Releases: HomeLabHD/ansible
2.20.4-v1
📦 ansible — v2.20.4-v1
Release type: prerelease • Commit: 55f8b19
Security: 🛡️ ❌ Critical — 2 critical and 6 high vulnerabilities detected
Image Availability
| Registry | Image | Tags |
|---|---|---|
| Docker Hub | docker.io/hlhd/ansible | 2.20.4-v1, latest |
Digest pull commands & supply chain artifacts
docker.io/hlhd/ansible
docker pull docker.io/hlhd/ansible@sha256:f0df38395070b024bf782e3890a49c6ea68647995e6f3409fba09c3899e2e47c
Highlights
- ci: revert skip-ci workflow rules — handled by StageFreight freshness guard
Notable Changes
Features
- add manifest-driven README, GitHub release sync, hvac + hashi_vault (SoFMeRight)
Bug Fixes
- ci: revert [skip ci] workflow rules — handled by StageFreight freshness guard (SoFMeRight)
- ci: allow tag pipelines through [skip ci] workflow rules (SoFMeRight)
- use forge backend for commits — uses GITLAB_TOKEN instead of CI job token (SoFMeRight)
- override docs.commit.add paths to match repo structure (SoFMeRight)
- narrator: remove details wrap from badges items — badges are already single-line (SoFMeRight)
- narrator: add details/summary wrap to Usage.md build-contents items (SoFMeRight)
- GitLab group casing PrPlanIT/HomeLabHD (SoFMeRight)
- remaining ansible-oci refs — build id, docs branding (SoFMeRight)
- rebrand refs — hlhd/ansible, HomeLabHD GitHub org (SoFMeRight)
- apk upgrade before install to patch zlib CVE-2026-22184 (SoFMeRight)
Refactoring
- rewrite CI catalog component templates (SoFMeRight)
Documentation
- refresh generated docs and badges [skip ci] (StageFreight-HomeLabHD) ×3
- restore per-section headings with details wrap on base image (SoFMeRight)
- consolidate image contents under single heading with inline badges (SoFMeRight)
- refresh narrator output — badges, versions renderer, details wrap (SoFMeRight)
- refresh generated docs and badges [skip ci] (SoFMeRight) ×9
CI/CD
- revert skip-ci workflow rules — handled by StageFreight freshness guard (SoFMeRight)
- retrigger mirror test (SoFMeRight)
- retrigger after deps update settled (SoFMeRight)
- retrigger with askpass auth (SoFMeRight)
- retrigger pipeline for fresh variable resolution (SoFMeRight)
- rename accessories to mirrors in sources config (SoFMeRight)
- add GitHub as accessory forge with git mirror sync (SoFMeRight)
- wire GitLab CI catalog component and fix template lint (SoFMeRight)
- narrator: replace hand-maintained tool/collection lists in Usage.md (SoFMeRight)
- adopt StageFreight GitLab CI skeleton (SoFMeRight)
- narrator: wrap all build-contents in details/summary, switch to badges (SoFMeRight)
- align stagefreight config with ansible versioning scheme (SoFMeRight)
Maintenance
- deps: update managed dependencies [skip ci] (StageFreight-HomeLabHD)
- deps: bump ansible-core 2.20.3 → 2.20.4 (SoFMeRight)
- narrator: restore shield vars in Docker badge (SoFMeRight)
Other Changes
- fix docker shield badge 404 — escape hyphen in repo name (SoFMeRight)
- consolidate components/ansible, integrate stagefreight, bump all deps (SoFMeRight)
- HomeLabHD org, hlhd Docker Hub, standardize OCI labels (SoFMeRight)
Security
🛡️ ❌ Critical — 2 critical and 6 high vulnerabilities detected
Vulnerability details (2 critical, 6 high, 27 medium, 4 low)
| Severity | CVE | Package | Installed | Fixed | Description |
|---|---|---|---|---|---|
| Critical | CVE-2026-33186 | google.golang.org/grpc | v1.79.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| Critical | GHSA-p77j-4mvh-x3m3 | google.golang.org/grpc | v1.79.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| High | CVE-2026-2673 | libcrypto3 | 3.5.5-r0 | — | Issue summary: An OpenSSL TLS 1.3 server may fail to nego... |
| High | CVE-2026-2673 | libssl3 | 3.5.5-r0 | — | Issue summary: An OpenSSL TLS 1.3 server may fail to nego... |
| High | CVE-2026-3805 | curl | 8.17.0-r1 | — | When doing a second SMB request to the same host again, c... |
| High | CVE-2026-27135 | nghttp2-libs | 1.68.0-r0 | — | nghttp2 is an implementation of the Hypertext Transfer Pr... |
| High | CVE-2026-4519 | python | 3.14.3 | — | The webbrowser.open() API would accept leading dashes in ... |
| High | GHSA-cvmj-47v9-35m9 | fuser | 0.13.0 | 0.16.0 | FUSE-Rust: Uninitalized memory read and leak caused by fu... |
| Medium | GHSA-c38w-74pg-36hr | rsa | 0.9.6 | — | Marvin Attack: potential key recovery through timing side... |
| Medium | CVE-2026-3644 | python | 3.14.3 | — | The fix for CVE-2026-0672, which rejected control charact... |
| Medium | CVE-2025-15366 | python | 3.14.3 | 3.15.0a6 | The imaplib module, when passed a user-controlled command... |
| Medium | CVE-2025-15367 | python | 3.14.3 | 3.15.0a6 | The poplib module, when passed a user-controlled command,... |
