update to current state

Reviewed-on: https://src.suse.de/products/SLFO/pulls/1745
Reviewed-by: Elisei Roca <eroca@suse.de>

.gitmodules

@@ -851,6 +851,7 @@
 [submodule "docker-compose"]
 	path = docker-compose
 	url = ../../SLFO-pool/docker-compose
+	branch = 1.1
 [submodule "docker-compose-switch"]
 	path = docker-compose-switch
 	url = ../../SLFO-pool/docker-compose-switch
@@ -2653,6 +2654,7 @@
 [submodule "libpcap"]
 	path = libpcap
 	url = ../../SLFO-pool/libpcap
+	branch = 1.1
 [submodule "libpciaccess"]
 	path = libpciaccess
 	url = ../../SLFO-pool/libpciaccess
@@ -2880,6 +2882,7 @@
 [submodule "libsodium"]
 	path = libsodium
 	url = ../../SLFO-pool/libsodium
+	branch = 1.1
 [submodule "libsolv"]
 	path = libsolv
 	url = ../../SLFO-pool/libsolv
@@ -2916,6 +2919,7 @@
 [submodule "libtasn1"]
 	path = libtasn1
 	url = ../../SLFO-pool/libtasn1
+	branch = 1.1
 [submodule "libtcnative-1-0"]
 	path = libtcnative-1-0
 	url = ../../SLFO-pool/libtcnative-1-0

patchinfo.20260102164256564774.925254595339/_patchinfo

@@ -0,0 +1,25 @@
+<patchinfo incident="368">
+  <!-- generated from request(s) 398065 -->
+  <issue tracker="bnc" id="1255731">VUL-0: EMBARGOED: CVE-2025-14524: curl: bearer token leak on cross-protocol redirect</issue>
+  <issue tracker="bnc" id="1255732">VUL-0: EMBARGOED: CVE-2025-14819: curl: openSSL partial chain store policy bypass</issue>
+  <issue tracker="bnc" id="1255733">VUL-0: EMBARGOED: CVE-2025-15079: curl: libssh global knownhost override</issue>
+  <issue tracker="bnc" id="1255734">VUL-0: EMBARGOED: CVE-2025-15224: curl: libssh key passphrase bypass without agent set</issue>
+  <issue tracker="cve" id="2025-14524"/>
+  <issue tracker="cve" id="2025-14819"/>
+  <issue tracker="cve" id="2025-15079"/>
+  <issue tracker="cve" id="2025-15224"/>
+  <packager>lmulling</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for curl</summary>
+  <description>This update for curl fixes the following issues:
+
+- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
+- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
+- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
+- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).
+</description>
+  <package>curl</package>
+  <package>curl:mini</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260105173108572448.925254595339/_patchinfo

@@ -0,0 +1,23 @@
+<patchinfo incident="370">
+  <!-- generated from request(s) 398155 -->
+  <issue tracker="bnc" id="1230020">VUL-0: CVE-2023-7256: libpcap: double free via addrinfo in sock_initaddress()</issue>
+  <issue tracker="bnc" id="1230034">VUL-0: CVE-2024-8006: libpcap: null pointer dereference in pcap_findalldevs_ex()</issue>
+  <issue tracker="bnc" id="1255765">VUL-0: CVE-2025-11961: libpcap: out-of-bound-write and out-of-bound-read in pcap_ether_aton() due to missing validation of provided MAC-48 address string</issue>
+  <issue tracker="cve" id="2023-7256"/>
+  <issue tracker="cve" id="2024-8006"/>
+  <issue tracker="cve" id="2025-11961"/>
+  <packager>pmonrealgonzalez</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for libpcap</summary>
+  <description>This update for libpcap fixes the following issues:
+
+- CVE-2025-11961: missing validation of provided MAC-48 address string in `pcap_ether_aton()` can lead to out-of-bounds
+  read and write (bsc#1255765).
+- CVE-2024-8006: missing return value check in `pcap_findalldevs_ex()` can lead to NULL pointer dereference
+  (bsc#1230034).
+- CVE-2023-7256: unclear value returned by  `sock_initaddress()` can lead to a double-free (bsc#1230020).
