Your message dated Thu, 18 Jun 2026 19:37:25 +0000
with message-id <[email protected]>
and subject line Bug#1139175: fixed in ansible-core 2.21.1~rc1-1
has caused the Debian Bug report #1139175,
regarding ansible-core: CVE-2026-11332
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139175
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ansible-core
Version: 2.21.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ansible/ansible/pull/87070
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ansible-core.
CVE-2026-11332[0]:
| A flaw was found in ansible-core. The ansible-galaxy role install
| command processes dependency specifications from a role's
| meta/requirements.yml file. Due to improper neutralization of
| argument delimiters, a malicious role author can inject arbitrary
| git configuration flags through the src field. This allows arbitrary
| code execution on the machine of a user who installs the role via
| ansible-galaxy role install.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-11332
https://www.cve.org/CVERecord?id=CVE-2026-11332
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2485379
[2] https://github.com/ansible/ansible/pull/87070
[3] https://github.com/ansible/ansible/commit/edee59aa15abcc74d920bb3e9c3835ab8db05a2f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
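A pre-install check for the flaw class named in the CVE text above (option-like values in a role dependency's `src`), as an added example that is not part of the bug report and is not the upstream fix. It assumes the dependency list has already been loaded with `yaml.safe_load()`; the function names, the scheme allow-list and the sample entries are hypothetical.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh", "git+https", "git+ssh"}  # assumed local policy
_BAD_CHARS = re.compile(r"[\s\x00-\x1f]")

def check_value(field, value):
    """Return reasons why one field could be read by git as an option."""
    problems = []
    text = str(value)
    if text.startswith("-"):
        problems.append(f"{field}: starts with '-'")
    if _BAD_CHARS.search(text):
        problems.append(f"{field}: contains whitespace or control characters")
    return problems

def audit_dependencies(entries):
    """entries: the list yaml.safe_load() returns for meta/requirements.yml."""
    findings = {}
    for index, entry in enumerate(entries):
        if isinstance(entry, str):  # short form: a bare role name or URL
            entry = {"src": entry}
        problems = []
        for field in ("src", "version", "name"):
            if field in entry:
                problems += check_value(field, entry[field])
        src = str(entry.get("src", ""))
        if "://" in src and urlsplit(src).scheme not in ALLOWED_SCHEMES:
            problems.append("src: scheme not in allow-list")
        if problems:
            findings[index] = problems
    return findings

def clone_argv(src, dest):
    """Build a git argv in which src can only be a positional argument."""
    if check_value("src", src):
        raise ValueError("refusing option-like src")
    return ["git", "clone", "--", src, dest]  # "--" ends option parsing

# Constructed sample, not taken from any real role.
SAMPLE = [
    {"src": "https://example.invalid/roles/web.git", "version": "v1.2.0"},
    {"src": "https://example.invalid/roles/db.git --constructed-option"},
    {"src": "-constructed-option", "name": "cache"},
    "galaxy_namespace.plain_role",
]

if __name__ == "__main__":
    for idx, reasons in audit_dependencies(SAMPLE).items():
        print(idx, reasons)
```

Running the audit over third-party roles before `ansible-galaxy role install` is a stopgap for hosts that cannot yet move to the fixed package version.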
--- Begin Message ---
Source: ansible-core
Source-Version: 2.21.1~rc1-1
Done: Lee Garrett <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ansible-core, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lee Garrett <[email protected]> (supplier of updated ansible-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Jun 2026 16:43:14 +0200
Source: ansible-core
Architecture: source
Version: 2.21.1~rc1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Lee Garrett <[email protected]>
Closes: 1139175
Changes:
 ansible-core (2.21.1~rc1-1) unstable; urgency=medium
 .
   * New upstream version 2.21.1~rc1
   * Fix CVE-2026-11332 (Closes: #1139175):
     - ansible-galaxy: a malicious role author could inject arbitrary git
       configuration in role dependencies.
   * Update PR for forwarded patch fixing integration test unarchive
   * Update meta-data for d/p/fix-integration-test-apt.patch
   * Upstream the CI test patch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---