Mitigate CVE-2024-0690.

The Makefile has been removed from the stable-2.14 branch.

.gitignore

@@ -26,64 +26,14 @@
 /ansible-core-2.14.2.tar.gz
 /ansible-core-2.14.3.tar.gz
 /ansible-core-2.14.4.tar.gz
-/ansible-core-2.15.0b3.tar.gz
-/ansible-core-2.15.0rc1.tar.gz
-/ansible-core-2.15.0rc2.tar.gz
-/ansible-core-2.15.0.tar.gz
-/ansible-core-2.15.1.tar.gz
-/ansible-core-2.15.2.tar.gz
-/ansible-documentation-2.15.2.tar.gz
-/ansible-core-2.15.3.tar.gz
-/ansible-documentation-2.15.3.tar.gz
-/ansible-core-2.15.4.tar.gz
-/ansible-documentation-2.15.4.tar.gz
-/ansible-core-2.16.0b1.tar.gz
-/ansible-documentation-2.16.0b1.tar.gz
-/ansible-core-2.16.0b2.tar.gz
-/ansible-documentation-2.16.0b2.tar.gz
-/ansible-core-2.16.0rc1.tar.gz
-/ansible-documentation-2.16.0rc1.tar.gz
-/ansible-core-2.16.0.tar.gz
-/ansible-documentation-2.16.0.tar.gz
-/ansible-core-2.16.1.tar.gz
-/ansible-documentation-2.16.1.tar.gz
-/ansible-core-2.16.2.tar.gz
-/ansible-documentation-2.16.2.tar.gz
-/ansible-core-2.16.3.tar.gz
-/ansible-documentation-2.16.3.tar.gz
-/ansible-core-2.16.4.tar.gz
-/ansible-documentation-2.16.4.tar.gz
-/ansible-core-2.16.5.tar.gz
-/ansible-documentation-2.16.5.tar.gz
-/ansible-core-2.16.6.tar.gz
-/ansible-documentation-2.16.6.tar.gz
-/ansible-core-2.16.7.tar.gz
-/ansible-documentation-2.16.7.tar.gz
-/ansible-core-2.16.8.tar.gz
-/ansible-documentation-2.16.8.tar.gz
-/ansible-core-2.16.9.tar.gz
-/ansible-documentation-2.16.9.tar.gz
-/ansible-core-2.16.10.tar.gz
-/ansible-documentation-2.16.10.tar.gz
-/ansible-core-2.16.11.tar.gz
-/ansible-documentation-2.16.11.tar.gz
-/ansible-core-2.16.12.tar.gz
-/ansible-documentation-2.16.12.tar.gz
-/ansible-core-2.18.0.tar.gz
-/ansible-documentation-2.18.0.tar.gz
-/ansible-core-2.18.1.tar.gz
-/ansible-documentation-2.18.1.tar.gz
-/ansible-core-2.18.3.tar.gz
-/ansible-documentation-2.18.3.tar.gz
-/ansible-core-2.18.4.tar.gz
-/ansible-documentation-2.18.4.tar.gz
-/ansible-core-2.18.6.tar.gz
-/ansible-documentation-2.18.6.tar.gz
-/ansible-core-2.18.7.tar.gz
-/ansible-documentation-2.18.7.tar.gz
-/ansible-core-2.18.9.tar.gz
-/ansible-documentation-2.18.9.tar.gz
-/ansible-core-2.18.11.tar.gz
-/ansible-documentation-2.18.11.tar.gz
-/ansible-core-2.20.1.tar.gz
-/ansible-documentation-2.20.1.tar.gz
+/ansible-core-2.14.5.tar.gz
+/ansible-core-2.14.6.tar.gz
+/ansible-core-2.14.7.tar.gz
+/ansible-core-2.14.8.tar.gz
+/ansible-documentation-2.14.8.tar.gz
+/ansible-core-2.14.9.tar.gz
+/ansible-documentation-2.14.9.tar.gz
+/ansible-core-2.14.10.tar.gz
+/ansible-documentation-2.14.10.tar.gz
+/ansible-core-2.14.11.tar.gz
+/ansible-documentation-2.14.11.tar.gz

.packit.yaml

@@ -1,30 +0,0 @@
-# See the documentation for more information:
-# https://packit.dev/docs/configuration/
-
-upstream_project_url: https://github.com/ansible/ansible
-upstream_tag_template: v{version}
-issue_repository: https://pagure.io/ansible-packit-issues
-create_sync_note: false
-# TODO: Remove pending https://fedoraproject.org/wiki/Changes/Ansible13
-upstream_tag_include: "v2.18"
-jobs:
-  - job: pull_from_upstream
-    trigger: release
-    dist_git_branches:
-      # Fast forward merge rawhide while it is held at v2.18.
-      rawhide:
-        fast_forward_merge_into:
-          - fedora-43
-          - fedora-42
-  - job: koji_build
-    trigger: commit
-    dist_git_branches:
-      - fedora-all
-    sidetag_group: "ansible"
-    dependents:
-      - ansible
-  # The update for the sidetag group is created in the ansible package.
-  # - job: bodhi_update
-  #   trigger: commit
-  #   dist_git_branches:
-  #     - rawhide