+</description>
+  <package>libpcap</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260106110541873376.925254595339/_patchinfo

@@ -1,4 +1,4 @@
-<patchinfo>
+<patchinfo incident="367">
   <!-- generated from request(s) 398179 -->
   <issue tracker="bnc" id="1216002">VUL-0: CVE-2023-5366: openvswitch: missing masks on a final stage with ports trie</issue>
   <issue tracker="bnc" id="1219465">VUL-0: CVE-2023-3966: openvswitch, openvswitch3: Invalid memory access in Geneve with HW offload</issue>
@@ -65,4 +65,4 @@ Other updates and bugfixes:
 </description>
   <package>openvswitch</package>
   <seperate_build_arch/>
-</patchinfo>
+</patchinfo>

patchinfo.20260107085404427730.187004354831441/_patchinfo

@@ -0,0 +1,586 @@
+<patchinfo incident="369">
+  <!-- generated from request(s) 364464 -->
+  <packager>dancermak</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for docker-compose</summary>
+  <description>This update for docker-compose fixes the following issues:
+
+Update to version 2.33.1:
+
+  * Improvements
+
+    - Add support for gw_priority, enable_ipv4 (requires docker
+      v28.0) by @thaJeztah in #12570
+
+  * Fixes
+
+    - Run watch standalone if menu fails to start by @ndeloof in
+      #12536
+    - Report error using non-file secret|config with read-only
+      service by @ndeloof in #12531
+    - Don't display bake suggestion when using --progress with
+      quiet or json option by @glours in #12561
+    - Fix pull --parallel and --no-parallel deprecation warnings
+      missing by @maxproske in #12555
+    - Fix error message when detach is implied by wait by @ndeloof
+      in #12566
+
+  * Dependencies
+
+    - build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1
+      by @dependabot in #12556
+    - build(deps): bump google.golang.org/grpc from 1.68.1 to
+      1.70.0 by @dependabot in #12494
+    - go.mod: update to docker v28.0.0 by @thaJeztah in #12545
+
+- remove docker-compose-switch dependency
+
+Update to version 2.33.0:
+
+  * Important
+
+    - This release introduce support for Bake to manage builds as
+      an alternative to the internal buildkit client. This new
+      feature can be enabled by setting COMPOSE_BAKE=1 variable.
+      Bake will become the default builder in a future release.
+
+  * Improvements
+
+    - let user know bake is now supported by @ndeloof in #12524
+    - support additional_context reference to another service by
+      @ndeloof in #12485
+    - add support for BUILDKIT_PROGRESS by @ndeloof in #12458
+    - add --with-env flag to publish command by @glours in #12482
+    - Update ls --quiet help description by @maxproske in #12541
+    - Publish warn display env vars by @glours in #12486
+
+  * Fixes
+
+    - Fix bake support by @ndeloof in #12507
+    - Update link in stats --help output by @maxproske in #12523
+    - Properly handle "builtin" seccomp profile by @r-bk in #12478
+    - manage watch applied to mulitple services by @ndeloof in
+      #12469
+
+  * Internal
+
+    - use main branch for docs upstream validation workflow by
+      @crazy-max in #12487
+    - fix provenance for binaries and generate sbom by @crazy-max
+      in #12479
+    - add codeowners file by @glours in #12480
+    - remove exit code per error type used by legacy metrics system
+      by @ndeloof in #12502
+    - Dockerfile: update golangci-lint to v1.63.4 by @thaJeztah in
+      #12546
+    - Full test coverage for compatibility cmd by @maxproske in
+      #12528
+    - don't send raw os.Args to opentelemetry but a pseudo command
+      line by @ndeloof in #12530
+    - add docker engine v28.x to the test-matrix by @thaJeztah in
+      #12539
+    - enable copyloopvar linter by @thaJeztah in #12542
+    - go.mod: remove toolchain directive by @thaJeztah in #12551
+
+  * Dependencies
+
+    - bump buildx v0.20.1 by @ndeloof in #12488
+    - bump docker to v27.5.1 by @ndeloof in #12491
+    - bump compose-go v2.4.8 by @ndeloof in #12543
+    - bump golang.org/x/sys from 0.28.0 to 0.30.0 by @dependabot in
+      #12529
+    - bump github.com/moby/term v0.5.2 by @thaJeztah in #12540
+    - bump github.com/otiai10/copy from 1.14.0 to 1.14.1 by
+      @dependabot in #12493
+    - bump github.com/jonboulle/clockwork from 0.4.0 to 0.5.0 by
+      @dependabot in #12430
+    - bump github.com/spf13/pflag from 1.0.5 to 1.0.6 by
+      @dependabot in #12548
+    - bump golang.org/x/sync from 0.10.0 to 0.11.0 by @dependabot
+      in #12547
+    - bump gotest.tools/v3 from 3.5.1 to 3.5.2 by @dependabot in
+      #12549
+
+- Update to version 2.32.4:
+
+  * add missing tag for build during merge workflow
+  * ci: re-use local source to build binary images
+  * ci: use local source for binary builds
+
+- Update to version 2.32.3:
+
+  * ci: update bake-action to v6
+  * simplification
+  * image can be set to a local ID, that isn't a valid docker ref
+  * can't render progress concurrently with buildkit
+  * exclude one-off container running convergence
+  * Only override service mac if set on the main network.
