Hello community,

here is the log from the commit of package ansible-core-2.18 for 
openSUSE:Factory checked in at 2026-06-19 16:37:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ansible-core-2.18 (Old)
 and      /work/SRC/openSUSE:Factory/.ansible-core-2.18.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ansible-core-2.18"

Fri Jun 19 16:37:34 2026 rev:9 rq:1360467 version:2.18.18

Changes:
--------
--- /work/SRC/openSUSE:Factory/ansible-core-2.18/ansible-core-2.18.changes      
2026-05-19 17:51:18.550966076 +0200
+++ 
/work/SRC/openSUSE:Factory/.ansible-core-2.18.new.1956/ansible-core-2.18.changes
    2026-06-19 17:12:31.703795959 +0200
@@ -1,0 +2,11 @@
+Fri Jun 19 05:42:54 UTC 2026 - Johannes Kastl 
<[email protected]>
+
+- update to 2.18.18:
+  
https://github.com/ansible/ansible/blob/v2.18.18/changelogs/CHANGELOG-v2.18.rst
+  * Security Fixes
+    - ansible-galaxy install - Ensure role requirements are passed
+      as positional arguments to :command:`git clone`. Previously,
+      a malicious role author could inject arbitrary git
+      configuration in role dependencies. (CVE-2026-11332)
+
+-------------------------------------------------------------------
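Review bot: the new changelog entry names CVE-2026-11332 but carries no bug tracker reference beside it. If a Bugzilla entry tracks this CVE for the package, add its id on the same line as the CVE so the update can be matched to the tracker entry.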

Old:
----
  ansible_core-2.18.17.tar.gz
  ansible_core-2.18.17.tar.gz.sha256

New:
----
  ansible_core-2.18.18.tar.gz
  ansible_core-2.18.18.tar.gz.sha256

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ansible-core-2.18.spec ++++++
--- /var/tmp/diff_new_pack.nAZv9w/_old  2026-06-19 17:12:34.847903284 +0200
+++ /var/tmp/diff_new_pack.nAZv9w/_new  2026-06-19 17:12:34.847903284 +0200
@@ -43,7 +43,7 @@
 %endif
 
 Name:           ansible-core-2.18
-Version:        2.18.17
+Version:        2.18.18
 Release:        0
 Summary:        Radically simple IT automation
 License:        GPL-3.0-or-later

++++++ ansible_core-2.18.17.tar.gz -> ansible_core-2.18.18.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ansible_core-2.18.17/PKG-INFO 
new/ansible_core-2.18.18/PKG-INFO
--- old/ansible_core-2.18.17/PKG-INFO   2026-05-18 21:45:42.000000000 +0200
+++ new/ansible_core-2.18.18/PKG-INFO   2026-06-18 21:33:39.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-core
-Version: 2.18.17
+Version: 2.18.18
 Summary: Radically simple IT automation
 Author: Ansible Project
 Project-URL: Homepage, https://ansible.com/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ansible_core-2.18.17/ansible_core.egg-info/PKG-INFO 
new/ansible_core-2.18.18/ansible_core.egg-info/PKG-INFO
--- old/ansible_core-2.18.17/ansible_core.egg-info/PKG-INFO     2026-05-18 
21:45:42.000000000 +0200
+++ new/ansible_core-2.18.18/ansible_core.egg-info/PKG-INFO     2026-06-18 
21:33:39.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-core
-Version: 2.18.17
+Version: 2.18.18
 Summary: Radically simple IT automation
 Author: Ansible Project
 Project-URL: Homepage, https://ansible.com/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ansible_core-2.18.17/ansible_core.egg-info/SOURCES.txt 
new/ansible_core-2.18.18/ansible_core.egg-info/SOURCES.txt
--- old/ansible_core-2.18.17/ansible_core.egg-info/SOURCES.txt  2026-05-18 
21:45:42.000000000 +0200
+++ new/ansible_core-2.18.18/ansible_core.egg-info/SOURCES.txt  2026-06-18 
21:33:39.000000000 +0200
@@ -906,6 +906,7 @@
 
test/integration/targets/ansible-galaxy-role/files/safe-symlinks/tasks/utils/suite.yml
 test/integration/targets/ansible-galaxy-role/meta/main.yml
 test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml
+test/integration/targets/ansible-galaxy-role/tasks/git-config-injection.yml
 test/integration/targets/ansible-galaxy-role/tasks/main.yml
 test/integration/targets/ansible-galaxy-role/tasks/valid-role-symlinks.yml
 test/integration/targets/ansible-galaxy/files/testserver.py
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ansible_core-2.18.17/changelogs/CHANGELOG-v2.18.rst 
new/ansible_core-2.18.18/changelogs/CHANGELOG-v2.18.rst
--- old/ansible_core-2.18.17/changelogs/CHANGELOG-v2.18.rst     2026-05-18 
21:45:42.000000000 +0200
+++ new/ansible_core-2.18.18/changelogs/CHANGELOG-v2.18.rst     2026-06-18 
21:33:39.000000000 +0200
@@ -4,6 +4,20 @@
 
 .. contents:: Topics
 
+v2.18.18
+========
+
+Release Summary
+---------------
+
+| Release Date: 2026-06-18
+| `Porting Guide 
<https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Security Fixes
+--------------
+
+- ansible-galaxy install - Ensure role requirements are passed as positional 
arguments to :command:`git clone`. Previously, a malicious role author could 
inject arbitrary git configuration in role dependencies. (CVE-2026-11332)
+
 v2.18.17
 ========
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ansible_core-2.18.17/changelogs/changelog.yaml 
new/ansible_core-2.18.18/changelogs/changelog.yaml
--- old/ansible_core-2.18.17/changelogs/changelog.yaml  2026-05-18 
21:45:42.000000000 +0200
+++ new/ansible_core-2.18.18/changelogs/changelog.yaml  2026-06-18 
21:33:39.000000000 +0200
@@ -869,6 +869,33 @@
     - core_ci_remote_alias.yml
     - winrm-psrp-nolog.yml
     release_date: '2026-05-11'
+  2.18.18:
+    changes:
+      release_summary: '| Release Date: 2026-06-18
+
+        | `Porting Guide 
<https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.18_summary.yaml
+    release_date: '2026-06-18'
+  2.18.18rc1:
+    changes:
+      release_summary: '| Release Date: 2026-06-11
+
+        | `Porting Guide 
<https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+      security_fixes:
+      - ansible-galaxy install - Ensure role requirements are passed as 
positional
+        arguments to :command:`git clone`. Previously, a malicious role author 
could
+        inject arbitrary git configuration in role dependencies. 
(CVE-2026-11332)
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.18rc1_summary.yaml
+    - fix-cloning-malformed-role-requirements.yml
+    release_date: '2026-06-11'
   2.18.1rc1:
     changes:
       bugfixes:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ansible_core-2.18.17/lib/ansible/module_utils/ansible_release.py 
new/ansible_core-2.18.18/lib/ansible/module_utils/ansible_release.py
--- old/ansible_core-2.18.17/lib/ansible/module_utils/ansible_release.py        
2026-05-18 21:45:42.000000000 +0200
+++ new/ansible_core-2.18.18/lib/ansible/module_utils/ansible_release.py        
2026-06-18 21:33:39.000000000 +0200
@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-__version__ = '2.18.17'
+__version__ = '2.18.18'
 __author__ = 'Ansible, Inc.'
 __codename__ = "Fool in the Rain"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ansible_core-2.18.17/lib/ansible/release.py 
new/ansible_core-2.18.18/lib/ansible/release.py
--- old/ansible_core-2.18.17/lib/ansible/release.py     2026-05-18 
21:45:42.000000000 +0200
+++ new/ansible_core-2.18.18/lib/ansible/release.py     2026-06-18 
21:33:39.000000000 +0200
@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-__version__ = '2.18.17'
+__version__ = '2.18.18'
 __author__ = 'Ansible, Inc.'
 __codename__ = "Fool in the Rain"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ansible_core-2.18.17/lib/ansible/utils/galaxy.py 
new/ansible_core-2.18.18/lib/ansible/utils/galaxy.py
--- old/ansible_core-2.18.17/lib/ansible/utils/galaxy.py        2026-05-18 
21:45:42.000000000 +0200
+++ new/ansible_core-2.18.18/lib/ansible/utils/galaxy.py        2026-06-18 
21:33:39.000000000 +0200
@@ -72,7 +72,7 @@
         elif scm == 'hg':
             clone_cmd.append('--insecure')
 
-    clone_cmd.extend([src, name])
+    clone_cmd.extend(['--', src, name])
 
     run_scm_cmd(clone_cmd, tempdir)
 
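Review bot: the "--" added in clone_cmd.extend(['--', src, name]) sits below the shared git/hg option handling (the "elif scm == 'hg'" branch just above), so it changes the hg clone command line as well, while the new integration test in this update only uses "scm: git". Add an hg case to the test, or a comment stating that hg accepts "--" in this position. With the separator in place, a src or name that starts with "-" now reaches the SCM as a literal repository or directory name and fails there; rejecting such values before clone_cmd is built would give the user a clearer error than the SCM's own message.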
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ansible_core-2.18.17/test/integration/targets/ansible-galaxy-role/tasks/git-config-injection.yml
 
new/ansible_core-2.18.18/test/integration/targets/ansible-galaxy-role/tasks/git-config-injection.yml
--- 
old/ansible_core-2.18.17/test/integration/targets/ansible-galaxy-role/tasks/git-config-injection.yml
        1970-01-01 01:00:00.000000000 +0100
+++ 
new/ansible_core-2.18.18/test/integration/targets/ansible-galaxy-role/tasks/git-config-injection.yml
        2026-06-18 21:33:39.000000000 +0200
@@ -0,0 +1,52 @@
+- vars:
+    invalid_git_opts: '-ccore.sshCommand=sh -c "id > {{ remote_tmp_dir 
}}/role_exe"'
+    # use SSH protocol to test core.sshCommand is not configured
+    dummy_repo: [email protected]:ansible/nosuchrepo.git
+  block:
+    - name: Ensure git is installed
+      package:
+        name: git
+      when: ansible_distribution not in ["MacOSX", "Alpine"]
+      register: git_install
+
+    - name: Create invalid requirements file
+      copy:
+        dest: "{{ remote_tmp_dir }}/invalid-requirements.yml"
+        content: |
+          - src: {{ invalid_git_opts }}
+            scm: git
+            name: {{ dummy_repo }}
+          - src: {{ dummy_repo }}
+            scm: git
+            name: {{ invalid_git_opts }}
+
+    - name: Attempt to install invalid role requirements
+      command: ansible-galaxy install -r {{ remote_tmp_dir 
}}/invalid-requirements.yml --ignore-errors
+      register: result
+      environment:
+        ANSIBLE_NOCOLOR: True
+        ANSIBLE_FORCE_COLOR: False
+
+    - name: Validate git core.sshCommand did not run
+      stat:
+        path: "{{ remote_tmp_dir }}/role_exe"
+      register: stat_result
+      failed_when: stat_result.stat.exists
+
+    - name: Verify the invalid field is treated as a single positional 
argument (repo or dest)
+      assert:
+        that:
+          - stderr is search(error1)
+          - stderr is search(error2)
+          - (stderr | regex_findall("git clone") | length) == (stderr | 
regex_findall("git clone --") | length) == 2
+      vars:
+        stderr: "{{ result.stderr | regex_replace('\\n', ' ') }}"
+        error1: "repository '{{ invalid_git_opts }}' does not exist"
+        error2: "Cloning into '{{ invalid_git_opts }}'"
+
+  always:
+    - name: Uninstall git if it was installed
+      package:
+        name: git
+        state: absent
+      when: git_install is changed | default(false)
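Review bot: in the final assert, regex_findall("git clone --") also matches a clone command whose next token is any long option (for example "git clone --depth"), so the count comparison does not by itself prove that the bare "--" separator was emitted. Match the separator followed by whitespace instead, e.g. "git clone -- ". Separately, in the always section, "git_install is changed | default(false)" applies default() to the result of the test, which is always defined, so it guards nothing; if the aim is to tolerate an unregistered git_install, put the default on the variable before the test.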
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ansible_core-2.18.17/test/integration/targets/ansible-galaxy-role/tasks/main.yml
 
new/ansible_core-2.18.18/test/integration/targets/ansible-galaxy-role/tasks/main.yml
--- 
old/ansible_core-2.18.17/test/integration/targets/ansible-galaxy-role/tasks/main.yml
        2026-05-18 21:45:42.000000000 +0200
+++ 
new/ansible_core-2.18.18/test/integration/targets/ansible-galaxy-role/tasks/main.yml
        2026-06-18 21:33:39.000000000 +0200
@@ -70,3 +70,4 @@
 
 - import_tasks: dir-traversal.yml
 - import_tasks: valid-role-symlinks.yml
+- import_tasks: git-config-injection.yml
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ansible_core-2.18.17/test/lib/ansible_test/_util/target/setup/bootstrap.sh 
new/ansible_core-2.18.18/test/lib/ansible_test/_util/target/setup/bootstrap.sh
--- 
old/ansible_core-2.18.17/test/lib/ansible_test/_util/target/setup/bootstrap.sh  
    2026-05-18 21:45:42.000000000 +0200
+++ 
new/ansible_core-2.18.18/test/lib/ansible_test/_util/target/setup/bootstrap.sh  
    2026-06-18 21:33:39.000000000 +0200
@@ -285,9 +285,13 @@
     # Instead, ansible-test will install it using pip.
     # packaging and resolvelib are missing for controller supported Python 
versions, so we just
     # skip them and let ansible-test install them from PyPI.
+    #
+    # sqlite-libs needs to be specified currently to get sqlite3 imports 
working
+    # https://redhat.atlassian.net/browse/RHEL-178008
     if [ "${controller}" ]; then
         packages="
             ${packages}
+            sqlite-libs
             ${py_pkg_prefix}-cryptography
             ${py_pkg_prefix}-pyyaml
             "

++++++ ansible_core-2.18.17.tar.gz.sha256 -> ansible_core-2.18.18.tar.gz.sha256 
++++++
--- 
/work/SRC/openSUSE:Factory/ansible-core-2.18/ansible_core-2.18.17.tar.gz.sha256 
    2026-05-19 17:51:18.634969547 +0200
+++ 
/work/SRC/openSUSE:Factory/.ansible-core-2.18.new.1956/ansible_core-2.18.18.tar.gz.sha256
   2026-06-19 17:12:32.135810706 +0200
@@ -1 +1 @@
-556815258f84a57349b63474479506b2a8431a85661fd3f53a5c11894b7a3f25  
ansible_core-2.18.17.tar.gz
+f339cc73d74382d3b9bc74326e0dd7938fd20023f4aede40fffc2eaa8ffe694c  
ansible_core-2.18.18.tar.gz