2.10.3-test-patch.patch

@@ -0,0 +1,17 @@
+diff --color -Nur ansible-base-2.10.3.orig/test/units/modules/test_async_wrapper.py ansible-base-2.10.3/test/units/modules/test_async_wrapper.py
+--- ansible-base-2.10.3.orig/test/units/modules/test_async_wrapper.py	2020-11-02 14:26:08.000000000 -0800
++++ ansible-base-2.10.3/test/units/modules/test_async_wrapper.py	2020-11-03 13:07:42.556005427 -0800
+@@ -22,11 +22,11 @@
+     def test_run_module(self, monkeypatch):
+ 
+         def mock_get_interpreter(module_path):
+-            return ['/usr/bin/python']
++            return ['/usr/bin/python3']
+ 
+         module_result = {'rc': 0}
+         module_lines = [
+-            '#!/usr/bin/python',
++            '#!/usr/bin/python3',
+             'import sys',
+             'sys.stderr.write("stderr stuff")',
+             "print('%s')" % json.dumps(module_result)

CVE-2024-0690.patch

@@ -0,0 +1,85 @@
+From beb04bc2642c208447c5a936f94310528a1946b1 Mon Sep 17 00:00:00 2001
+From: Matt Martz <matt@sivel.net>
+Date: Thu, 18 Jan 2024 17:17:23 -0600
+Subject: [PATCH] [stable-2.14] Ensure ANSIBLE_NO_LOG is respected
+ (CVE-2024-0690) (#82565) (#82568)
+
+(cherry picked from commit 6935c8e)
+---
+ changelogs/fragments/cve-2024-0690.yml            |  2 ++
+ lib/ansible/playbook/base.py                      |  2 +-
+ lib/ansible/playbook/play_context.py              |  4 ----
+ test/integration/targets/no_log/no_log_config.yml | 13 +++++++++++++
+ test/integration/targets/no_log/runme.sh          |  5 +++++
+ 5 files changed, 21 insertions(+), 5 deletions(-)
+ create mode 100644 changelogs/fragments/cve-2024-0690.yml
+ create mode 100644 test/integration/targets/no_log/no_log_config.yml
+
+diff --git a/changelogs/fragments/cve-2024-0690.yml b/changelogs/fragments/cve-2024-0690.yml
+new file mode 100644
+index 00000000000000..0e030d88864ca5
+--- /dev/null
++++ b/changelogs/fragments/cve-2024-0690.yml
+@@ -0,0 +1,2 @@
++security_fixes:
++- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
+diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
+index c772df11926d86..c3bce16ba48a52 100644
+--- a/lib/ansible/playbook/base.py
++++ b/lib/ansible/playbook/base.py
+@@ -722,7 +722,7 @@ class Base(FieldAttributeBase):
+ 
+     # flags and misc. settings
+     environment = FieldAttribute(isa='list', extend=True, prepend=True)
+-    no_log = FieldAttribute(isa='bool')
++    no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG)
+     run_once = FieldAttribute(isa='bool')
+     ignore_errors = FieldAttribute(isa='bool')
+     ignore_unreachable = FieldAttribute(isa='bool')
+diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
+index 90de929364974e..44914454357522 100644
+--- a/lib/ansible/playbook/play_context.py
++++ b/lib/ansible/playbook/play_context.py
+@@ -320,10 +320,6 @@ def set_task_and_variable_override(self, task, variables, templar):
+             display.warning('The "%s" connection plugin has an improperly configured remote target value, '
+                             'forcing "inventory_hostname" templated value instead of the string' % new_info.connection)
+ 
+-        # set no_log to default if it was not previously set
+-        if new_info.no_log is None:
+-            new_info.no_log = C.DEFAULT_NO_LOG
+-
+         if task.check_mode is not None:
+             new_info.check_mode = task.check_mode
+ 
+diff --git a/test/integration/targets/no_log/no_log_config.yml b/test/integration/targets/no_log/no_log_config.yml
+new file mode 100644
+index 00000000000000..8a5088059db424
+--- /dev/null
++++ b/test/integration/targets/no_log/no_log_config.yml
+@@ -0,0 +1,13 @@
++- hosts: testhost
++  gather_facts: false
++  tasks:
++    - debug:
++      no_log: true
++
++    - debug:
++      no_log: false
++
++    - debug:
++
++    - debug:
++      loop: '{{ range(3) }}'
+diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh
+index bb5c048fc9ab3f..8bfe019bb98289 100755
+--- a/test/integration/targets/no_log/runme.sh
++++ b/test/integration/targets/no_log/runme.sh
+@@ -19,3 +19,8 @@ set -eux
+ 
+ # test invalid data passed to a suboption
+ [ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ]
++
++# test variations on ANSIBLE_NO_LOG
++[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
++[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
++[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]

