Source: ansible-core Version: 2.21.0-1 Severity: important Tags: security upstream Forwarded: https://github.com/ansible/ansible/pull/87070 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for ansible-core. CVE-2026-11332[0]: | A flaw was found in ansible-core. The ansible-galaxy role install | command processes dependency specifications from a role's | meta/requirements.yml file. Due to improper neutralization of | argument delimiters, a malicious role author can inject arbitrary | git configuration flags through the src field. This allows arbitrary | code execution on the machine of a user who installs the role via | ansible-galaxy role install. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-11332 https://www.cve.org/CVERecord?id=CVE-2026-11332 [1] https://bugzilla.redhat.com/show_bug.cgi?id=2485379 [2] https://github.com/ansible/ansible/pull/87070 [3] https://github.com/ansible/ansible/commit/edee59aa15abcc74d920bb3e9c3835ab8db05a2f Please adjust the affected versions in the BTS as needed. Regards, Salvatore
