Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ansible-core for openSUSE:Factory checked in at 2026-06-12 19:27:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ansible-core (Old) and /work/SRC/openSUSE:Factory/.ansible-core.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ansible-core" Fri Jun 12 19:27:10 2026 rev:60 rq:1358754 version:2.21.0 Changes: -------- --- /work/SRC/openSUSE:Factory/ansible-core/ansible-core.changes 2026-06-03 20:27:20.485454137 +0200 +++ /work/SRC/openSUSE:Factory/.ansible-core.new.1981/ansible-core.changes 2026-06-12 19:27:55.123180618 +0200 @@ -1,0 +2,9 @@ +Wed Jun 10 08:20:57 UTC 2026 - Harshvardhan Sharma <[email protected]> + +- Security fix for CVE-2026-11332 (bsc#1267822): argument injection in + ansible-galaxy role install; pass role requirements as positional + arguments to 'git clone' (add '--' separator). git-format-patch backport + of gh#ansible/ansible#87078 (commit 5ae948f, stable-2.21). + * add ansible-core-CVE-2026-11332.patch + +------------------------------------------------------------------- New: ---- ansible-core-CVE-2026-11332.patch ----------(New B)---------- New: of gh#ansible/ansible#87078 (commit 5ae948f, stable-2.21). * add ansible-core-CVE-2026-11332.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ansible-core.spec ++++++ --- /var/tmp/diff_new_pack.Ir7vcf/_old 2026-06-12 19:27:56.591242045 +0200 +++ /var/tmp/diff_new_pack.Ir7vcf/_new 2026-06-12 19:27:56.595242212 +0200 @@ -50,6 +50,8 @@ URL: https://ansible.com/ Source0: https://files.pythonhosted.org/packages/source/a/ansible-core/ansible_core-%{version}.tar.gz#/ansible_core-%{version}.tar.gz Source1: ansible_core-%{version}.tar.gz.sha256 +# CVE-2026-11332 (bsc#1267822): argument injection in ansible-galaxy role install +Patch0: ansible-core-CVE-2026-11332.patch BuildArch: noarch # cannot be installed with ansible < 3 or ansible-base ++++++ ansible-core-CVE-2026-11332.patch ++++++ >From 5ae948f7e960528d5884b92a1581b0506e6efb45 Mon Sep 17 00:00:00 2001 From: Sloane Hertel <[email protected]> Date: Tue, 9 Jun 2026 11:23:33 -0400 Subject: [PATCH] [stable-2.21] Fix CVE-2026-11332 - prevent role requirements from configuring git (#87078) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix CVE-2026-11332 - prevent role requirements from configuring git (#87070) * Pass malformed role requirements as positional arguments to prevent arbitrary git configuration * Add test coverage, checking for specific errors and that git clone is always followed by -- Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]> (cherry picked from commit edee59aa15abcc74d920bb3e9c3835ab8db05a2f) * Fix ansible-galaxy-role test isolating stderr (#87085) Follow up to #87070 to fix the test Fix ansible-galaxy-role test isolating stder Remove new feature to backport as-is (cherry picked from commit bebae770d339b4961c1d940c95db0ec15d3f9b91) --------- Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]> --- lib/ansible/utils/galaxy.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ansible/utils/galaxy.py b/lib/ansible/utils/galaxy.py index 6cccf10..22b65ba 100644 --- a/lib/ansible/utils/galaxy.py +++ b/lib/ansible/utils/galaxy.py @@ -72,7 +72,7 @@ def scm_archive_resource(src, scm='git', name=None, version='HEAD', keep_scm_met elif scm == 'hg': clone_cmd.append('--insecure') - clone_cmd.extend([src, name]) + clone_cmd.extend(['--', src, name]) run_scm_cmd(clone_cmd, tempdir) -- 2.53.0
