On Sat, Jun 20, 2026 at 02:29:25AM +0200, Lee Garrett wrote:
>...
> [ Tests ]
> Upstream has stellar CI tests; they add new tests for every bug they
> fix. The tests also pass when running against Debian via autopkgtest. On
> top of that, I manually tested my playbooks against my servers to check
> for any regressions.
>
> [ Risks ]
> The changes are upstream bugfix releases with accompanying tests.
>...
How has the CVE been reproduced and the fix been tested?
No tests are run at build time, and the test case for the CVE is
disabled in debci.
> The security fix itself is fairly small and targeted.
FTR, this is the CVE fix:
>...
> --- ansible-core-2.19.4/lib/ansible/utils/galaxy.py 2025-11-05
> 00:27:03.000000000 +0100
> +++ ansible-core-2.19.11/lib/ansible/utils/galaxy.py 2026-06-18
> 21:34:02.000000000 +0200
> @@ -72,7 +72,7 @@
> elif scm == 'hg':
> clone_cmd.append('--insecure')
>
> - clone_cmd.extend([src, name])
> + clone_cmd.extend(['--', src, name])
>
> run_scm_cmd(clone_cmd, tempdir)
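Review bot: the hunk carries no regression test, although that is the one thing that would answer the reproduction question above. The `--` inserted before `src` and `name` is an end-of-options marker, so a `src` value starting with a hyphen is handed to the clone command as a positional argument instead of being parsed as an option; a unit test that builds `clone_cmd` for a hyphen-prefixed `src` and asserts that `'--'` immediately precedes it in the list passed to `run_scm_cmd` would pin that behaviour and could be enabled in debci. The ordering is right as shown: the `hg` branch's `clone_cmd.append('--insecure')` still lands before the `--`, and any option appended after the separator would be taken as a positional argument.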
>...
cu
Adrian