From ac7b95e7108bff86eb3c9992775f26595195ce2b Mon Sep 17 00:00:00 2001
From: Felix Fontein <felix@fontein.de>
Date: Sun, 2 Nov 2025 13:04:47 +0100
Subject: [PATCH] Release 11.4.1.

---
 CHANGELOG.md                                  | 126 ++++++++++++------
 CHANGELOG.rst                                 |  35 +++++
 changelogs/changelog.yaml                     |  58 ++++++++
 changelogs/fragments/10891-dict-refactor.yml  |   6 -
 .../10918-gitlab-runner-fix-check-mode.yml    |   2 -
 ...d-client-auth-for-clientsecret-modules.yml |   2 -
 .../10934-cloudflare-dns-caa-bug.yml          |   2 -
 .../10934-cloudflare-dns-srv-bug.yml          |   2 -
 ...0955-pritunl_user-null-missing-params.yaml |   2 -
 ...961-terraform-complexvars-null-bugfix.yaml |   2 -
 .../fragments/10965-onepassword-bugfix.yml    |   2 -
 changelogs/fragments/11.4.1.yml               |   1 -
 changelogs/fragments/11001-omapi.yml          |   2 -
 changelogs/fragments/11005-keycloak_user.yml  |   4 -
 .../fragments/replace-random-with-secrets.yml |   4 -
 15 files changed, 176 insertions(+), 74 deletions(-)
 delete mode 100644 changelogs/fragments/10891-dict-refactor.yml
 delete mode 100644 changelogs/fragments/10918-gitlab-runner-fix-check-mode.yml
 delete mode 100644 changelogs/fragments/10933-keycloak-add-client-auth-for-clientsecret-modules.yml
 delete mode 100644 changelogs/fragments/10934-cloudflare-dns-caa-bug.yml
 delete mode 100644 changelogs/fragments/10934-cloudflare-dns-srv-bug.yml
 delete mode 100644 changelogs/fragments/10955-pritunl_user-null-missing-params.yaml
 delete mode 100644 changelogs/fragments/10961-terraform-complexvars-null-bugfix.yaml
 delete mode 100644 changelogs/fragments/10965-onepassword-bugfix.yml
 delete mode 100644 changelogs/fragments/11.4.1.yml
 delete mode 100644 changelogs/fragments/11001-omapi.yml
 delete mode 100644 changelogs/fragments/11005-keycloak_user.yml
 delete mode 100644 changelogs/fragments/replace-random-with-secrets.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11b30b41c8..33de42023c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,52 +2,57 @@
 
 **Topics**
 
-- <a href="#v11-4-0">v11\.4\.0</a>
+- <a href="#v11-4-1">v11\.4\.1</a>
     - <a href="#release-summary">Release Summary</a>
     - <a href="#minor-changes">Minor Changes</a>
+    - <a href="#security-fixes">Security Fixes</a>
     - <a href="#bugfixes">Bugfixes</a>
-- <a href="#v11-3-0">v11\.3\.0</a>
+- <a href="#v11-4-0">v11\.4\.0</a>
     - <a href="#release-summary-1">Release Summary</a>
     - <a href="#minor-changes-1">Minor Changes</a>
-    - <a href="#deprecated-features">Deprecated Features</a>
     - <a href="#bugfixes-1">Bugfixes</a>
+- <a href="#v11-3-0">v11\.3\.0</a>
+    - <a href="#release-summary-2">Release Summary</a>
+    - <a href="#minor-changes-2">Minor Changes</a>
+    - <a href="#deprecated-features">Deprecated Features</a>
+    - <a href="#bugfixes-2">Bugfixes</a>
     - <a href="#new-plugins">New Plugins</a>
         - <a href="#filter">Filter</a>
     - <a href="#new-modules">New Modules</a>
 - <a href="#v11-2-1">v11\.2\.1</a>
-    - <a href="#release-summary-2">Release Summary</a>
-    - <a href="#bugfixes-2">Bugfixes</a>
-- <a href="#v11-2-0">v11\.2\.0</a>
     - <a href="#release-summary-3">Release Summary</a>
-    - <a href="#minor-changes-2">Minor Changes</a>
-    - <a href="#deprecated-features-1">Deprecated Features</a>
     - <a href="#bugfixes-3">Bugfixes</a>
+- <a href="#v11-2-0">v11\.2\.0</a>
+    - <a href="#release-summary-4">Release Summary</a>
+    - <a href="#minor-changes-3">Minor Changes</a>
+    - <a href="#deprecated-features-1">Deprecated Features</a>
+    - <a href="#bugfixes-4">Bugfixes</a>
     - <a href="#new-plugins-1">New Plugins</a>
         - <a href="#lookup">Lookup</a>
     - <a href="#new-modules-1">New Modules</a>
 - <a href="#v11-1-2">v11\.1\.2</a>
-    - <a href="#release-summary-4">Release Summary</a>
-    - <a href="#minor-changes-3">Minor Changes</a>
-    - <a href="#bugfixes-4">Bugfixes</a>
-- <a href="#v11-1-1">v11\.1\.1</a>
     - <a href="#release-summary-5">Release Summary</a>
     - <a href="#minor-changes-4">Minor Changes</a>
     - <a href="#bugfixes-5">Bugfixes</a>
-- <a href="#v11-1-0">v11\.1\.0</a>
+- <a href="#v11-1-1">v11\.1\.1</a>
     - <a href="#release-summary-6">Release Summary</a>
     - <a href="#minor-changes-5">Minor Changes</a>
-    - <a href="#deprecated-features-2">Deprecated Features</a>
     - <a href="#bugfixes-6">Bugfixes</a>
+- <a href="#v11-1-0">v11\.1\.0</a>
+    - <a href="#release-summary-7">Release Summary</a>
+    - <a href="#minor-changes-6">Minor Changes</a>
+    - <a href="#deprecated-features-2">Deprecated Features</a>
+    - <a href="#bugfixes-7">Bugfixes</a>
     - <a href="#new-plugins-2">New Plugins</a>
         - <a href="#callback">Callback</a>
     - <a href="#new-modules-2">New Modules</a>
 - <a href="#v11-0-0">v11\.0\.0</a>
-    - <a href="#release-summary-7">Release Summary</a>
-    - <a href="#minor-changes-6">Minor Changes</a>
+    - <a href="#release-summary-8">Release Summary</a>
+    - <a href="#minor-changes-7">Minor Changes</a>
     - <a href="#deprecated-features-3">Deprecated Features</a>
     - <a href="#removed-features-previously-deprecated">Removed Features \(previously deprecated\)</a>
-    - <a href="#security-fixes">Security Fixes</a>
-    - <a href="#bugfixes-7">Bugfixes</a>
+    - <a href="#security-fixes-1">Security Fixes</a>
+    - <a href="#bugfixes-8">Bugfixes</a>
     - <a href="#known-issues">Known Issues</a>
     - <a href="#new-plugins-3">New Plugins</a>
         - <a href="#callback-1">Callback</a>
@@ -58,17 +63,52 @@
     - <a href="#new-modules-3">New Modules</a>
 This changelog describes changes after version 10\.0\.0\.
 