| Medium | CVE-2025-60876 | busybox | 1.37.0-r30 | — | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) ... |
| Medium | CVE-2025-60876 | busybox-binsh | 1.37.0-r30 | — | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) ... |
| Medium | CVE-2025-60876 | ssl_client | 1.37.0-r30 | — | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) ... |
| Medium | CVE-2016-2781 | coreutils | 9.8-r1 | — | chroot in GNU coreutils, when used with --userspec, allow... |
| Medium | CVE-2016-2781 | coreutils-env | 9.8-r1 | — | chroot in GNU coreutils, when used with --userspec, allow... |
| Medium | CVE-2016-2781 | coreutils-fmt | 9.8-r1 | — | chroot in GNU coreutils, when used with --userspec, allow... |
| Medium | CVE-2016-2781 | coreutils-sha512sum | 9.8-r1 | — | chroot in GNU coreutils, when used with --userspec, allow... |
| Medium | CVE-2026-1965 | curl | 8.17.0-r1 | — | libcurl can in some circumstances reuse the wrong connect... |
| Medium | CVE-2025-14819 | curl | 8.17.0-r1 | — | When doing TLS related transfers with reused easy or mult... |
| Medium | CVE-2025-15079 | curl | 8.17.0-r1 | — | When doing SSH-based transfers using either SCP or SFTP, ... |
| Medium | CVE-2025-14524 | curl | 8.17.0-r1 | — | When an OAuth2 bearer token is used for an HTTP(S) transf... |
| Medium | CVE-2026-4224 | python | 3.14.3 | — | When an Expat parser with a registered ElementDeclHandler... |
| Medium | CVE-2025-12781 | python | 3.14.3 | — | When passing data to the b64decode(), standard_b64decode(... |
| Medium | CVE-2026-3784 | curl | 8.17.0-r1 | — | curl would wrongly reuse an existing HTTP proxy connectio... |
| Medium | CVE-2026-2297 | python | 3.14.3 | — | The import hook in CPython that handles legacy *.pyc file... |
| Medium | GHSA-r6v5-fh4h-64xc | time | 0.3.23 | 0.3.47 | time vulnerable to stack exhaustion Denial of Service attack |
| Medium | CVE-2026-3783 | curl | 8.17.0-r1 | — | When an OAuth2 bearer token is used for an HTTP(S) transf... |
| Medium | GHSA-j4xf-2g29-59ph | tar | 0.4.43 | 0.4.45 | tar-rs unpack_in can chmod arbitrary directories by fol... |
| Medium | GHSA-gchp-q4r4-x4ff | tar | 0.4.43 | 0.4.45 | tar-rs incorrectly ignores PAX size headers if header siz... |
| Medium | CVE-2025-13034 | curl | 8.17.0-r1 | — | When using CURLOPT_PINNEDPUBLICKEY option with libcurl ... |
| Medium | CVE-2025-14017 | curl | 8.17.0-r1 | — | When doing multi-threaded LDAPS transfers (LDAP over TLS)... |
| Medium | GHSA-2rxc-gjrp-vjhx | anstream | 0.3.2 | 0.6.8 | Unsoundness in anstream |
| Medium | GHSA-4grx-2x9w-596c | rsa | 0.9.6 | — | Marvin Attack: potential key recovery through timing side... |
| Low | CVE-2025-15224 | curl | 8.17.0-r1 | — | When doing SSH-based transfers using either SCP or SFTP, ... |
| Low | GHSA-9c48-w39g-hm26 | rsa | 0.9.6 | 0.9.10 | rsa crate has potential panic on a prime being equal to 1 |
| Low | CVE-2025-13462 | python | 3.14.3 | — | The "tarfile" module would still apply normalization of A... |
| Low | CVE-2026-3479 | python | 3.14.3 | — | pkgutil.get_data() did not validate the resource argument... |
Full changelog
- [55f8b19] revert skip-ci workflow rules — handled by StageFreight freshness guard (SoFMeRight)
- [b361ff1] revert [skip ci] workflow rules — handled by StageFreight freshness guard (SoFMeRight)
- [415b847] allow tag pipelines through [skip ci] workflow rules (SoFMeRight)
- [5ecf07d] refresh generated docs and badges [skip ci] (StageFreight-HomeLabHD)
- [2861550] retrigger mirror test (SoFMeRight)
- [9b24fbc] refresh generated docs and badges [skip ci] (StageFreight-HomeLabHD)
- [6a781d3] retrigger after deps update settled (SoFMeRight)
- [e39d8bc] update managed dependencies [skip ci] (StageFreight-HomeLabHD)
- [e4a168f] retrigger with askpass auth (SoFMeRight)
- [9236cdc] refresh generated docs and badges [skip ci] (StageFreight-HomeLabHD)
- [1fcf767] retrigger pipeline for fresh variable resolution (SoFMeRight)
- [88988d9] use forge backend for commits — uses GITLAB_TOKEN instead of CI job token (SoFMeRight)
- [8d021cd] override docs.commit.add paths to match repo structure (SoFMeRight)
- [9463034] rename accessories to mirrors in sources config (SoFMeRight)
- [2c0f5c4] add GitHub as accessory forge with git mirror sync (SoFMeRight)
- [db632e3] rewrite CI catalog component templates (SoFMeRight)
- [587f115] wire GitLab CI catalog component and fix template lint (SoFMeRight)
- [ed04566] restore per-section headings with details wrap on base image (SoFMeRight)
- [ce90bb3] consolidate image contents under single heading with inline badges (SoFMeRight)
- [f3322d7] refresh narrator output — badges, versions renderer, details wrap (SoFMeRight)
- [3e17949] remove details wrap from badges items — badges are already single-line (SoFMeRight)
- ...