#1139175 ansible-core: CVE-2026-11332

Package: src:ansible-core
Source: src:ansible-core
Submitter: Salvatore Bonaccorso
Date: 2026-06-18 19:39:02 UTC
Severity: normal
#1139175#5
Date: 2026-06-06 19:19:08 UTC

Hi,

The following vulnerability was published for ansible-core.

CVE-2026-11332[0]:
| A flaw was found in ansible-core. The ansible-galaxy role install
| command processes dependency specifications from a role's
| meta/requirements.yml file. Due to improper neutralization of
| argument delimiters, a malicious role author can inject arbitrary
| git configuration flags through the src field. This allows arbitrary
| code execution on the machine of a user who installs the role via
| ansible-galaxy role install.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11332
    https://www.cve.org/CVERecord?id=CVE-2026-11332
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2485379
[2] https://github.com/ansible/ansible/pull/87070
[3] https://github.com/ansible/ansible/commit/edee59aa15abcc74d920bb3e9c3835ab8db05a2f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
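
A pre-install review aid for the issue described in the CVE text above, added here as an example; it is not code from ansible-core or from the upstream fix. It scans the text of a role's meta/requirements.yml for `src` values that contain whitespace or option-like tokens. The heuristics, the function names and the sample entries are assumptions constructed for illustration.

```python
import re

# A "src:" key in a role requirements entry, with or without the list dash.
SRC_LINE = re.compile(r"^\s*(?:-\s+)?src\s*:\s*(?P<value>.*?)\s*$")
# A token that a command-line parser would read as an option.
OPTION_TOKEN = re.compile(r"(?:^|\s)--?[A-Za-z]")

def _scalar(raw):
    """Return the YAML scalar text: unquote it, or drop a trailing comment."""
    quoted = re.match(r"""^(['"])(.*)\1\s*(?:#.*)?$""", raw)
    if quoted:
        return quoted.group(2)
    return re.sub(r"\s+#.*$", "", raw).strip()

def suspicious_src(value):
    """Heuristic (assumption): reasons a src value needs manual review."""
    reasons = []
    target = value[4:] if value.startswith("git+") else value
    if re.search(r"\s", value):
        reasons.append("whitespace can split the value into extra arguments")
    if OPTION_TOKEN.search(target):
        reasons.append("contains an option-like token")
    return reasons

def audit_requirements(text):
    """Return (line number, src value, reasons) for each flagged entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = SRC_LINE.match(line)
        if match:
            value = _scalar(match.group("value"))
            reasons = suspicious_src(value)
            if reasons:
                findings.append((lineno, value, reasons))
    return findings

# Constructed sample, not taken from any real role.
SAMPLE = """\
- src: git+https://git.example.invalid/roles/base.git
  version: "1.2.0"
- name: web
  src: "https://git.example.invalid/roles/web.git --example-flag=value"
  scm: git
- src: -x-example
"""

if __name__ == "__main__":
    for lineno, value, reasons in audit_requirements(SAMPLE):
        print(f"line {lineno}: {value!r}: {'; '.join(reasons)}")
```

The scan is line-based so it runs without a YAML library; it does not follow multi-line scalars or anchors, so a clean result is not proof that a file is safe.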

#1139175#12
Date: 2026-06-18 19:37:25 UTC

We believe that the bug you reported is fixed in the latest version of
ansible-core, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139175@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lee Garrett <debian@rocketjump.eu> (supplier of updated ansible-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 18 Jun 2026 16:43:14 +0200
Source: ansible-core
Architecture: source
Version: 2.21.1~rc1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Lee Garrett <debian@rocketjump.eu>
Closes: 1139175
Changes:
 ansible-core (2.21.1~rc1-1) unstable; urgency=medium
 .
   * New upstream version 2.21.1~rc1
   * Fix CVE-2026-11332 (Closes: #1139175):
     - ansible-galaxy: a malicious role author could inject arbitrary git
       configuration in role dependencies.
   * Update PR for forwarded patch fixing integration test unarchive
   * Update meta-data for d/p/fix-integration-test-apt.patch
   * Upstream the CI test patch