GALAXY_COLLECTIONS_PATH_WARNINGS.patch

@@ -0,0 +1,65 @@
+From 734f38b2594692707d1fd3cbcfc8dc8a677f4ee3 Mon Sep 17 00:00:00 2001
+From: Maxwell G <maxwell@gtmx.me>
+Date: Fri, 21 Apr 2023 07:29:10 -0500
+Subject: [PATCH] Add GALAXY_COLLECTIONS_PATH_WARNINGS option. (#78487)
+
+* Add GALAXY_COLLECTIONS_PATH_WARNING option.
+
+This allows users to disable warnings from `ansible-galaxy collection
+install` about `--collections-path` missing from Ansible's configured
+collections_paths.
+---
+ .../fragments/78487-galaxy-collections-path-warnings.yml | 6 ++++++
+ lib/ansible/cli/galaxy.py                                | 5 ++++-
+ lib/ansible/config/base.yml                              | 9 +++++++++
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 changelogs/fragments/78487-galaxy-collections-path-warnings.yml
+
+diff --git a/changelogs/fragments/78487-galaxy-collections-path-warnings.yml b/changelogs/fragments/78487-galaxy-collections-path-warnings.yml
+new file mode 100644
+index 00000000000000..4702e94f961d82
+--- /dev/null
++++ b/changelogs/fragments/78487-galaxy-collections-path-warnings.yml
+@@ -0,0 +1,6 @@
++---
++minor_changes:
++- >-
++  Add ``GALAXY_COLLECTIONS_PATH_WARNING`` option to disable the warning
++  given by ``ansible-galaxy collection install`` when installing a collection
++  to a path that isn't in the configured collection paths.
+diff --git a/lib/ansible/cli/galaxy.py b/lib/ansible/cli/galaxy.py
+index fc88137ff63604..0deb0331a582b9 100755
+--- a/lib/ansible/cli/galaxy.py
++++ b/lib/ansible/cli/galaxy.py
+@@ -1393,7 +1393,10 @@ def _execute_install_collection(
+         upgrade = context.CLIARGS.get('upgrade', False)
+ 
+         collections_path = C.COLLECTIONS_PATHS
+-        if len([p for p in collections_path if p.startswith(path)]) == 0:
++        if (
++            C.GALAXY_COLLECTIONS_PATH_WARNING
++            and len([p for p in collections_path if p.startswith(path)]) == 0
++        ):
+             display.warning("The specified collections path '%s' is not part of the configured Ansible "
+                             "collections paths '%s'. The installed collection will not be picked up in an Ansible "
+                             "run, unless within a playbook-adjacent collections directory." % (to_text(path), to_text(":".join(collections_path))))
+diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml
+index 052a8f0834e4ca..206deb76d2e916 100644
+--- a/lib/ansible/config/base.yml
++++ b/lib/ansible/config/base.yml
+@@ -1366,6 +1366,15 @@ GALAXY_COLLECTION_SKELETON_IGNORE:
+   ini:
+   - {key: collection_skeleton_ignore, section: galaxy}
+   type: list
++GALAXY_COLLECTIONS_PATH_WARNING:
++  name: "ansible-galaxy collection install colections path warnings"
++  description: "whether ``ansible-galaxy collection install`` should warn about ``--collections-path`` missing from configured :ref:`collections_paths`"
++  default: true
++  type: bool
++  env: [{name: ANSIBLE_GALAXY_COLLECTIONS_PATH_WARNING}]
++  ini:
++    - {key: collections_path_warning, section: galaxy}
++  version_added: "2.16"
+ # TODO: unused?
+ #GALAXY_SCMS:
+ #  name: Galaxy SCMS

ansible-core.spec

@@ -1,74 +1,83 @@
-# SPDX-License-Identifier: MIT
-# Copyright (C) Fedora Project Authors
-# License Text: https://spdx.org/licenses/MIT.html
-
-# several test dependencies are unwanted in RHEL
-%bcond tests %{undefined rhel}
-
-# controls whether to generate shell completions
-# may be useful for bootstrapping purposes
-%bcond argcomplete 1
-
+%bcond_without tests
 # disable the python -s shbang flag as we want to be able to find non system modules
 %undefine _py3_shebang_s
 
-Name:           ansible-core
-Version:        2.20.1
+Name: ansible-core
+Summary: A radically simple IT automation system
+Version: 2.14.11
 %global uversion %{version_no_tilde %{quote:%nil}}
-Release:        2%{?dist}
-Summary:        A radically simple IT automation system
-
+Release: 2%{?dist}
 # The main license is GPLv3+. Many of the files in lib/ansible/module_utils
 # are BSD licensed. There are various files scattered throughout the codebase
 # containing code under different licenses.
-# The ssh-agent helper code is BSD-3-Clause.
-License:        GPL-3.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND PSF-2.0 AND MIT AND Apache-2.0
-URL:            https://ansible.com
+License: GPL-3.0-or-later AND BSD-2-Clause AND PSF-2.0 AND MIT AND Apache-2.0
 
-Source0:        https://github.com/ansible/ansible/archive/v%{uversion}/%{name}-%{uversion}.tar.gz
-Source1:        https://github.com/ansible/ansible-documentation/archive/v%{uversion}/ansible-documentation-%{uversion}.tar.gz
+Source0: https://github.com/ansible/ansible/archive/v%{uversion}/%{name}-%{uversion}.tar.gz
+Source1: https://github.com/ansible/ansible-documentation/archive/v%{uversion}/ansible-documentation-%{uversion}.tar.gz
 
-BuildArch:      noarch
+Patch: https://github.com/ansible/ansible/commit/734f38b2594692707d1fd3cbcfc8dc8a677f4ee3.patch#/GALAXY_COLLECTIONS_PATH_WARNINGS.patch
+# urls - remove deprecated client key calls (#80751)
+# This is needed for Python 3.12, but we apply it unconditionally so
+# controllers running on older Fedora versions can still work with Python 3.12
+# F39+ targets.
+Patch: https://github.com/ansible/ansible/commit/0df794e5a4fe4597ee65b0d492fbf0d0989d5ca0.patch#/urls-remove-deprecated-client-key-calls.patch
+# Ensure ANSIBLE_NO_LOG is respected (CVE-2024-0690) (#82565) (#82568)
+Patch: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1.patch#/CVE-2024-0690.patch
+Url: https://ansible.com
+BuildArch: noarch
 
 # Virtual provides for bundled libraries
 # Search for `_BUNDLED_METADATA` to find them
 
+# lib/ansible/module_utils/urls.py
+# SPDX-License-Identifier: BSD-2-Clause AND PSF-2.0
+Provides: bundled(python3dist(backports-ssl-match-hostname)) = 3.7.0.1
+
 # lib/ansible/module_utils/distro/*
 # SPDX-License-Identifier: Apache-2.0
-Provides:       bundled(python3dist(distro)) = 1.9.0
+Provides: bundled(python3dist(distro)) = 1.6.0
 
 # lib/ansible/module_utils/six/*
 # SPDX-License-Identifier: MIT
-Provides:       bundled(python3dist(six)) = 1.17.0
+Provides: bundled(python3dist(six)) = 1.16.0
 
-# lib/ansible/_internal/_wrapt.py
-# SPDX-License-Identifier: BSD-2-Clause
-Provides:       bundled(python3dist(wrapt)) = 1.17.2
+# lib/ansible/module_utils/compat/selectors.py
+# SPDX-License-Identifier: GPL-3.0-or-later
+Provides: bundled(python3dist(selectors2)) = 1.1.1
 
-BuildRequires:  make
-BuildRequires:  python%{python3_pkgversion}-devel
-# This is only used in %%prep to relax the required setuptools version,
-# which is not necessary in RHEL 10+.
-# Not using it in RHEL avoids unwanted dependencies.
-%if %{undefined rhel}
-BuildRequires:  tomcli >= 0.3.0
-%endif
+# lib/ansible/module_utils/compat/ipaddress.py
+# SPDX-License-Identifier: PSF-2.0
+Provides: bundled(python3dist(ipaddress)) = 1.0.22
+
+Conflicts: ansible <= 2.9.99
+#
+# obsoletes/provides for ansible-base
+#
+Provides: ansible-base = %{version}-%{release}
+Obsoletes: ansible-base < 2.10.6-1
+
+BuildRequires: make
+BuildRequires: python%{python3_pkgversion}-devel
 # Needed to build manpages from source.
-BuildRequires:  python%{python3_pkgversion}-docutils
+BuildRequires: python%{python3_pkgversion}-docutils
+# Shell completions
+BuildRequires: python%{python3_pkgversion}-argcomplete
 
 %if %{with tests}
-BuildRequires:  git-core
-BuildRequires:  glibc-all-langpacks
-BuildRequires:  python%{python3_pkgversion}-systemd
+BuildRequires: git-core
+BuildRequires: glibc-all-langpacks
+BuildRequires: python%{python3_pkgversion}-systemd
+# test/units/modules/test_async_wrapper.py needs this.
+# Instead of patching the tests to use /usr/bin/python3,
+# just give it what it wants.
+BuildRequires: /usr/bin/python
 %endif
 
-%if %{with argcomplete}
-Requires:       python%{python3_pkgversion}-argcomplete
-%endif
-%if 0%{?fedora} >= 39
-BuildRequires:  python3-libdnf5
-Recommends:     python3-libdnf5
-%endif
+Requires: python%{python3_pkgversion}-argcomplete
+# Require packaging macros if rpm-build exists
+# This makes the transition seamless for other packages
+# This is DEPRECATED. Packages must explicitly BuildRequire ansible-packaging.
+Requires: (ansible-packaging if rpm-build)
 
 
 %global _description %{expand:
@@ -83,9 +92,9 @@ are transferred to managed machines automatically.}
 This is the base part of ansible (the engine).
 
 %package doc
-Summary:        Documentation for Ansible Core
-Provides:       ansible-base-doc = %{version}-%{release}
-Obsoletes:      ansible-base-doc < 2.10.6-1
+Summary: Documentation for Ansible Core
+Provides: ansible-base-doc = %{version}-%{release}
+Obsoletes: ansible-base-doc < 2.10.6-1
 
 %description doc %_description
 
@@ -94,13 +103,8 @@ This package installs extensive documentation for ansible-core
 
 %prep
 %autosetup -p1 -n ansible-%{uversion} -a1
-# Relax setuptools constraint on Fedora
-# Future RHELs have new enough setuptools
-%if %{undefined rhel}
-tomcli-set pyproject.toml lists replace \
-    'build-system.requires' 'setuptools >=.*' 'setuptools'
-%endif
 
+# ansible-test is executed directly by the Makefile, so we need to fix the shebang.
 sed -i -s 's|/usr/bin/env python|%{python3}|' \
     bin/ansible-test \
     test/lib/ansible_test/_util/target/cli/ansible_test_cli_stub.py
@@ -115,10 +119,6 @@ sed '/^mock$/d' test/lib/ansible_test/_data/requirements/units.txt > _requiremen
 
 %generate_buildrequires
 %pyproject_buildrequires %{?with_tests:_requirements.txt test/units/requirements.txt}
-%if %{with argcomplete}
-# Shell completions
-echo 'python%{python3_pkgversion}-argcomplete'
-%endif
 
 
 %build
@@ -128,8 +128,6 @@ echo 'python%{python3_pkgversion}-argcomplete'
 mkdir -p docs/man/man1
 %{python3} packaging/cli-doc/build.py man --output-dir docs/man/man1
 
-
-%if %{with argcomplete}
 # Build shell completions
 (
     cd bin
@@ -152,7 +150,6 @@ mkdir -p docs/man/man1
         done
     done
 )
-%endif
 
 
 %install
@@ -169,10 +166,8 @@ done < <(find \
     %{buildroot}%{python3_sitelib}/ansible/cli/scripts/ansible_connection_cli_stub.py \
         -type f ! -executable)
 
-%if %{with argcomplete}
 install -Dpm 0644 bash_completions/* -t %{buildroot}%{bash_completions_dir}
 install -Dpm 0644 fish_completions/* -t %{buildroot}%{fish_completions_dir}
-%endif
 