+
+- Update to version 2.32.2:
+
+  * remove engine v25 from e2e test matrix The 1st version
+    available for Ubuntu 24.x is Docker Engine v26
+  * fix relative path in compose file
+  * bump compose-go to v2.4.7
+  * replace tibdex/github-app-token by official GitHub
+    create-github-app-token
+  * bump golang.org/x/net to v0.33.0 to fix potential security
+    issue https://github.com/golang/go/issues/70906
+  * checkExpectedVolumes must ignore anonymous volumes
+  * When retrying to resolveOrCreateNetwork, retry with a valid
+    network name
+  * only check bind mount conflict if sync action is involved
+  * use the 3 latest major versions of the engine to run e2e step
+  * bump Golang version to v1.22.10 and update CI actions
+  * add --pull to run command
+  * CI to validate fmt
+  * `make fmt` so any contributor can enforce formatting
+  * format code with gofumpt
+
+- Update to version 2.32.1:
+  * e2e test to prevent future regression
+  * only check volume mounts for updated config
+
+- Update to version 2.32.0:
+  * e2e test for recreate volume
+  * build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1
+  * build(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0
+  * build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0
+  * prompt user to confirm volume recreation
+  * Recreate container on volume configuration change
+  * introduce watch restart action
+  * bump otel dependencies to v1.28.0 and v0.53.0 to align with
+    buildx, buildkit and engine versions
+  * bump docker/buildx to latest release
+  * fix support for service.mac_address
+  * update xx to v1.6.1 for compatibility with alpine 3.21 and file
+    5.46+
+  * build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0
+  * Update pkg/e2e/watch_test.go
+  * first watch action for a file event wins
+  * fix
+  * revisit TestDebounceBatching
+  * introduce sync+exec watch action
+  * log configuration error as a watch log event
+  * do not require a build section but for `rebuild` action
+  * pull --quiet should not drop status message, only progress
+  * use latest engine tags
+  * Bump buildx to 0.19.1
+  * be sure everything has been cleanup at the end of each tests
+  * add local config.json to test configuration dir if exists
+  * disable failing TestBuildSSH test
+  * fix build with bake
+
+- Update to version 2.31.0:
+  * bump containerd to v1.7,24
+  * bump google.golang.org/grpc to v1.68.0
+  * build(deps): bump github.com/moby/buildkit from 0.17.1 to
+    0.17.2
+  * build(deps): bump github.com/compose-spec/compose-go/v2
+  * only stop dependent containers ... if there's some
+  * disable TestNetworkConfigChanged which is unstable on CI
+  * only check attached networks on running containers
+  * fix: commit tests
+  * feat: add commit command
+  * run build tests against bake
+  * delegate build to buildx bake
+  * build(deps): bump github.com/stretchr/testify from 1.9.0 to
+    1.10.0
+  * use service.stop to stop dependent containers
+  * Update wait-timeout flag usage to include the unit
+  * go.mod: github.com/docker/cli v27.4.0-rc.2
+  * go.mod: github.com/docker/docker v27.4.0-rc.2
+  * go.mod: github.com/docker/cli 8d1bacae3e49 (v27.4.0-rc.2-dev)
+  * go.mod: github.com/docker/cli v27.4.0-rc.1
+  * go.mod: github.com/docker/docker v27.4.0-rc.1
+  * Update pkg/compose/convergence.go
+  * detect network config changes and recreate if needed
+  * go.mod: github.com/docker/buildx v0.18.0
+  * go.mod: github.com/moby/buildkit v0.17.1
+  * gha: test against docker engine v27.4.0
+  * push empty descriptor layer when using OCI version 1.1 for
+    Compose artifact it fixes a repository creation issue when
+    pushing the 1st time a Compose OCI artifact on the Hub
+  * remove ddev e2e tests
+  * implement remove-orphans on run
