Hello Lee, hello security team, I have been working on security updates of ansible in Stretch and my intention was to fix the remaining issues in Buster as well. However testing those upstream patches proved to be rather difficult in older releases. I believe it is generally possible to fix most of the unresolved vulnerabilities with targeted fixes but this requires some effort for both distributions. First of all, are there any plans to update Buster in the foreseeable future, is anyone working on that right now? I saw that newer versions of ansible were uploaded to stretch-, and buster- backports? What do you think of updating ansible in oldstable and stable instead, to fix the remaining security vulnerabilities properly? How big is the risk of breaking existing installations of ansible in oldstable and stable? I have successfully built ansible 2.9.16+dfsg-1.1 from Bullseye, there is only a minor problem with building the documentation, and it seems the same version should work in Stretch too. All in all, we could try to backport the latest version to older stable releases or we could walk a middle way and base the patches all on Buster or the newer buster-backports version or something in between. This would certainly reduce the maintenance costs in those older releases. What are your thoughts? Regards, Markus
Attachment:
signature.asc
Description: This is a digitally signed message part