Anymail's webhook shared secret setting so that Django's
  error reporting mechanism will sanitize it.

  If you are using Anymail's event tracking and/or inbound webhooks, you must
  change "WEBHOOK_AUTHORIZATION" to "WEBHOOK_SECRET" in the ANYMAIL section of
  your settings.py. You may also want to rotate the shared secret value,
  particularly if you have ever exposed your Django error reports to untrusted
  individuals.

  If you are only using Anymail's EmailBackends for sending email and have not
  set up Anymail's webhooks, this issue does not affect you.

 -- Scott Kitterman <scott@kitterman.com>  Sun, 11 Mar 2018 03:44:33 -0400
