The fix made in Ansible for CVE-2019-10206 was not sufficient to resolve the problem.
For reference this is https://github.com/ansible/ansible/pull/63351 upstream.
Also note, the backports will be smaller. The fix in devel makes two changes which are independently sufficient to fix the problem. The backport will only include one of them.
Vulnerable code from CVE-2019-10206 was included in the version of Ansible shipped with Ceph and Gluster. Gluster uses the Ansible package from the Ansible repository and hence it will consume fixes from core Ansible. For Ceph-3 we still maintain Ansible, at least for Ubuntu; Ceph-2 is about to reach end of life in December 2019.
This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7. Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202
This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7. Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201
This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7; Red Hat Ansible Engine 2.8 for RHEL 8. Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7; Red Hat Ansible Engine 2 for RHEL 8. Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14856
Created ansible tracking bugs for this issue: Affects: epel-6 [bug 1775632]; Affects: epel-7 [bug 1775633]; Affects: fedora-all [bug 1775634]; Affects: openstack-rdo [bug 1775635]
RHOSP fixes will be consumed from platforms.
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens); Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS. Via RHSA-2020:0756 https://access.redhat.com/errata/RHSA-2020:0756
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship the `ansible` package; it is provided by the official Ansible repository.