Hi everyone,
In January I worked on backporting the patch for CVE-2024-11079 to
ansible/bullseye. Due to changes in the templating engine between ansible 2.10
(bullseye) and 2.16 (the oldest version that got an upstream backport) a
direct backport of the changes was not possible and elaborate debugging was
needed. Jochen and I spent some time last Thursday on debugging it and he agreed
to continue the work for this patch.
I evaluated CVE-2025-14010 and concluded that buster and older are not affected.
I also prepared fixes for the following CVEs in buster:
- CVE-2020-1737
- CVE-2023-4237
Thanks to our sponsors for financing this work, and to Freexian for
coordinating!
Regards,
Lee Garrett,
Debian LTS Team