 # Create system directories that Ansible defines as default locations in
 # ansible/config/base.yml
@@ -228,22 +223,20 @@ install -Dpm 0644 licenses/* -t %{buildroot}%{_pkglicensedir}
 %check
 %if %{with tests}
 %{python3} bin/ansible-test \
-    units --local --python-interpreter %{python3} -vv
+    units --local --python-interpreter %{python3}
 %endif
 
 
 %files -f %{pyproject_files}
 %license COPYING
-%license %{_pkglicensedir}/{Apache-License,MIT-license,PSF-license,simplified_bsd,BSD-3-Clause}.txt
-%doc README.md changelogs/CHANGELOG-v2.2?.rst
+%license %{_pkglicensedir}/{Apache-License,MIT-license,PSF-license,simplified_bsd}.txt
+%doc README.md changelogs/CHANGELOG-v2.1?.rst
 %dir %{_sysconfdir}/ansible/
 %config(noreplace) %{_sysconfdir}/ansible/*
 %{_bindir}/ansible*
 %{_datadir}/ansible/
-%if %{with argcomplete}
 %{bash_completions_dir}/ansible*
 %{fish_completions_dir}/ansible*.fish
-%endif
 %{_mandir}/man1/ansible*
 
 %files doc
@@ -254,184 +247,34 @@ install -Dpm 0644 licenses/* -t %{buildroot}%{_pkglicensedir}
 
 
 %changelog
-* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 2.20.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
-
-* Tue Dec 09 2025 Maxwell G <maxwell@gtmx.me> - 2.20.1-1
-- Update to 2.20.1. Fixes rhbz#2382388.
-- Update bundled() Provides
-- Remove upstreamed patches
-- Remove old Provides and Obsoletes for ansible-base and Ansible <= 2.9
-
-* Mon Nov 17 2025 Packit <hello@packit.dev> - 2.18.11-1
-- Update to version 2.18.11
-
-* Sat Sep 27 2025 Maxwell G <maxwell@gtmx.me> - 2.18.9-1
-- Update to 2.18.9.
-
-* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 2.18.7-4
-- Rebuilt for Python 3.14.0rc3 bytecode
-
-* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 2.18.7-3
-- Rebuilt for Python 3.14.0rc2 bytecode
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2.18.7-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Wed Jul 16 2025 Maxwell G <maxwell@gtmx.me> - 2.18.7-1
-- Update to 2.18.7. Fixes rhbz#2380244.
-
-* Sat Jun 07 2025 Maxwell G <maxwell@gtmx.me> - 2.18.6-2
-- Add initial support for Python 3.14 (rhbz#2366307)
-
-* Sat Jun 07 2025 Maxwell G <maxwell@gtmx.me> - 2.18.6-1
-- Update to 2.18.6. Fixes rhbz#2354908.
-
-* Tue Jun 03 2025 Python Maint <python-maint@redhat.com> - 2.18.4-2
-- Rebuilt for Python 3.14
-
-* Tue Mar 25 2025 Packit <hello@packit.dev> - 2.18.4-1
-- Update to version 2.18.4
-- Resolves: rhbz#2354908
-
-* Mon Mar 17 2025 Packit <hello@packit.dev> - 2.18.3-1
-- Update to version 2.18.3
-- Resolves: rhbz#2342365
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2.18.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Wed Dec 04 2024 Maxwell G <maxwell@gtmx.me> - 2.18.1-1
-- Update to 2.18.1. Fixes rhbz#2330005.
-- dnf5 - backport support for automatically installing python3-libdnf5 (rhbz#2322751).
-
-* Tue Nov 26 2024 Maxwell G <maxwell@gtmx.me> - 2.18.0-1
-- Update to 2.18.0. Fixes rhbz#2282011.
-
-* Fri Oct 11 2024 Maxwell G <maxwell@gtmx.me> - 2.16.12-1
-- Update to 2.16.12.
-
-* Tue Sep 10 2024 Maxwell G <maxwell@gtmx.me> - 2.16.11-1
-- Update to 2.16.11.
-
-* Tue Aug 13 2024 Maxwell G <maxwell@gtmx.me> - 2.16.10-1
-- Update to 2.16.10.
-
-* Fri Jul 19 2024 Maxwell G <maxwell@gtmx.me> - 2.16.9-1
-- Update to 2.16.9.
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.16.8-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Sun Jun 23 2024 Maxwell G <maxwell@gtmx.me> - 2.16.8-1
-- Update to 2.16.8.
-
-* Sun Jun 09 2024 Python Maint <python-maint@redhat.com> - 2.16.7-2
-- Rebuilt for Python 3.13
-
-* Tue Jun 04 2024 Maxwell G <maxwell@gtmx.me> - 2.16.7-1
-- Update to 2.16.7.
-
-* Thu May 23 2024 Miro Hrončok <mhroncok@redhat.com> - 2.16.6-2
-- Fix build with Python 3.13
-
-* Tue Apr 16 2024 Maxwell G <maxwell@gtmx.me> - 2.16.6-1
-- Update to 2.16.6. Fixes rhbz#2261507.
-
-* Fri Mar 29 2024 Maxwell G <maxwell@gtmx.me> - 2.16.5-1
-- Update to 2.16.5. Fixes rhbz#2261507.
-
-* Fri Mar 29 2024 Maxwell G <maxwell@gtmx.me> - 2.16.5-1
-- Update to 2.16.5.
-
-* Sat Mar 02 2024 Maxwell G <maxwell@gtmx.me> - 2.16.4-1
-- Update to 2.16.4. Fixes rhbz#2261507.
-
-* Thu Feb 01 2024 Maxwell G <maxwell@gtmx.me> - 2.16.3-1
-- Update to 2.16.3. Fixes rhbz#2261507.
-
-* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.16.2-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.16.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Thu Jan 18 2024 Maxwell G <maxwell@gtmx.me> - 2.16.2-2
+* Fri Jan 19 2024 Maxwell G <maxwell@gtmx.me> - 2.14.11-2
 - Mitigate CVE-2024-0690.
 
