#1140412 trixie-pu: package ansible-core/2.19.11-0+deb13u1

#1140412#5
Date: 2026-06-20 00:29:25 UTC
Hello release team,

[ Reason ]
This is a bugfix update of ansible-core within the 2.19.x series,
rolling up the 2.19.5 through 2.19.11 upstream releases on top of the
2.19.4 currently in trixie.

Notably, 2.19.11 includes a security fix: ansible-galaxy install now ensures
role requirements are passed as positional arguments to `git clone`.
Previously, a malicious role author could inject arbitrary git configuration
in role dependencies (CVE-2026-11332, Closes: #1139175).

There are also two more security fixes in the 2.19.10 release that don't
have a CVE assigned (I'm in the process of poking upstream about this).

[ Impact ]
If not approved, users will be exposed to CVE-2026-11332 (+2 other
security issues) and will miss a number of bugfixes accumulated across
seven upstream point releases.

[ Tests ]
Upstream has stellar CI tests; they add new tests for every bug they
fix. The tests also pass when running against Debian via autopkgtest. On
top of that, I manually tested my playbooks against my servers to check
for any regressions.

[ Risks ]
The changes are upstream bugfix releases with accompanying tests. The bulk of
the diff is in ansible-test (test infrastructure: updated remote/container
images, new CI service endpoints) and does not affect the runtime that users
rely on. The security fix itself is fairly small and targeted.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream changes are all documented here:
https://github.com/ansible/ansible/blob/stable-2.19/changelogs/CHANGELOG-v2.19.rst
Every change in the code has a changelog entry. The relevant sections are
v2-19-5 through v2-19-11.

[ Other info ]
%

Greets,
Lee
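The bug class behind the CVE described in the message above (a role `src` field that begins with a dash being parsed by `git clone` as an option instead of a repository) is easy to see with a small model of git's argument parsing. The following is an added example written for this thread; it is not ansible-core's code and the function names, the `--config=core.sshCommand=true` value and the paths are all constructed. It builds the clone command line the naive way and the fixed way (with the `--` option terminator, which git honours so that everything after it is positional) and shows where the attacker-controlled field ends up in each case, plus the validation check a defender can apply to requirement files before installing anything.

```python
"""Added example (not from ansible-core or from this bug thread).

Models why a user-controlled repository string must reach `git clone` as a
positional argument, and what the `--` terminator changes. Function names
are hypothetical; all sample values are constructed.
"""
from typing import List, Tuple

# Constructed role requirement values. The `src` field is written by the
# role author, i.e. it is attacker-controlled from the installer's view.
HONEST_SRC = "https://example.com/roles/demo.git"      # constructed URL
MALICIOUS_SRC = "--config=core.sshCommand=true"        # constructed; 'true' is a no-op
DEST = "/tmp/demo-role"                                 # constructed destination


def clone_argv_unsafe(src: str, dest: str) -> List[str]:
    """argv as a naive installer builds it: src comes right after 'clone',
    so git is free to interpret a dash-prefixed src as an option."""
    return ["git", "clone", src, dest]


def clone_argv_safe(src: str, dest: str) -> List[str]:
    """argv with the '--' terminator: git treats every later token as a
    positional argument (repository, then destination), never as an option."""
    return ["git", "clone", "--", src, dest]


def parse_clone_argv(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Toy model of git's option parsing, enough to show what lands where.

    Before '--': tokens starting with '-' are options; '-c' and '--config'
    take their value from the following token. After '--': everything is
    positional. Returns (options, positionals) for the tokens after 'clone'.
    """
    options: List[str] = []
    positional: List[str] = []
    tokens = argv[2:]          # skip "git", "clone"
    terminated = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if terminated:
            positional.append(tok)
        elif tok == "--":
            terminated = True
        elif tok in ("-c", "--config"):
            # separate-value form: "-c key=value"
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            options.append(f"{tok}={value}")
            i += 1
        elif tok.startswith("-"):
            options.append(tok)   # attached-value form, e.g. "--config=key=value"
        else:
            positional.append(tok)
        i += 1
    return options, positional


def src_looks_like_option(src: str) -> bool:
    """Defensive pre-check for requirement files: a repository reference has
    no business starting with '-', whatever the clone command line looks like."""
    return src.startswith("-")


def injected_config(src: str, dest: str, safe: bool) -> List[str]:
    """Options git would see for a given src, with or without the fix."""
    argv = clone_argv_safe(src, dest) if safe else clone_argv_unsafe(src, dest)
    options, _ = parse_clone_argv(argv)
    return options


if __name__ == "__main__":
    for label, builder in (("unsafe", clone_argv_unsafe), ("safe", clone_argv_safe)):
        opts, pos = parse_clone_argv(builder(MALICIOUS_SRC, DEST))
        print(f"{label:6s} options={opts} positional={pos}")
    print("flagged by pre-check:", src_looks_like_option(MALICIOUS_SRC))
```

In the unsafe form the constructed `src` becomes a `--config` option and only the destination survives as a positional argument, which is exactly how role metadata could smuggle a `core.sshCommand` setting into the clone. With `--` in place the same string is handed to git as the repository name, the clone simply fails to find it, and no configuration is applied. The pre-check is an extra layer for anyone vetting third-party requirement files, not a replacement for the upstream fix.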

#1140412#12
Date: 2026-06-20 13:19:23 UTC
How has the CVE been reproduced and the fix been tested?

No tests are run at build time, and the test case for the CVE is
disabled in debci.

FTR, this is the CVE fix:

cu
Adrian

#1140412#17
Date: 2026-06-25 17:01:50 UTC
the test:

$ PYTHONPATH=./test/lib/ ansible-test integration ansible-galaxy-role
WARNING: Using locale "C.UTF-8" instead of "en_US.UTF-8". Tests which depend on
the locale may behave unexpectedly.
Running ansible-galaxy-role integration test role

PLAY [testhost] ****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [testhost]

TASK [setup_remote_tmp_dir : make sure we have the ansible_os_family and
ansible_distribution_version facts] ***
skipping: [testhost]

TASK [setup_remote_tmp_dir : include_tasks] ************************************
included:
/workspaces/ansible-core/test/results/.tmp/integration/ansible-galaxy-role-do9a_yyp-ÅÑŚÌβŁÈ/test/integration/targets/setup_remote_tmp_dir/tasks/default.yml
for testhost

TASK [setup_remote_tmp_dir : create temporary directory] ***********************
changed: [testhost]

TASK [setup_remote_tmp_dir : record temporary directory] ***********************
ok: [testhost]

TASK [ansible-galaxy-role : Create invalid requirements file] ******************
changed: [testhost]

TASK [ansible-galaxy-role : Attempt to install invalid role requirements] ******
changed: [testhost]

TASK [ansible-galaxy-role : Validate git core.sshCommand did not run] **********
ok: [testhost]

TASK [ansible-galaxy-role : Verify the invalid field is treated as a single
positional argument (repo or dest)] ***
ok: [testhost] => {
     "changed": false,
     "msg": "All assertions passed"
}

TASK [ansible-galaxy-role : Uninstall git if it was installed] *****************
skipping: [testhost]

RUNNING HANDLER [setup_remote_tmp_dir : delete temporary directory] ************
included:
/workspaces/ansible-core/test/results/.tmp/integration/ansible-galaxy-role-do9a_yyp-ÅÑŚÌβŁÈ/test/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml
for testhost

RUNNING HANDLER [setup_remote_tmp_dir : Ensure temporary directory has correct
perms to delete] ***
changed: [testhost]

RUNNING HANDLER [setup_remote_tmp_dir : delete temporary directory] ************
changed: [testhost]

PLAY RECAP *********************************************************************
testhost                   : ok=11   changed=5    unreachable=0    failed=0
skipped=2    rescued=0    ignored=0

WARNING: Reviewing previous 1 warning(s):
WARNING: Using locale "C.UTF-8" instead of "en_US.UTF-8". Tests which depend on
the locale may behave unexpectedly.

 > No tests are run at build time, and the test case for the CVE is
 > disabled in debci.

The integration test this test case is part of fails due to packaging issues
with setuptools, refer to:
https://github.com/ansible/ansible/issues/27105
https://github.com/pypa/setuptools/issues/415

Switching the upstream source in a stable update to fix the test issue is
overkill, so I won't do that.

Bye,
Lee