Hi, sorry for the late response. CVE-2018-16837 should be fairly straight-forward to fix in stretch and jessie.
For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push it to the git stretch branch tomorrow (not on my work machine right now).

For CVE-2018-10874, it's not clear if it affects stable. The inventory module was completely rewritten in (IIRC) ansible 2.5, so it won't be a straight-forward patch.

Regards,
Lee

On 07/11/2018 22:55, Moritz Mühlenhoff wrote:
> On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
>> Hi Ivo,
>>
>>> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
>> [..]
>>> - user module - do not pass ssh_key_passphrase on cmdline
>>> (CVE-2018-16837)
>>
>> Thanks for providing this and no problem that this wasn't in the
>> changelog.
>>
>> Security team: This still affects stretch and jessie as I unless
>> I'm missing something - would you like me to prepare an upload for
>> stable? I'm happy to take the LTS side of things.
>
> We can fix that one in a DSA, but should also fix CVE-2018-10875
> and CVE-2018-10874, then.
>
> Cheers,
> Moritz
>