-* Mon Dec 11 2023 Maxwell G <maxwell@gtmx.me> - 2.16.2-1
-- Update to 2.16.2. Fixes rhbz#2254093.
+* Thu Oct 12 2023 Maxwell G <maxwell@gtmx.me> - 2.14.11-1
+- Update to 2.14.11.
 
-* Wed Dec 06 2023 Maxwell G <maxwell@gtmx.me> - 2.16.1-1
-- Update to 2.16.1. Fixes rhbz#2252860.
+* Wed Sep 13 2023 Maxwell G <maxwell@gtmx.me> - 2.14.10-1
+- Update to 2.14.10.
 
-* Fri Nov 10 2023 Maxwell G <maxwell@gtmx.me> - 2.16.0-1
-- Update to 2.16.0. Fixes rhbz#2248187.
+* Sun Aug 20 2023 Maxwell G <maxwell@gtmx.me> - 2.14.9-1
+- Update to 2.14.9.
 
-* Thu Oct 19 2023 Maxwell G <maxwell@gtmx.me> - 2.16.0~rc1-1
-- Update to 2.16.0~rc1.
+* Tue Jul 18 2023 Maxwell G <maxwell@gtmx.me> - 2.14.8-1
+- Update to 2.14.8.
 
-* Tue Oct 03 2023 Maxwell G <maxwell@gtmx.me> - 2.16.0~b2-1
-- Update to 2.16.0~b2.
+* Mon Jul 10 2023 Maxwell G <maxwell@gtmx.me> - 2.14.7-2
+- Backport patch to make the `url` module_util compatible with Python 3.12
+  (Fedora 39+) hosts
 
-* Mon Oct 02 2023 Miro Hrončok <mhroncok@redhat.com> - 2.16.0~b1-2
-- Do not use tomcli in Fedora ELN, avoid pulling unwanted dependencies
+* Fri Jun 30 2023 Maxwell G <maxwell@gtmx.me> - 2.14.7-1
+- Update to 2.14.7.
 
-* Wed Sep 27 2023 Maxwell G <maxwell@gtmx.me> - 2.16.0~b1-1
-- Update to 2.16.0~b1.
-
-* Tue Sep 26 2023 Kevin Fenzi <kevin@scrye.com> - 2.15.4-2
-- Add patch to fix readfp with python-3.12. Fixes rhbz#2239728
-
-* Mon Sep 11 2023 Maxwell G <maxwell@gtmx.me> - 2.15.4-1
-- Update to 2.15.4. Fixes rhbz#2238445.
-
-* Thu Aug 17 2023 Maxwell G <maxwell@gtmx.me> - 2.15.3-1
-- Update to 2.15.3. Fixes rhbz#2231963.
-
-* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.15.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Tue Jul 18 2023 Maxwell G <maxwell@gtmx.me> - 2.15.2-1
-- Update to 2.15.2. Fixes rhbz#2223469.
-- Use the docs sources from https://github.com/ansible/ansible-documentation.
-
-* Mon Jul 03 2023 Maxwell G <maxwell@gtmx.me> - 2.15.1-2
-- Rebuilt for Python 3.12
-
-* Thu Jun 22 2023 Maxwell G <maxwell@gtmx.me> - 2.15.1-1
-- Update to 2.15.1. Fixes rhbz#2204492.
-- Add Recommends on python3-libdnf5 for Fedora 39
-
-* Sat Jun 17 2023 Maxwell G <maxwell@gtmx.me> - 2.15.0-5
-- Add patch to avoid importlib.abc.TraversableResources DeprecationWarning
-
-* Fri Jun 16 2023 Python Maint <python-maint@redhat.com> - 2.15.0-4
-- Rebuilt for Python 3.12
-
-* Tue Jun 13 2023 Maxwell G <maxwell@gtmx.me> - 2.15.0-3
-- Add support for Python 3.12. Fixes rhbz#2196539.
-- Remove conditional Requires on ansible-packaging.
-
-* Tue May 23 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 2.15.0-2
-- Disable tests in RHEL builds
-
-* Tue May 16 2023 Maxwell G <maxwell@gtmx.me> - 2.15.0-1
-- Update to 2.15.0.
+* Mon May 29 2023 Maxwell G <maxwell@gtmx.me> - 2.14.6-1
+- Update to 2.14.6.
 - Don't remove dotfiles and empty files. ansible-core actually needs these.
 
-* Wed May 03 2023 Maxwell G <maxwell@gtmx.me> - 2.15.0~rc2-1
-- Update to 2.15.0~rc2.
-
-* Thu Apr 27 2023 Maxwell G <maxwell@gtmx.me> - 2.15.0~rc1-1
-- Update to 2.15.0~rc1.
-
-* Mon Apr 24 2023 Maxwell G <maxwell@gtmx.me> - 2.15.0~b3-1
-- Update to 2.15.0~b3.
-- Account for the removed Makefile
-
-* Mon Apr 24 2023 Maxwell G <maxwell@gtmx.me> - 2.14.4-2
-- Add gating
+* Mon May 01 2023 Maxwell G <maxwell@gtmx.me> - 2.14.5-1
+- Update to 2.14.5. Fixes rhbz#2189287.
 