-<a id="v11-4-0"></a>
-## v11\.4\.0
+<a id="v11-4-1"></a>
+## v11\.4\.1
 
 <a id="release-summary"></a>
 ### Release Summary
 
-Regular bugfix and feature release\.
+Regular bugfix release\.
 
 <a id="minor-changes"></a>
 ### Minor Changes
 
+* dependent lookup plugin \- refactor dict initialization\, no impact to users \([https\://github\.com/ansible\-collections/community\.general/pull/10891](https\://github\.com/ansible\-collections/community\.general/pull/10891)\)\.
+* pacemaker\_cluster\.py \- refactor dict initialization\, no impact to users \([https\://github\.com/ansible\-collections/community\.general/pull/10891](https\://github\.com/ansible\-collections/community\.general/pull/10891)\)\.
+* pacemaker\_resource\.py \- refactor dict initialization\, no impact to users \([https\://github\.com/ansible\-collections/community\.general/pull/10891](https\://github\.com/ansible\-collections/community\.general/pull/10891)\)\.
+* pacemaker\_stonith\.py \- refactor dict initialization\, no impact to users \([https\://github\.com/ansible\-collections/community\.general/pull/10891](https\://github\.com/ansible\-collections/community\.general/pull/10891)\)\.
+* scaleway module\_utils \- improve code readability\, no impact to users \([https\://github\.com/ansible\-collections/community\.general/pull/10891](https\://github\.com/ansible\-collections/community\.general/pull/10891)\)\.
+
+<a id="security-fixes"></a>
+### Security Fixes
+
+* keycloak\_user \- the parameter <code>credentials\[\]\.value</code> is now marked as <code>no\_log\=true</code>\. Before it was logged by Ansible\, unless the task was marked as <code>no\_log\: true</code>\. Since this parameter can be used for passwords\, this resulted in credential leaking \([https\://github\.com/ansible\-collections/community\.general/issues/11000](https\://github\.com/ansible\-collections/community\.general/issues/11000)\, [https\://github\.com/ansible\-collections/community\.general/pull/11005](https\://github\.com/ansible\-collections/community\.general/pull/11005)\)\.
+
+<a id="bugfixes"></a>
+### Bugfixes
+
+* cloudflare\_dns \- roll back changes to CAA record validation \([https\://github\.com/ansible\-collections/community\.general/issues/10934](https\://github\.com/ansible\-collections/community\.general/issues/10934)\, [https\://github\.com/ansible\-collections/community\.general/pull/10956](https\://github\.com/ansible\-collections/community\.general/pull/10956)\)\.
+* cloudflare\_dns \- roll back changes to SRV record validation \([https\://github\.com/ansible\-collections/community\.general/issues/10934](https\://github\.com/ansible\-collections/community\.general/issues/10934)\, [https\://github\.com/ansible\-collections/community\.general/pull/10937](https\://github\.com/ansible\-collections/community\.general/pull/10937)\)\.
+* gitlab\_runner \- fix exception in check mode when a new runner is created \([https\://github\.com/ansible\-collections/community\.general/issues/8854](https\://github\.com/ansible\-collections/community\.general/issues/8854)\)\.
+* keycloak\_clientsecret\, keycloak\_clientsecret\_info \- make <code>client\_auth</code> work \([https\://github\.com/ansible\-collections/community\.general/issues/10932](https\://github\.com/ansible\-collections/community\.general/issues/10932)\, [https\://github\.com/ansible\-collections/community\.general/pull/10933](https\://github\.com/ansible\-collections/community\.general/pull/10933)\)\.
+* omapi\_host \- make return values compatible with ansible\-core 2\.19 and Python 3 \([https\://github\.com/ansible\-collections/community\.general/pull/11001](https\://github\.com/ansible\-collections/community\.general/pull/11001)\)\.
+* onepassword\_doc and onepassword\_ssh\_key lookup plugins \- ensure that all connection parameters are passed to CLI class \([https\://github\.com/ansible\-collections/community\.general/pull/10965](https\://github\.com/ansible\-collections/community\.general/pull/10965)\)\.
+* pritunl\_user \- improve resilience when comparing user parameters if remote fields are <code>null</code> or missing\. List parameters \(<code>groups</code>\, <code>mac\_addresses</code>\) now safely default to empty lists for comparison and avoids <code>KeyError</code> issues \([https\://github\.com/ansible\-collections/community\.general/issues/10954](https\://github\.com/ansible\-collections/community\.general/issues/10954)\, [https\://github\.com/ansible\-collections/community\.general/pull/10955](https\://github\.com/ansible\-collections/community\.general/pull/10955)\)\.
+* random\_string lookup plugin \- replace <code>random\.SystemRandom\(\)</code> with <code>secrets\.SystemRandom\(\)</code> when generating strings\. This has no practical effect\, as both are the same \([https\://github\.com/ansible\-collections/community\.general/pull/10893](https\://github\.com/ansible\-collections/community\.general/pull/10893)\)\.
+* terraform \- fix bug when <code>null</code> values inside complex vars are throwing error instead of being passed to terraform\. Now terraform can handle <code>null\`\`s in \`\`complex\_vars</code> itself \([https\://github\.com/ansible\-collections/community\.general/pull/10961](https\://github\.com/ansible\-collections/community\.general/pull/10961)\)\.
+
+<a id="v11-4-0"></a>
+## v11\.4\.0
+
+<a id="release-summary-1"></a>
+### Release Summary
+
+Regular bugfix and feature release\.
+
+<a id="minor-changes-1"></a>
+### Minor Changes
+
 * github\_app\_access\_token lookup plugin \- add support for GitHub Enterprise Server \([https\://github\.com/ansible\-collections/community\.general/issues/10879](https\://github\.com/ansible\-collections/community\.general/issues/10879)\, [https\://github\.com/ansible\-collections/community\.general/pull/10880](https\://github\.com/ansible\-collections/community\.general/pull/10880)\)\.
 * gitlab\_group\_variable \- add <code>description</code> option \([https\://github\.com/ansible\-collections/community\.general/pull/10812](https\://github\.com/ansible\-collections/community\.general/pull/10812)\)\.
 * gitlab\_instance\_variable \- add <code>description</code> option \([https\://github\.com/ansible\-collections/community\.general/pull/10812](https\://github\.com/ansible\-collections/community\.general/pull/10812)\)\.
@@ -76,7 +116,7 @@ Regular bugfix and feature release\.
 * keycloak\_client \- add idempotent support for <code>optional\_client\_scopes</code> and <code>optional\_client\_scopes</code>\, and ensure consistent change detection between check mode and live run \([https\://github\.com/ansible\-collections/community\.general/issues/5495](https\://github\.com/ansible\-collections/community\.general/issues/5495)\, [https\://github\.com/ansible\-collections/community\.general/pull/10842](https\://github\.com/ansible\-collections/community\.general/pull/10842)\)\.
 * pipx module\_utils \- use <code>PIPX\_USE\_EMOJI</code> to disable emojis in the output of <code>pipx</code> 1\.8\.0 \([https\://github\.com/ansible\-collections/community\.general/pull/10874](https\://github\.com/ansible\-collections/community\.general/pull/10874)\)\.
 
-<a id="bugfixes"></a>
+<a id="bugfixes-1"></a>
 ### Bugfixes
 
 * Avoid usage of deprecated <code>ansible\.module\_utils\.six</code> in all code that does not have to support Python 2 \([https\://github\.com/ansible\-collections/community\.general/pull/10873](https\://github\.com/ansible\-collections/community\.general/pull/10873)\)\.
@@ -93,12 +133,12 @@ Regular bugfix and feature release\.
 <a id="v11-3-0"></a>
 ## v11\.3\.0
 
-<a id="release-summary-1"></a>
+<a id="release-summary-2"></a>
 ### Release Summary
 
 Regular bugfix and feature release\.
 
-<a id="minor-changes-1"></a>
+<a id="minor-changes-2"></a>
 ### Minor Changes
 
 * android\_sdk \- minor refactor to improve readability \([https\://github\.com/ansible\-collections/community\.general/pull/10712](https\://github\.com/ansible\-collections/community\.general/pull/10712)\)\.
@@ -154,7 +194,7 @@ Regular bugfix and feature release\.
 * oci\_vcn \- module is deprecated and will be removed in community\.general 13\.0\.0 \([https\://github\.com/ansible\-collections/community\.general/issues/10318](https\://github\.com/ansible\-collections/community\.general/issues/10318)\, [https\://github\.com/ansible\-collections/community\.general/pull/10652](https\://github\.com/ansible\-collections/community\.general/pull/10652)\)\.
 * oracle\* doc fragments \- fragments are deprecated and will be removed in community\.general 13\.0\.0 \([https\://github\.com/ansible\-collections/community\.general/issues/10318](https\://github\.com/ansible\-collections/community\.general/issues/10318)\, [https\://github\.com/ansible\-collections/community\.general/pull/10652](https\://github\.com/ansible\-collections/community\.general/pull/10652)\)\.
 
-<a id="bugfixes-1"></a>
+<a id="bugfixes-2"></a>
 ### Bugfixes
 
 * kdeconfig \- <code>kwriteconfig</code> executable could not be discovered automatically on systems with only <code>kwriteconfig6</code> installed\. <code>kwriteconfig6</code> can now be discovered by Ansible \([https\://github\.com/ansible\-collections/community\.general/issues/10746](https\://github\.com/ansible\-collections/community\.general/issues/10746)\, [https\://github\.com/ansible\-collections/community\.general/pull/10751](https\://github\.com/ansible\-collections/community\.general/pull/10751)\)\.
@@ -181,12 +221,12 @@ Regular bugfix and feature release\.
 <a id="v11-2-1"></a>
 ## v11\.2\.1
 
-<a id="release-summary-2"></a>
+<a id="release-summary-3"></a>
 ### Release Summary
 
 Bugfix release\.
 
-<a id="bugfixes-2"></a>
+<a id="bugfixes-3"></a>
 ### Bugfixes
 
 * Avoid deprecated functionality in ansible\-core 2\.20 \([https\://github\.com/ansible\-collections/community\.general/pull/10687](https\://github\.com/ansible\-collections/community\.general/pull/10687)\)\.
@@ -198,12 +238,12 @@ Bugfix release\.
 <a id="v11-2-0"></a>
 ## v11\.2\.0
 
-<a id="release-summary-3"></a>
+<a id="release-summary-4"></a>
 ### Release Summary
 
 Regular bugfix and features release\.
 
-<a id="minor-changes-2"></a>
+<a id="minor-changes-3"></a>
 ### Minor Changes
 
 * apk \- using safer mechanism to run external command \([https\://github\.com/ansible\-collections/community\.general/issues/10479](https\://github\.com/ansible\-collections/community\.general/issues/10479)\, [https\://github\.com/ansible\-collections/community\.general/pull/10520](https\://github\.com/ansible\-collections/community\.general/pull/10520)\)\.
@@ -241,7 +281,7 @@ Regular bugfix and features release\.
 * github\_repo \- deprecate <code>force\_defaults\=true</code> \([https\://github\.com/ansible\-collections/community\.general/pull/10435](https\://github\.com/ansible\-collections/community\.general/pull/10435)\)\.
 * rocketchat \- the default value for <code>is\_pre740</code>\, currently <code>true</code>\, is deprecated and will change to <code>false</code> in community\.general 13\.0\.0 \([https\://github\.com/ansible\-collections/community\.general/pull/10490](https\://github\.com/ansible\-collections/community\.general/pull/10490)\)\.
 
-<a id="bugfixes-3"></a>
+<a id="bugfixes-4"></a>
 ### Bugfixes
 
 * jenkins\_plugin \- install latest compatible version instead of latest \([https\://github\.com/ansible\-collections/community\.general/issues/854](https\://github\.com/ansible\-collections/community\.general/issues/854)\, [https\://github\.com/ansible\-collections/community\.general/pull/10346](https\://github\.com/ansible\-collections/community\.general/pull/10346)\)\.
@@ -265,12 +305,12 @@ Regular bugfix and features release\.
 <a id="v11-1-2"></a>
 ## v11\.1\.2
 
-<a id="release-summary-4"></a>
+<a id="release-summary-5"></a>
 ### Release Summary
 
 Bugfix release\.
 
-<a id="minor-changes-3"></a>
+<a id="minor-changes-4"></a>
 ### Minor Changes
 
 * gem \- remove redundant constructs from argument specs \([https\://github\.com/ansible\-collections/community\.general/pull/10505](https\://github\.com/ansible\-collections/community\.general/pull/10505)\)\.
@@ -404,7 +444,7 @@ Bugfix release\.
 * zypper \- remove redundant constructs from argument specs \([https\://github\.com/ansible\-collections/community\.general/pull/10513](https\://github\.com/ansible\-collections/community\.general/pull/10513)\)\.
 * zypper\_repository \- remove redundant constructs from argument specs \([https\://github\.com/ansible\-collections/community\.general/pull/10513](https\://github\.com/ansible\-collections/community\.general/pull/10513)\)\.
 
-<a id="bugfixes-4"></a>
+<a id="bugfixes-5"></a>
 ### Bugfixes
 
 * apk \- fix check for empty/whitespace\-only package names \([https\://github\.com/ansible\-collections/community\.general/pull/10532](https\://github\.com/ansible\-collections/community\.general/pull/10532)\)\.
@@ -418,12 +458,12 @@ Bugfix release\.
 <a id="v11-1-1"></a>
 ## v11\.1\.1
 
-<a id="release-summary-5"></a>
+<a id="release-summary-6"></a>
 ### Release Summary
 
 Bugfix release for the next Ansible 12 pre\-release\.
 
-<a id="minor-changes-4"></a>
+<a id="minor-changes-5"></a>
 ### Minor Changes
 
 * aerospike\_migrations \- remove redundant constructs from argument specs \([https\://github\.com/ansible\-collections/community\.general/pull/10494](https\://github\.com/ansible\-collections/community\.general/pull/10494)\)\.
@@ -454,7 +494,7 @@ Bugfix release for the next Ansible 12 pre\-release\.
 * filesystem \- remove redundant constructs from argument specs \([https\://github\.com/ansible\-collections/community\.general/pull/10494](https\://github\.com/ansible\-collections/community\.general/pull/10494)\)\.
 * sysrc \- adjustments to the code \([https\://github\.com/ansible\-collections/community\.general/pull/10417](https\://github\.com/ansible\-collections/community\.general/pull/10417)\)\.
 
-<a id="bugfixes-5"></a>
+<a id="bugfixes-6"></a>
 ### Bugfixes
 
 * apache2\_module \- avoid ansible\-core 2\.19 deprecation \([https\://github\.com/ansible\-collections/community\.general/pull/10459](https\://github\.com/ansible\-collections/community\.general/pull/10459)\)\.
@@ -472,12 +512,12 @@ Bugfix release for the next Ansible 12 pre\-release\.
 <a id="v11-1-0"></a>
 ## v11\.1\.0
 
-<a id="release-summary-6"></a>
+<a id="release-summary-7"></a>
 ### Release Summary
 
 Regular bugfix and feature release\.
 
-<a id="minor-changes-5"></a>
+<a id="minor-changes-6"></a>
 ### Minor Changes
 
 * cloudflare\_dns \- adds support for PTR records \([https\://github\.com/ansible\-collections/community\.general/pull/10267](https\://github\.com/ansible\-collections/community\.general/pull/10267)\)\.
@@ -532,7 +572,7 @@ Regular bugfix and feature release\.
 * catapult \- module is deprecated and will be removed in community\.general 13\.0\.0 \([https\://github\.com/ansible\-collections/community\.general/issues/10318](https\://github\.com/ansible\-collections/community\.general/issues/10318)\, [https\://github\.com/ansible\-collections/community\.general/pull/10329](https\://github\.com/ansible\-collections/community\.general/pull/10329)\)\.
 * pacemaker\_cluster \- the parameter <code>state</code> will become a required parameter in community\.general 12\.0\.0 \([https\://github\.com/ansible\-collections/community\.general/pull/10227](https\://github\.com/ansible\-collections/community\.general/pull/10227)\)\.
 
-<a id="bugfixes-6"></a>
+<a id="bugfixes-7"></a>
 ### Bugfixes
 
 * dependent lookup plugin \- avoid deprecated ansible\-core 2\.19 functionality \([https\://github\.com/ansible\-collections/community\.general/pull/10359](https\://github\.com/ansible\-collections/community\.general/pull/10359)\)\.
@@ -558,12 +598,12 @@ Regular bugfix and feature release\.
 <a id="v11-0-0"></a>
 ## v11\.0\.0
 
-<a id="release-summary-7"></a>
+<a id="release-summary-8"></a>
 ### Release Summary
 
 This is release 11\.0\.0 of <code>community\.general</code>\, released on 2025\-06\-16\.
 
-<a id="minor-changes-6"></a>
+<a id="minor-changes-7"></a>
 ### Minor Changes
 
 * CmdRunner module utils \- the convenience method <code>cmd\_runner\_fmt\.as\_fixed\(\)</code> now accepts multiple arguments as a list \([https\://github\.com/ansible\-collections/community\.general/pull/9893](https\://github\.com/ansible\-collections/community\.general/pull/9893)\)\.
@@ -951,13 +991,13 @@ This is release 11\.0\.0 of <code>community\.general</code>\, released on 2025\-
 * redfish\_utils module utils \- the <code>\_init\_session</code> method has been removed \([https\://github\.com/ansible\-collections/community\.general/pull/10126](https\://github\.com/ansible\-collections/community\.general/pull/10126)\)\.
 * stackpath\_compute inventory plugin \- the plugin was removed since the company and the service were sunset in June 2024 \([https\://github\.com/ansible\-collections/community\.general/pull/10126](https\://github\.com/ansible\-collections/community\.general/pull/10126)\)\.
 
-<a id="security-fixes"></a>
+<a id="security-fixes-1"></a>
 ### Security Fixes
 
 * keycloak\_authentication \- API calls did not properly set the <code>priority</code> during update resulting in incorrectly sorted authentication flows\. This apparently only affects Keycloak 25 or newer \([https\://github\.com/ansible\-collections/community\.general/pull/9263](https\://github\.com/ansible\-collections/community\.general/pull/9263)\)\.
 * keycloak\_client \- Sanitize <code>saml\.encryption\.private\.key</code> so it does not show in the logs \([https\://github\.com/ansible\-collections/community\.general/pull/9621](https\://github\.com/ansible\-collections/community\.general/pull/9621)\)\.
 
-<a id="bugfixes-7"></a>
+<a id="bugfixes-8"></a>
 ### Bugfixes
 
 * apache2\_mod\_proxy \- make compatible with Python 3 \([https\://github\.com/ansible\-collections/community\.general/pull/9762](https\://github\.com/ansible\-collections/community\.general/pull/9762)\)\.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 52b7ca83d0..30ff62e5f2 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,41 @@ Community General Release Notes
 
 This changelog describes changes after version 10.0.0.
 
+v11.4.1
+=======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Minor Changes
+-------------
+
+- dependent lookup plugin - refactor dict initialization, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
+- pacemaker_cluster.py - refactor dict initialization, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
+- pacemaker_resource.py - refactor dict initialization, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
+- pacemaker_stonith.py - refactor dict initialization, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
+- scaleway module_utils - improve code readability, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
+
+Security Fixes
+--------------
+
+- keycloak_user - the parameter ``credentials[].value`` is now marked as ``no_log=true``. Before it was logged by Ansible, unless the task was marked as ``no_log: true``. Since this parameter can be used for passwords, this resulted in credential leaking (https://github.com/ansible-collections/community.general/issues/11000, https://github.com/ansible-collections/community.general/pull/11005).
+
+Bugfixes
+--------
+
+- cloudflare_dns - roll back changes to CAA record validation (https://github.com/ansible-collections/community.general/issues/10934, https://github.com/ansible-collections/community.general/pull/10956).
+- cloudflare_dns - roll back changes to SRV record validation (https://github.com/ansible-collections/community.general/issues/10934, https://github.com/ansible-collections/community.general/pull/10937).
+- gitlab_runner - fix exception in check mode when a new runner is created (https://github.com/ansible-collections/community.general/issues/8854).
+- keycloak_clientsecret, keycloak_clientsecret_info - make ``client_auth`` work (https://github.com/ansible-collections/community.general/issues/10932, https://github.com/ansible-collections/community.general/pull/10933).
+- omapi_host - make return values compatible with ansible-core 2.19 and Python 3 (https://github.com/ansible-collections/community.general/pull/11001).
+- onepassword_doc and onepassword_ssh_key lookup plugins - ensure that all connection parameters are passed to CLI class (https://github.com/ansible-collections/community.general/pull/10965).
+- pritunl_user - improve resilience when comparing user parameters if remote fields are ``null`` or missing. List parameters (``groups``, ``mac_addresses``) now safely default to empty lists for comparison and avoids ``KeyError`` issues (https://github.com/ansible-collections/community.general/issues/10954, https://github.com/ansible-collections/community.general/pull/10955).
+- random_string lookup plugin - replace ``random.SystemRandom()`` with ``secrets.SystemRandom()`` when generating strings. This has no practical effect, as both are the same (https://github.com/ansible-collections/community.general/pull/10893).
+- terraform - fix bug when ``null`` values inside complex vars are throwing error instead of being passed to terraform. Now terraform can handle ``null``s in ``complex_vars`` itself (https://github.com/ansible-collections/community.general/pull/10961).
+
 v11.4.0
 =======
 
diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml
index b9ec36af50..0360fb918a 100644
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -1799,3 +1799,61 @@ releases:
       - 10880-github_app_access_token-lookup.yml
       - 11.4.0.yml
     release_date: '2025-10-06'
+  11.4.1:
+    changes:
+      bugfixes:
+        - cloudflare_dns - roll back changes to CAA record validation (https://github.com/ansible-collections/community.general/issues/10934,
+          https://github.com/ansible-collections/community.general/pull/10956).
+        - cloudflare_dns - roll back changes to SRV record validation (https://github.com/ansible-collections/community.general/issues/10934,
+          https://github.com/ansible-collections/community.general/pull/10937).
+        - gitlab_runner - fix exception in check mode when a new runner is created
+          (https://github.com/ansible-collections/community.general/issues/8854).
+        - keycloak_clientsecret, keycloak_clientsecret_info - make ``client_auth``
+          work (https://github.com/ansible-collections/community.general/issues/10932,
+          https://github.com/ansible-collections/community.general/pull/10933).
+        - omapi_host - make return values compatible with ansible-core 2.19 and Python
+          3 (https://github.com/ansible-collections/community.general/pull/11001).
+        - onepassword_doc and onepassword_ssh_key lookup plugins - ensure that all
+          connection parameters are passed to CLI class (https://github.com/ansible-collections/community.general/pull/10965).
+        - pritunl_user - improve resilience when comparing user parameters if remote
+          fields are ``null`` or missing. List parameters (``groups``, ``mac_addresses``)
+          now safely default to empty lists for comparison and avoids ``KeyError``
+          issues (https://github.com/ansible-collections/community.general/issues/10954,
+          https://github.com/ansible-collections/community.general/pull/10955).
+        - random_string lookup plugin - replace ``random.SystemRandom()`` with ``secrets.SystemRandom()``
+          when generating strings. This has no practical effect, as both are the same
+          (https://github.com/ansible-collections/community.general/pull/10893).
+        - terraform - fix bug when ``null`` values inside complex vars are throwing
+          error instead of being passed to terraform. Now terraform can handle ``null``s
+          in ``complex_vars`` itself (https://github.com/ansible-collections/community.general/pull/10961).
+      minor_changes:
+        - dependent lookup plugin - refactor dict initialization, no impact to users
+          (https://github.com/ansible-collections/community.general/pull/10891).
+        - pacemaker_cluster.py - refactor dict initialization, no impact to users
+          (https://github.com/ansible-collections/community.general/pull/10891).
+        - pacemaker_resource.py - refactor dict initialization, no impact to users
+          (https://github.com/ansible-collections/community.general/pull/10891).
+        - pacemaker_stonith.py - refactor dict initialization, no impact to users
+          (https://github.com/ansible-collections/community.general/pull/10891).
+        - scaleway module_utils - improve code readability, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
+      release_summary: Regular bugfix release.
+      security_fixes:
+        - 'keycloak_user - the parameter ``credentials[].value`` is now marked as
+          ``no_log=true``. Before it was logged by Ansible, unless the task was marked
+          as ``no_log: true``. Since this parameter can be used for passwords, this
+          resulted in credential leaking (https://github.com/ansible-collections/community.general/issues/11000,
+          https://github.com/ansible-collections/community.general/pull/11005).'
+    fragments:
+      - 10891-dict-refactor.yml
+      - 10918-gitlab-runner-fix-check-mode.yml
+      - 10933-keycloak-add-client-auth-for-clientsecret-modules.yml
+      - 10934-cloudflare-dns-caa-bug.yml
+      - 10934-cloudflare-dns-srv-bug.yml
+      - 10955-pritunl_user-null-missing-params.yaml
+      - 10961-terraform-complexvars-null-bugfix.yaml
+      - 10965-onepassword-bugfix.yml
+      - 11.4.1.yml
+      - 11001-omapi.yml
+      - 11005-keycloak_user.yml
+      - replace-random-with-secrets.yml
+    release_date: '2025-11-02'
diff --git a/changelogs/fragments/10891-dict-refactor.yml b/changelogs/fragments/10891-dict-refactor.yml
deleted file mode 100644
index 63d5e585ff..0000000000
--- a/changelogs/fragments/10891-dict-refactor.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-minor_changes:
-  - dependent lookup plugin - refactor dict initialization, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
-  - scaleway module_utils - improve code readability, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
-  - pacemaker_cluster.py - refactor dict initialization, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
-  - pacemaker_resource.py - refactor dict initialization, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
-  - pacemaker_stonith.py - refactor dict initialization, no impact to users (https://github.com/ansible-collections/community.general/pull/10891).
diff --git a/changelogs/fragments/10918-gitlab-runner-fix-check-mode.yml b/changelogs/fragments/10918-gitlab-runner-fix-check-mode.yml
deleted file mode 100644
index 214487938b..0000000000