+  * ci: enable testifylint linter
+  * Emit events for building images
+  * Fix compose images that reutn a different image with the same
+    ID
+  * remove obsolete containers first on scale down
+  * pass stal bot inactivity limit from 6 to 3 months
+  * fix(config): Print service names with --no-interpolate
+  * build(deps): bump golang.org/x/sys from 0.26.0 to 0.27.0
+  * build(deps): bump golang.org/x/sync from 0.8.0 to 0.9.0
+
+- Update to version 2.30.3:
+  * bump compose-go v2.4.4
+  * Avoid starting all services on rebuild
+
+- Update to version 2.30.2:
+  * remove ArtifactType from Config in OCI v1.1 definition of the
+    artifact
+  * build(deps): bump github.com/compose-spec/compose-go/v2
+  * Service being declared in a profile must not trigger
+    re-creation
+  * Add profile e2e test case to document in compose
+  * Update `MAINTAINERS` file
+
+- Update to version 2.30.1:
+  * bump compose-go to version v2.4.2
+
+- Update to version 2.30.0:
+  * Improvements
+    - Introduce service hooks by @ndeloof (12166)
+    - Introduce generate command as alpha command by @glours
+      (12209)
+    - Add export command by @jarqvi (12120)
+    - Add support for CDI device request using devices by @ndeloof
+      (12184)
+    - Add support for bind recursive by @ndeloof (12210)
+    - Allow usage of -f flag with OCI Compose artifacts by @glours
+      (12220)
+  * Fixes
+    - Append unix-style relative path when computing container
+      target path by @ndeloof (12145)
+    - Wait for dependent service up to delay set by --wait-timeout
+      by @ndeloof (12156)
+    - Check secret source exists, as bind mount would create target
+      by @ndeloof (12151)
+    - After container restart register printer consumer by @jhrotko
+      (12158)
+    - Fix(down): Fix down command if specified services are not
+      running by @idsulik (12164)
+    - Show watch error message and open DD only when w is pressed
+      by @jhrotko (12165)
+    - Fix(push): Fix unexpected EOF on alpha publish by @idsulik
+      (12169)
+    - Fix(convergence): Serialize access to observed state by
+      @anantadwi13 (12150)
+    - Remove feature flag integration with Docker Desktop for
+      ComposeUI and ComposeNav by @jhrotko (12192)
+    - Support Dockerfile-specific ignore-file with watch by
+      @ndeloof (12193)
+    - Add support for raw env_file format by @ndeloof (12179)
+    - Convert GPUs to DeviceRequests with implicit "gpu" capability
+      by @ndeloof (12197)
+    - Improve error message to include expected network label by
+      @divinity76 (12213)
+    - Don't use progress to render restart, which hides logs by
+      @ndeloof (12226)
+    - One-off containers are not indexed, and must be ignored by
+      exec --index command by @ndeloof (12224)
+    - Don't warn about uid/gid not being supported while ... they
+      are by @ndeloof (12232)
+    - Connect to external networks by name by @ndeloof (12234)
+    - Fix push error message typo by @chris-crone (12237)
+    - Fix(dockerignore): Add wildcard support to dockerignore.go by
+      @idsulik (12239)
+  * Internal
+    - Remove bind options when creating a volume type by @jhrotko
+      (12177)
+    - pass device.options to engine by @ndeloof (12183)
+    - Add security policy by @thaJeztah (12194)
+    - Gha: set default permissions to "contents: read" by
+      @thaJeztah (12195)
+    - Desktop: allow this client to be identified via user-agent by
+      @djs55 (12212)
+    - Compose-go clean volume target to avoid ambiguous comparisons
+      by @ndeloof (12208)
+  * Dependencies
+    - Bump docker v27.3.1 by @ndeloof (12178)
+    - Build(deps): bump golang.org/x/sys from 0.25.0 to 0.26.0 by
+      @dependabot (12189)
+    - Bump compose-go to v2.3.0 by @glours (12198)
+    - Bump compose-go to v2.4.0 by @glours (12231)
+    - Bump compose-go to v2.4.1 by @glours (12243)
+    - Build(deps): bump github.com/containerd/containerd from
+      1.7.22 to 1.7.23 by @dependabot (12211)
+    - Bump golang minimal version to 1.22 in go.mod by @glours
+      (12246)
+    - Bump go.uber.org/mock to v0.5.0 and google.golang.org/grpc to
+      v1.67.1 by @glours (12245)
+
+- Update to version 2.29.7:
+  * revert commits link to mount API over bind changes
+
+- Update to version 2.29.6:
+  * don't set propagation if target engine isn't linux
+  * build(deps): bump github.com/docker/docker v27.3.0-rc.2
+  * build(deps): bump github.com/docker/cli v27.3.0-rc.2
+
+- Update to version 2.29.5:
+  * set propagation default
+  * Remove custom codeql workflow
+
+- Update to version 2.29.4:
+  * fix import
+  * chore(watch): Add debug log when skipping service without build
+    context
+  * stop dependent containers before recreating diverged service
+  * Fixed possible `nil` pointer dereference
+  * bump github.com/docker/buildx v0.17.1
+  * build(deps): bump docker, docker/cli to v27.3.0-rc.1
+  * gha: test against docker engine v27.3.0
+
+- Update to version 2.29.3:
+  * show sync files only in debug level
+  * chore(watch): Add changed files path/count to log
+  * build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0
+  * bump compose-go to version v2.2.0
+  * Restore compose v1 behavior to recreate containers when ran
+    with -V
+  * fix linting issues with golangci-lint 1.60.2
+  * bump golang to version 1.22.7
+  * bump dependencies versions, engine and cli v27.2.1 containerd
+    v1.7.22 buildx v0.17.0 buildkit v0.16.0
+  * build(deps): bump golang.org/x/sys from 0.22.0 to 0.25.0
+  * Fix typos
+  * Use logrus instead of direct output to stderr.
+  * attach: close streams when done
+  * Fix typo in pull.go
+  * Allow combination of bind mounts and 'rebuild' watches
+  * service hash must exlude depends_on
+  * prefer mount API over bind
+  * docs: duplicate documentation for root cmd
+  * docs(wait): Fix wait command description
+  * allow to add empty line in the logs when nav menu activated
+  * upgrade docker versions
+
+- Build with go 1.22 to avoid issues when processing go.mod per
+  https://github.com/golang/go/issues/62278#issuecomment-1698829945
+
+- Update to version 2.29.2:
+  * initial sync files that modified after image creation
+  * initial sync for root directory
+  * Removes redundant condition from toAPIBuildOptions in build.go
+  * docs: Update docker compose kill usage
+  * Fix stop on file chane for sync-restart action
+  * bump engine and cli to v27.1.1, buildx to v0.16.1
+  * remove all dependabot update PRs for OTel dependencies
+  * gp.mod: github.com/gofrs/flock v0.12.1
+  * go.mod: golang.org/x/sys v0.22.0
+  * update to go1.21.12
+
+- Update to version 2.29.1:
+  * Enhance JSON progress events with more fields.
+  * bump compose-go v2.1.5
+  * bump github.com/docker/cli v27.1.0
+  * bump github.com/docker/docker v27.1.0
+  * bump github.com/containerd/containerd v1.7.20
+  * gha: add docker 27.1.0
+  * fix(containers): fix sorting logic by adding secondary sorting
+    for one-off containers
+
+- Update to version 2.29.0:
+  * fix: typos
+  * update docs generation to avoid man pages generation
+  * bump compose-go to v2.1.4, buildx to v0.16.0, containerd to
+    v1.7.19 and buildx to v0.15.0
+  * restore setEnvWithDotEnv
+  * empty env variable with no value must be unset in container
+  * exclude unnecessary resources after services have been selected
+  * change time for stale bot
+  * Remove debug mode and run twice a week
+  * Add stale workflow
+  * update docs
+  * feat(watch): Add --prune option to docker-compose watch command
+  * Remove COMPOSE_MENU env from e2e tests
+  * Use rawjson for the build backend.
+  * Set logging format to JSON.
+  * Format errors as JSON when in JSON progress mode.
+  * Pass 'plain' instead of 'json' to build backend
+  * Add JSON stream progress writer
+  * go.mod: docker/cli, docker/docker v27.0.3
+  * gha: test against docker v27.0.3
+  * go.mod: docker/cli, docker/docker v27.0.2
+
+- Update to version 2.28.1:
+  * Remove `console.Terminal` check and use `IsTerminal` from
+    `streams.Out`
+
+- Update to version 2.28.0:
+  * go.mod: github.com/compose-spec/compose-go v2.1.3
+  * go.mod: docker/docker and docker/cli v27.0.1-rc.1
+
+- Update to version 2.27.3:
+  * build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1
+  * build(deps): bump github.com/docker/buildx from 0.15.0 to
+    0.15.1
+
+- Update to version 2.27.2:
+  * using as flag of the up command, watch was blocking process
+    shutdown This happened when sunsetting the application from
+    docker compose down command
+  * Add open watch docs in up menu
+  * bump buildkit to v0.14.0 and buildx to v0.15.0
+  * stop watch process when associated up process is stopped
+  * build(deps): bump github.com/docker/docker
+  * build(deps): bump github.com/containerd/containerd from 1.7.17
+    to 1.7.18
+  * build(deps): bump golang.org/x/sys from 0.20.0 to 0.21.0
+  * build(deps): bump github.com/hashicorp/go-version from 1.6.0 to
+    1.7.0
+  * build: replace uses of archive.CanonicalTarNameForPath
+  * update gh actions versions, update engine matrix, bump golang
+    to 1.21.11
+  * enforce keyboard.Close is always executed to restore terminal
+  * config --environment
+  * Readd event
+  * remove unreachable code
+  * Fix dot env file to define COMPOSE_* variables
+  * return an error when --detach and --watch are used together in
+    up command
+  * Correct 'cancellation' typo in comment
+  * Fix: change append to use slice index in ps.go
+  * COMPOSE_PROFILES can be set by .env file
+  * prevent concurrent map write relying on project immutability
+
+- Update to version 2.27.1:
+  * build(deps): bump github.com/containerd/containerd from 1.7.16
+    to 1.7.17
+  * build(deps): bump github.com/docker/buildx from 0.14.0 to
+    0.14.1
+  * drop COMPOSE_EXPERIMENTAL_OTEL as docker/cli has opentelemetry
+    in
+  * add gui/composeview as part of available commands
+  * fix opentelemetry
+  * bump compose-go to version v2.1.1
+  * Set endpoint-specific DriverOpts
+  * Bump compose-go version to latest main
+  * Backport OpenBSD patches
+  * add new navigation menu to open Compose app configuration in
+    Docker Desktop
+  * build(deps): bump github.com/fsnotify/fsevents from 0.1.1 to
+    0.2.0
+  * build(deps): bump golang.org/x/sys from 0.19.0 to 0.20.0
+  * fix --resolve-image-digests
+  * allow a local .env file to override compose.yaml sibling .env
+  * Bump docker engine and cli to version 26.1.3
+  * Bump docker to v26.1.2
+  * Add documentation for --menu up option and COMPOSE_MENU
+    environemnt variable
+  * chore(deps): bump docker to v26.1.1 (#11794)
+
+- Update to version 2.27.0:
+  * fix: overlapping logs and menu navigation (#11765)
+  * build(deps): bump github.com/moby/buildkit
+  * chore(e2e): fix flaky cascade failure test
+  * use v2.26.1 tag for moby and Docker cli
+  * chore(deps): update to Moby v26.1 &amp; buildx v0.14
+  * bump compose-go version to v2.1.0
+  * fix support for --context=foo
+  * Fix #11710: Avoid to try to close channel twice after hitting
+    Ctrl-C on compose up (#11719)
+  * fix(desktop): remove overly-aggressive feature flag check
+    (#11748)
+  * chore: fix typo in comment
+  * bump dependencies
+  * fix: do not try to create file shares for non-directories
+  * check container_name is not in use by another service we will
+    create
+  * don't clear line when navigation is disabled
+  * fix: return correct exit code with `--exit-code-from` (#11715)
+  * progress for resource can be restarted after more Working event
+    comes
+  * Revert "Stop the resource timer after last expected event"
+  * Revert change to allow trying to kill again if a kill fails
+  * Handle errors and allow to send multiple kills if one failed
+  * Ignore errors when killing on second Ctrl-C
+  * docker compose up always kills the containers on second Ctrl-C
+  * read COMPOSE_REMOVE_ORPHANS from .env
+  * Set Required false to depends_on containers for compose -p
+    stop/down
+  * Ignore missing containers when compose stop -p
+  * Ignore missing containers when compose down -p
+  * Introduce support for build.entitlements
+  * Remove dead url reference.
+  * e2e test for --all-resources
+  * introduce --all-resources to _not_ exclude resources not used
+    by services
+  * Introduce --abort-on-container-failure
+  * bump golang version to 1.21.9
+  * don't use ansi espace sequence when disabled
+
+- Update to version 2.26.1:
+  * Does not start keyboard manager if there is no tty
+  * Change menu information text to dim
+  * Handle --no-build and --watch args
+  * build(deps): bump github.com/opencontainers/image-spec
+  * Unwrap error message.
+  * Include error message in pull warning/errors
+
+- Update to version 2.26.0:
+  * chore(desktop): revised feature detection for file shares
+  * Add Navigation Menu to compose up
+  * Add support for volume Subpath option
+  * Bump docker v26.0.0
+  * introduce config --variables to list compose model variables
+  * Fix docs on default build image name
+  * Bump compose-go to v2.0.2
+  * add support for annotations
+  * Revert "Bump compose-go to v2.0.1"
+  * Bump compose-go to v2.0.1
+  * feat(desktop): synchronized file share integration (#11614)
+  * feat(experiments): add experimental feature state (#11633)
+  * reduce timeout of the Otel tracing command
+  * fix `compose config --format json`
+
+- Update to version 2.25.0:
+  * Bump compose-go v2.0.0
+  * services shell completion bugfix
+  * fix TestBuildPlatformsWithCorrectBuildxConfig
+  * only use ToModel when --no-interpolate is set
+  * feat(desktop): add Docker Desktop detection and client skeleton
+    (#11593)
+
+- Update to version 2.24.7:
+  * chore(deps): upgrade go to 1.21.8 (#11578)
+  * ci(deps): bump moby/moby &amp; docker/cli to v25.0.4 (#11566)
+  * Add test summary for test jobs in ci
+  * make code simpler
+  * avoid duplicated "xx exited with code 0" message
+  * introduce --watch
+  * move code into small functions for better readability
+  * restore support for `config --no-interpolate`
+  * remove docker cli step in ci.yml
+  * get log to manage `attach`
+  * bump compose-go to version v2.0.0-rc.8
+  * use an dedicated compose file --quiet-pull e2e test
+  * Add a fallback check of Watch pid on Windows False positives
+    were detected when checking the previous watch process state
+  * add support of QuietOption to create command
+  * pass QuietOption when starting dependencies from run command
+  * when ran with ANSI disabled, force progress=plain
+  * Issue-11374: Modified compose up command to respect
+    COMPOSE_REMOVE_ORPHANS environment variable
+  * ci: bump engine version to `25.0.3`
+  * sort containers to optimize scale down
+  * discard stdout for laaarge log test
+
+- Update to version 2.24.6:
+  * use listeners to collect include metrics
+  * docs: update cli reference link
+  * docs: unify no trailing dots in docstrings and help (#11301)
+  * Use listener for file metadata
+  * fix deadlock collecting large logs
+  * chore(watch): remove old `docker cp` implementation
+  * ci(deps): bump docker/cli to v25.0.3 (#11481)
+  * pass All option to backend api.Service when length statuses is
+    not equal to zero
+  * Add OTEL specs: build, depends_on, capabilities (gpu/tpu)
+  * build(deps): bump github.com/opencontainers/image-spec
+  * feat(tracing): add project hash attr
+  * chore(load): ensure context passed to load
+  * Include all networks in ContainerCreate call if API &gt;= 1.44
+  * bump compose-go to v2.0.0-rc.4
+  * CI: docker engine version matrix
+  * build(deps): bump github.com/docker/cli
+  * Fix load .env from project directory when project file is set
+    by COMPOSE_FILE
+
+</description>
+  <package>docker-compose</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260108142454877887.187004354831441/_patchinfo

@@ -0,0 +1,18 @@
+<patchinfo incident="371">
+  <!-- generated from request(s) 398341 -->
+  <issue tracker="bnc" id="1231494">[Build 20241008-SELinux] openQA test fails in rsync_server: rsyncd cant start</issue>
+  <issue tracker="bnc" id="1255372">The rsync service cannot start in SELinux Enforcing state</issue>
