Comment 1 for bug 1939870

Alex Murray (alexmurray) wrote :

This RCE is only possible if an attacker can control the results from the whois server - which is not very likely IMO. Thus I don't think this is a high priority issue. Also since the fail2ban package is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures