From 00031d2d6f4ab36ccf5cef8e992a3e85b7f545de Mon Sep 17 00:00:00 2001 From: Matt Clay Date: Tue, 29 Oct 2024 11:49:59 -0700 Subject: [PATCH] New release v2.18.0rc2 (#84193) --- changelogs/CHANGELOG-v2.18.rst | 27 ++++++++++++++----- changelogs/changelog.yaml | 29 ++++++++++++++++----- changelogs/fragments/2.18.0rc2_summary.yaml | 3 +++ lib/ansible/release.py | 2 +- pyproject.toml | 2 +- 5 files changed, 49 insertions(+), 14 deletions(-) create mode 100644 changelogs/fragments/2.18.0rc2_summary.yaml diff --git a/changelogs/CHANGELOG-v2.18.rst b/changelogs/CHANGELOG-v2.18.rst index 76b27a1ef87..806b1da40fe 100644 --- a/changelogs/CHANGELOG-v2.18.rst +++ b/changelogs/CHANGELOG-v2.18.rst @@ -4,6 +4,27 @@ ansible-core 2.18 "Fool in the Rain" Release Notes .. contents:: Topics +v2.18.0rc2 +========== + +Release Summary +--------------- + +| Release Date: 2024-10-29 +| `Porting Guide `__ + +Security Fixes +-------------- + +- include_vars action - Ensure that result masking is correctly requested when vault-encrypted files are read. (CVE-2024-8775) +- task result processing - Ensure that action-sourced result masking (``_ansible_no_log=True``) is preserved. (CVE-2024-8775) +- user action won't allow ssh-keygen, chown and chmod to run on existing ssh public key file, avoiding traversal on existing symlinks (CVE-2024-9902). + +Bugfixes +-------- + +- user action will now require O(force) to overwrite the public part of an ssh key when generating ssh keys, as was already the case for the private part. + v2.18.0rc1 ========== 
@@ -115,7 +136,6 @@ Breaking Changes / Porting Guide -------------------------------- - Stopped wrapping all commands sent over SSH on a Windows target with a ``powershell.exe`` executable. This results in one less process being started on each command for Windows to improve efficiency, simplify the code, and make ``raw`` an actual raw command run with the default shell configured on the Windows sshd settings. This should have no affect on most tasks except for ``raw`` which now is not guaranteed to always be running in a PowerShell shell and from having the console output codepage set to UTF-8. To avoid this issue either swap to using ``ansible.windows.win_command``, ``ansible.windows.win_shell``, ``ansible.windows.win_powershell`` or manually wrap the raw command with the shell commands needed to set the output console encoding. -- assert - Nested templating may result in an inability for the conditional to be evaluated. See the porting guide for more information. - persistent connection plugins - The ``ANSIBLE_CONNECTION_PATH`` config option no longer has any effect. Deprecated Features @@ -140,11 +160,6 @@ Removed Features (previously deprecated) - play_context - remove deprecated PlayContext.verbosity property (https://github.com/ansible/ansible/issues/82945). - utils/listify - remove deprecated 'loader' argument from listify_lookup_plugin_terms API (https://github.com/ansible/ansible/issues/82949). -Security Fixes --------------- - -- templating - Address issues where internal templating can cause unsafe variables to lose their unsafe designation (CVE-2023-5764) - Bugfixes -------- diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml index fe057def212..cb82b67aeba 100644 --- a/changelogs/changelog.yaml +++ b/changelogs/changelog.yaml 
@@ -13,8 +13,6 @@ releases: swap to using ``ansible.windows.win_command``, ``ansible.windows.win_shell``, ``ansible.windows.win_powershell`` or manually wrap the raw command with the shell commands needed to set the output console encoding. - - assert - Nested templating may result in an inability for the conditional - to be evaluated. See the porting guide for more information. - persistent connection plugins - The ``ANSIBLE_CONNECTION_PATH`` config option no longer has any effect. bugfixes: @@ -351,9 +349,6 @@ releases: - play_context - remove deprecated PlayContext.verbosity property (https://github.com/ansible/ansible/issues/82945). - utils/listify - remove deprecated 'loader' argument from listify_lookup_plugin_terms API (https://github.com/ansible/ansible/issues/82949). - security_fixes: - - templating - Address issues where internal templating can cause unsafe variables - to lose their unsafe designation (CVE-2023-5764) codename: Fool in the Rain fragments: - 2.18.0b1_summary.yaml @@ -442,7 +437,6 @@ releases: - config_init_fix.yml - correct-callback-fqcn-old-style-action-invocation.yml - correct_connection_callback.yml - - cve-2023-5764.yml - darwin_facts.yml - delay_type.yml - deprecate-safe-evals.yml 
@@ -584,3 +578,26 @@ releases: - skip-implicit-flush_handlers-no-notify.yml - user_action_fix.yml release_date: '2024-10-14' + 2.18.0rc2: + changes: + bugfixes: + - user action will now require O(force) to overwrite the public part of an ssh + key when generating ssh keys, as was already the case for the private part. + release_summary: '| Release Date: 2024-10-29 + + | `Porting Guide `__ + + ' + security_fixes: + - include_vars action - Ensure that result masking is correctly requested when + vault-encrypted files are read. (CVE-2024-8775) + - task result processing - Ensure that action-sourced result masking (``_ansible_no_log=True``) + is preserved. (CVE-2024-8775) + - user action won't allow ssh-keygen, chown and chmod to run on existing ssh + public key file, avoiding traversal on existing symlinks (CVE-2024-9902). + codename: Fool in the Rain + fragments: + - 2.18.0rc2_summary.yaml + - cve-2024-8775.yml + - user_ssh_fix.yml + release_date: '2024-10-29' diff --git a/changelogs/fragments/2.18.0rc2_summary.yaml b/changelogs/fragments/2.18.0rc2_summary.yaml new file mode 100644 index 00000000000..2ed04b71073 --- /dev/null +++ b/changelogs/fragments/2.18.0rc2_summary.yaml @@ -0,0 +1,3 @@ +release_summary: | + | Release Date: 2024-10-29 + | `Porting Guide `__ diff --git a/lib/ansible/release.py b/lib/ansible/release.py index 1d3eb3e3881..f9710bf9674 100644 --- a/lib/ansible/release.py +++ b/lib/ansible/release.py @@ -17,6 +17,6 @@ from __future__ import annotations -__version__ = '2.18.0rc1.post0' +__version__ = '2.18.0rc2' __author__ = 'Ansible, Inc.' __codename__ = "Fool in the Rain" diff --git a/pyproject.toml b/pyproject.toml index 7011683d756..9cba19eeae3 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -1,5 +1,5 @@
 [build-system]
-requires = ["setuptools >= 66.1.0, <= 75.1.0"] # lower bound to support controller Python versions, upper bound for latest version tested at release
+requires = ["setuptools >= 66.1.0, <= 75.3.0"] # lower bound to support controller Python versions, upper bound for latest version tested at release
 build-backend = "setuptools.build_meta"
 
 [project]