Quick follow-up: I don't have a patch for CVE-2018-10875. However, the patch
in question I have is for CVE-2018-10855, which is already checked in on the
stretch branch of the packaging repo.

For some reason the security tracker has this CVE marked as "not affected",
although I could reproduce the issue on stretch.


On 08/11/2018 11:51, Lee Garrett wrote:
> Hi,
> 
> sorry for the late response. CVE-2018-16837 should be fairly straightforward
> to fix in stretch and jessie.
> 
> For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
> it to the git stretch branch tomorrow (not on my work machine right now).
> 
> For CVE-2018-10874, it's not clear if it affects stable. The inventory module
> was completely rewritten in (IIRC) ansible 2.5, so it won't be a
> straightforward patch.
> 
> Regards,
> Lee
> 
> On 07/11/2018 22:55, Moritz Mühlenhoff wrote:
>> On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
>>> Hi Ivo,
>>>
>>>> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
>>> [..]
>>>> - user module - do not pass ssh_key_passphrase on cmdline
>>>>   (CVE-2018-16837)
>>>
>>> Thanks for providing this and no problem that this wasn't in the
>>> changelog.
>>>
>>> Security team: This still affects stretch and jessie unless
>>> I'm missing something - would you like me to prepare an upload for
>>> stable? I'm happy to take the LTS side of things.
>>
>> We can fix that one in a DSA, but should also fix CVE-2018-10875
>> and CVE-2018-10874, then.
>>
>> Cheers,
>>         Moritz
>>
> 
