Fedora has issued an advisory on July 12:
The issues are fixed upstream in 2.4.6, 2.5.6, and 2.6.1:
Mageia 5 and Mageia 6 are also affected.
ansible 2.7.0 pushed to cauldron
ansible 184.108.40.206 pushed to mga6 testing
Updated ansible package fixes security vulnerabilities:
It was found that inventory variables are loaded from current working directory
when running ad-hoc command which are under attacker's control, allowing to run
arbitrary code as a result (CVE-2018-10874).
It was found that ansible.cfg is being read from the current working directory,
which can be made to point to plugin or module paths that are under control of
the attacker. This could allow an attacker to execute arbitrary code
Updated packages in core/updates_testing: