Quick follow-up: I don't have a patch for CVE-2018-10875. However, the patch in question I have is for CVE-2018-10855, which is already checked in on the stretch branch of the packaging repo.
For some reason the security tracker has this CVE marked as "not affected", although I could reproduce the issue on stretch.

On 08/11/2018 11:51, Lee Garrett wrote:
> Hi,
>
> sorry for the late response. CVE-2018-16837 should be fairly straight-forward
> to fix in stretch and jessie.
>
> For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
> it to the git stretch branch tomorrow (not on my work machine right now).
>
> For CVE-2018-10874, it's not clear if it affects stable. The inventory module
> was completely rewritten in (IIRC) ansible 2.5, so it won't be a
> straight-forward patch.
>
> Regards,
> Lee
>
> On 07/11/2018 22:55, Moritz Mühlenhoff wrote:
>> On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
>>> Hi Ivo,
>>>
>>>> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
>>> [..]
>>>> - user module - do not pass ssh_key_passphrase on cmdline
>>>> (CVE-2018-16837)
>>>
>>> Thanks for providing this and no problem that this wasn't in the
>>> changelog.
>>>
>>> Security team: This still affects stretch and jessie as I unless
>>> I'm missing something - would you like me to prepare an upload for
>>> stable? I'm happy to take the LTS side of things.
>>
>> We can fix that one in a DSA, but should also fix CVE-2018-10875
>> and CVE-2018-10874, then.
>>
>> Cheers,
>> Moritz