--- a/changelogs/fragments/10918-gitlab-runner-fix-check-mode.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-bugfixes:
-  - gitlab_runner - fix exception in check mode when a new runner is created (https://github.com/ansible-collections/community.general/issues/8854).
diff --git a/changelogs/fragments/10933-keycloak-add-client-auth-for-clientsecret-modules.yml b/changelogs/fragments/10933-keycloak-add-client-auth-for-clientsecret-modules.yml
deleted file mode 100644
index df70186ff5..0000000000
--- a/changelogs/fragments/10933-keycloak-add-client-auth-for-clientsecret-modules.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-bugfixes:
-  - keycloak_clientsecret, keycloak_clientsecret_info - make ``client_auth`` work (https://github.com/ansible-collections/community.general/issues/10932, https://github.com/ansible-collections/community.general/pull/10933).
\ No newline at end of file
diff --git a/changelogs/fragments/10934-cloudflare-dns-caa-bug.yml b/changelogs/fragments/10934-cloudflare-dns-caa-bug.yml
deleted file mode 100644
index e40acc30f4..0000000000
--- a/changelogs/fragments/10934-cloudflare-dns-caa-bug.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-bugfixes:
-  - cloudflare_dns - roll back changes to CAA record validation (https://github.com/ansible-collections/community.general/issues/10934, https://github.com/ansible-collections/community.general/pull/10956).
diff --git a/changelogs/fragments/10934-cloudflare-dns-srv-bug.yml b/changelogs/fragments/10934-cloudflare-dns-srv-bug.yml
deleted file mode 100644
index eb2b06d2f1..0000000000
--- a/changelogs/fragments/10934-cloudflare-dns-srv-bug.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-bugfixes:
-  - cloudflare_dns - roll back changes to SRV record validation (https://github.com/ansible-collections/community.general/issues/10934, https://github.com/ansible-collections/community.general/pull/10937).
diff --git a/changelogs/fragments/10955-pritunl_user-null-missing-params.yaml b/changelogs/fragments/10955-pritunl_user-null-missing-params.yaml
deleted file mode 100644
index 03aad70fb3..0000000000
--- a/changelogs/fragments/10955-pritunl_user-null-missing-params.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-bugfixes:
-  - "pritunl_user - improve resilience when comparing user parameters if remote fields are ``null`` or missing. List parameters (``groups``, ``mac_addresses``) now safely default to empty lists for comparison and avoids ``KeyError`` issues (https://github.com/ansible-collections/community.general/issues/10954, https://github.com/ansible-collections/community.general/pull/10955)."
diff --git a/changelogs/fragments/10961-terraform-complexvars-null-bugfix.yaml b/changelogs/fragments/10961-terraform-complexvars-null-bugfix.yaml
deleted file mode 100644
index 284da1f888..0000000000
--- a/changelogs/fragments/10961-terraform-complexvars-null-bugfix.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-bugfixes:
- - terraform - fix bug when ``null`` values inside complex vars are throwing error instead of being passed to terraform. Now terraform can handle ``null``s in ``complex_vars`` itself (https://github.com/ansible-collections/community.general/pull/10961).
diff --git a/changelogs/fragments/10965-onepassword-bugfix.yml b/changelogs/fragments/10965-onepassword-bugfix.yml
deleted file mode 100644
index 670c02fdc2..0000000000
--- a/changelogs/fragments/10965-onepassword-bugfix.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-bugfixes:
-  - onepassword_doc and onepassword_ssh_key lookup plugins - ensure that all connection parameters are passed to CLI class (https://github.com/ansible-collections/community.general/pull/10965).
\ No newline at end of file
diff --git a/changelogs/fragments/11.4.1.yml b/changelogs/fragments/11.4.1.yml
deleted file mode 100644
index 1b14bd80d1..0000000000
--- a/changelogs/fragments/11.4.1.yml
+++ /dev/null
@@ -1 +0,0 @@
-release_summary: Regular bugfix release.
diff --git a/changelogs/fragments/11001-omapi.yml b/changelogs/fragments/11001-omapi.yml
deleted file mode 100644
index 5131f763c0..0000000000
--- a/changelogs/fragments/11001-omapi.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-bugfixes:
-  - "omapi_host - make return values compatible with ansible-core 2.19 and Python 3 (https://github.com/ansible-collections/community.general/pull/11001)."
diff --git a/changelogs/fragments/11005-keycloak_user.yml b/changelogs/fragments/11005-keycloak_user.yml
deleted file mode 100644
index d715ca8c94..0000000000
--- a/changelogs/fragments/11005-keycloak_user.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-security_fixes:
-  - "keycloak_user - the parameter ``credentials[].value`` is now marked as ``no_log=true``. Before it was logged by Ansible, unless the task was marked as ``no_log: true``.
-     Since this parameter can be used for passwords, this resulted in credential leaking
-     (https://github.com/ansible-collections/community.general/issues/11000, https://github.com/ansible-collections/community.general/pull/11005)."
diff --git a/changelogs/fragments/replace-random-with-secrets.yml b/changelogs/fragments/replace-random-with-secrets.yml
deleted file mode 100644
index b82e59e7e9..0000000000
--- a/changelogs/fragments/replace-random-with-secrets.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-bugfixes:
-  - random_string lookup plugin - replace ``random.SystemRandom()`` with ``secrets.SystemRandom()`` when
-    generating strings. This has no practical effect, as both are the same
-    (https://github.com/ansible-collections/community.general/pull/10893).