 * Wed Mar 29 2023 Maxwell G <maxwell@gtmx.me> - 2.14.4-1
 - Update to 2.14.4. Fixes rhbz#2173765.

sources

@@ -1,2 +1,2 @@
-SHA512 (ansible-core-2.20.1.tar.gz) = fa0a4836e3548cd4e432e87b241beb6fb556765699c25b1f3b1c47111a1c44d5ba3244aeb8793408e72ab63564d6e848148becbfb550bd965e466752d7f78229
-SHA512 (ansible-documentation-2.20.1.tar.gz) = 0dc20cb62280c715e4b06788a5eb2c757c388d0da646a38fc3ab56e38d236ddb0fd7586a567d973e530ed3ed2310ff26542cdb0e1621e0049147dc747e20205b
+SHA512 (ansible-core-2.14.11.tar.gz) = 4246b0fcab2e89ff2e905c582b03dc4c05a2db29aaac72d9ce75a88edeb0ba3a2b5baee2756adf19b98af5516db4c0dca96c46f8d30d0029cbb37232dc197ee2
+SHA512 (ansible-documentation-2.14.11.tar.gz) = 40261e647092048b398a825abcdcc0b7fed51cabdb0c3e1b5f403ecc36ee7c289f41fec5fe4065ff0b955cf24db56914d61749525922b36f6fc6e606c5e975ad

tests/smoke.sh

@@ -3,38 +3,15 @@
 set -euo pipefail
 
 ansible --version
-
-cat <<EOF >inventory
-[all]
-localhost ansible_connection=local
-EOF
-export ANSIBLE_INVENTORY=inventory
-
-chroot="fedora-rawhide-x86_64"
-
-ansible localhost -bm setup |& tee out
-
-if ! grep Fedora out; then
-    chroot="epel-9-x86_64"
-fi
-
-ansible localhost -b \
-    -m package \
-    -a name=filesystem \
-  |& tee out
-grep -F 'localhost | SUCCESS' out
-(! grep -F 'localhost | CHANGED' out)
-
-ansible localhost -b \
+ansible -c local -i localhost, localhost -m setup
+ansible -c local -i locahost, localhost -b \
     -m community.general.copr \
-    -a "name=gotmax23/community.general.copr_integration_tests chroot=${chroot}" \
+    -a "name=gotmax23/community.general.copr_integration_tests chroot=fedora-rawhide-x86_64" \
   |& tee out
-grep -F 'localhost | CHANGED' out
-
-ansible localhost -b \
+grep 'localhost | CHANGED' out
+ansible -c local -i localhost, localhost -b \
     -m package \
-    -a name=copr-module-integration-dummy-package \
+    -a name=copr-module-integration-dummy-package  \
   |& tee out
-grep -F 'localhost | CHANGED' out
-
+grep 'localhost | CHANGED' out
 rpm -ql copr-module-integration-dummy-package

tests/smoke1.fmf

@@ -6,7 +6,6 @@ discover:
       - name: Run tests/smoke.sh
         test: tests/smoke.sh
         require:
-          - python3
           - python3-dnf
           - dnf-plugins-core
           - ansible-core

tests/smoke2.fmf

@@ -6,7 +6,6 @@ discover:
       - name: Run tests/smoke.sh
         test: tests/smoke.sh
         require:
-          - python3
           - python3-dnf
           - dnf-plugins-core
           - ansible-core

