Tom Rini of Konsulko announced the latest release of U-Boot, including a bit of info about the two recent CVEs:
[…] I’m going to mention here as well that both CVE-2018-18439 and CVE-2018-18440 exist and are issues. As a community we’re still working on more robust fixes to them, but I want to thank Simon Goldschmidt for taking the lead on coming up with code changes for them. In the immediate term (and for older releases) note that the filesystem-based attack can be mitigated by passing a maximum size to the load command. […]
https://lists.denx.de/pipermail/u-boot/2018-November/347424.html
Wolfgang Denk of DENX has some stats about the release at:
https://lists.denx.de/pipermail/u-boot/2018-November/347506.html