On Thu, Nov 08, 2018 at 11:51:49AM +0100, Lee Garrett wrote:
> Hi,
>
> sorry for the late response. CVE-2018-16837 should be fairly straight-forward
> to fix in stretch and jessie.
>
> For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
> it to the git stretch branch tomorrow (not on my work machine right now).
Thanks, can you ping us when ready?
> For CVE-2018-10874, it's not clear if it affects stable. The inventory module
> was completely rewritten in (IIRC) ansible 2.5, so it won't be a
> straight-forward patch.
I looked into this and 2.2.x in fact doesn't seem to be affected (as opposed to
2.4 onwards). I'll update the security tracker.
Cheers,
Moritz