urls-remove-deprecated-client-key-calls.patch

@@ -0,0 +1,154 @@
+From 0df794e5a4fe4597ee65b0d492fbf0d0989d5ca0 Mon Sep 17 00:00:00 2001
+From: Jordan Borean <jborean93@gmail.com>
+Date: Thu, 18 May 2023 08:17:25 +1000
+Subject: [PATCH] urls - remove deprecated client key calls (#80751)
+
+---
+ .../fragments/urls-client-cert-py12.yml       |  2 ++
+ lib/ansible/module_utils/urls.py              | 28 +++++++++++--------
+ test/units/module_utils/urls/test_Request.py  | 14 ++++------
+ 3 files changed, 24 insertions(+), 20 deletions(-)
+ create mode 100644 changelogs/fragments/urls-client-cert-py12.yml
+
+diff --git a/changelogs/fragments/urls-client-cert-py12.yml b/changelogs/fragments/urls-client-cert-py12.yml
+new file mode 100644
+index 00000000000000..aab129ed96e94b
+--- /dev/null
++++ b/changelogs/fragments/urls-client-cert-py12.yml
+@@ -0,0 +1,2 @@
++bugfixes:
++- urls.py - fixed cert_file and key_file parameters when running on Python 3.12 - https://github.com/ansible/ansible/issues/80490
+diff --git a/lib/ansible/module_utils/urls.py b/lib/ansible/module_utils/urls.py
+index 0e5fbb74c4fae2..0197d86e1033b2 100644
+--- a/lib/ansible/module_utils/urls.py
++++ b/lib/ansible/module_utils/urls.py
+@@ -535,15 +535,18 @@ def __init__(self, message, import_traceback, module=None):
+ UnixHTTPSConnection = None
+ if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler'):
+     class CustomHTTPSConnection(httplib.HTTPSConnection):  # type: ignore[no-redef]
+-        def __init__(self, *args, **kwargs):
++        def __init__(self, client_cert=None, client_key=None, *args, **kwargs):
+             httplib.HTTPSConnection.__init__(self, *args, **kwargs)
+             self.context = None
+             if HAS_SSLCONTEXT:
+                 self.context = self._context
+             elif HAS_URLLIB3_PYOPENSSLCONTEXT:
+                 self.context = self._context = PyOpenSSLContext(PROTOCOL)
+-            if self.context and self.cert_file:
+-                self.context.load_cert_chain(self.cert_file, self.key_file)
++
++            self._client_cert = client_cert
++            self._client_key = client_key
++            if self.context and self._client_cert:
++                self.context.load_cert_chain(self._client_cert, self._client_key)
+ 
+         def connect(self):
+             "Connect to a host on a given (SSL) port."
+@@ -564,10 +567,10 @@ def connect(self):
+             if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
+                 self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname)
+             elif HAS_URLLIB3_SSL_WRAP_SOCKET:
+-                self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE,  # pylint: disable=used-before-assignment
+-                                            certfile=self.cert_file, ssl_version=PROTOCOL, server_hostname=server_hostname)
++                self.sock = ssl_wrap_socket(sock, keyfile=self._client_key, cert_reqs=ssl.CERT_NONE,  # pylint: disable=used-before-assignment
++                                            certfile=self._client_cert, ssl_version=PROTOCOL, server_hostname=server_hostname)
+             else:
+-                self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL)
++                self.sock = ssl.wrap_socket(sock, keyfile=self._client_key, certfile=self._client_cert, ssl_version=PROTOCOL)
+ 
+     class CustomHTTPSHandler(urllib_request.HTTPSHandler):  # type: ignore[no-redef]
+ 
+@@ -602,10 +605,6 @@ def https_open(self, req):
+             return self.do_open(self._build_https_connection, req)
+ 
+         def _build_https_connection(self, host, **kwargs):
+-            kwargs.update({
+-                'cert_file': self.client_cert,
+-                'key_file': self.client_key,
+-            })
+             try:
+                 kwargs['context'] = self._context
+             except AttributeError:
+@@ -613,7 +612,7 @@ def _build_https_connection(self, host, **kwargs):
+             if self._unix_socket:
+                 return UnixHTTPSConnection(self._unix_socket)(host, **kwargs)
+             if not HAS_SSLCONTEXT:
+-                return CustomHTTPSConnection(host, **kwargs)
++                return CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs)
+             return httplib.HTTPSConnection(host, **kwargs)
+ 
+     @contextmanager
+@@ -979,7 +978,7 @@ def atexit_remove_file(filename):
+             pass
+ 
+ 
+-def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True):
++def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True, client_cert=None, client_key=None):
+     if ciphers is None:
+         ciphers = []
+ 
+@@ -1006,6 +1005,9 @@ def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True):
+     if ciphers:
+         context.set_ciphers(':'.join(map(to_native, ciphers)))
+ 
++    if client_cert:
++        context.load_cert_chain(client_cert, keyfile=client_key)
++
+     return context
+ 
+ 
+@@ -1514,6 +1516,8 @@ def open(self, method, url, data=None, headers=None, use_proxy=None,
+                 cadata=cadata,
+                 ciphers=ciphers,
+                 validate_certs=validate_certs,
++                client_cert=client_cert,
++                client_key=client_key,
+             )
+             handlers.append(HTTPSClientAuthHandler(client_cert=client_cert,
+                                                    client_key=client_key,
+diff --git a/test/units/module_utils/urls/test_Request.py b/test/units/module_utils/urls/test_Request.py
+index d2c4ea38012a49..a8bc3a0b6bde3b 100644
+--- a/test/units/module_utils/urls/test_Request.py
++++ b/test/units/module_utils/urls/test_Request.py
+@@ -33,6 +33,7 @@ def install_opener_mock(mocker):
+ def test_Request_fallback(urlopen_mock, install_opener_mock, mocker):
+     here = os.path.dirname(__file__)
+     pem = os.path.join(here, 'fixtures/client.pem')
++    client_key = os.path.join(here, 'fixtures/client.key')
+ 
+     cookies = cookiejar.CookieJar()
+     request = Request(
+@@ -46,8 +47,8 @@ def test_Request_fallback(urlopen_mock, install_opener_mock, mocker):
+         http_agent='ansible-tests',
+         force_basic_auth=True,
+         follow_redirects='all',
+-        client_cert='/tmp/client.pem',
+-        client_key='/tmp/client.key',
++        client_cert=pem,
++        client_key=client_key,
+         cookies=cookies,
+         unix_socket='/foo/bar/baz.sock',
+         ca_path=pem,
+@@ -68,8 +69,8 @@ def test_Request_fallback(urlopen_mock, install_opener_mock, mocker):
+         call(None, 'ansible-tests'),  # http_agent
+         call(None, True),  # force_basic_auth
+         call(None, 'all'),  # follow_redirects
+-        call(None, '/tmp/client.pem'),  # client_cert
+-        call(None, '/tmp/client.key'),  # client_key
++        call(None, pem),  # client_cert
++        call(None, client_key),  # client_key
+         call(None, cookies),  # cookies
+         call(None, '/foo/bar/baz.sock'),  # unix_socket
+         call(None, pem),  # ca_path
+@@ -358,10 +359,7 @@ def test_Request_open_client_cert(urlopen_mock, install_opener_mock):
+     assert ssl_handler.client_cert == client_cert
+     assert ssl_handler.client_key == client_key
+ 
+-    https_connection = ssl_handler._build_https_connection('ansible.com')
+-
+-    assert https_connection.key_file == client_key
+-    assert https_connection.cert_file == client_cert
++    ssl_handler._build_https_connection('ansible.com')
+ 
+ 
+ def test_Request_open_cookies(urlopen_mock, install_opener_mock):