+  <packager>rfrohl</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for selinux-policy</summary>
+  <description>This update for selinux-policy fixes the following issues:
+
+Update to version 20241031+git17.66062d7a5:
+
+* rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494, bsc#1255372)
+
+</description>
+  <package>selinux-policy</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260109142433097868.925254595339/_patchinfo

@@ -0,0 +1,16 @@
+<patchinfo incident="372">
+  <!-- generated from request(s) 398603 -->
+  <issue tracker="bnc" id="1256341">VUL-0: CVE-2025-13151: libtasn1: stack-based buffer overflow in `asn1_expend_octet_string`</issue>
+  <issue tracker="cve" id="2025-13151"/>
+  <packager>pmonrealgonzalez</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for libtasn1</summary>
+  <description>This update for libtasn1 fixes the following issues:
+
+- CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in
+  `asn1_expend_octet_string` (bsc#1256341).
+</description>
+  <package>libtasn1</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260109144230958366.925254595339/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="373">
+  <!-- generated from request(s) 398572 -->
+  <issue tracker="bnc" id="1256070">VUL-0: CVE-2025-15444: libsodium: Cryptographic bypass via improper elliptic curve point validation</issue>
+  <issue tracker="cve" id="2025-15444"/>
+  <packager>lmulling</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for libsodium</summary>
+  <description>This update for libsodium fixes the following issues:
+
+- CVE-2025-15444: missing checks when validating elliptic curve points allows for cryptographic bypass (bsc#1256070).
+</description>
+  <package>libsodium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260109151253589679.925254595339/_patchinfo

@@ -0,0 +1,26 @@
+<patchinfo incident="374">
+  <!-- generated from request(s) 398618 -->
+  <issue tracker="bnc" id="1255715">VUL-0: CVE-2025-68973: gpg2: gpg.fail/memcpy: Memory Corruption in ASCII-Armor Parsing</issue>
+  <issue tracker="bnc" id="1256243">VUL-0: gpg2: agent: Fix a memory leak</issue>
+  <issue tracker="bnc" id="1256244">VUL-0: gpg2: gpg.fail/detached: Error out on unverified output for non-detached signatures</issue>
+  <issue tracker="bnc" id="1256246">VUL-0: gpg2: gpg.fail/sha1: GnuPG may downgrade digest algorithm to SHA1 during key signature checking</issue>
+  <issue tracker="bnc" id="1256390">VUL-0: gpg2: gpg.fail/notdash: Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG</issue>
+  <issue tracker="cve" id="2025-68973"/>
+  <packager>ayankov</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for gpg2</summary>
+  <description>This update for gpg2 fixes the following issues:
+
+- CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715).
+
+Other security fixes:
+
+- gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246).
+- gpg: Error out on unverified output for non-detached signatures (bsc#1256244).
+- agent: Fix a memory leak (bsc#1256243).
+- gpg: Deprecate the option --not-dash-escaped (bsc#1256390).
+</description>
+  <package>gpg2</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260112101224252559.187004354831441/_patchinfo

@@ -0,0 +1,64 @@
+<patchinfo incident="375">
+  <!-- generated from request(s) 398664, 398665 -->
+  <issue tracker="bnc" id="1241826">VUL-0: CVE-2025-22872: elemental-register,elemental-toolkit,elemental-operator: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
+  <issue tracker="bnc" id="1241857">VUL-0: CVE-2025-22872: elemental-agent: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
+  <issue tracker="bnc" id="1251511">VUL-0: CVE-2025-47911: elemental-register,elemental-operator,elemental-toolkit: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1251679">VUL-0: CVE-2025-58190: elemental-operator,elemental-register,elemental-toolkit: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1253581">VUL-0: CVE-2025-47913: elemental-toolkit: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="bnc" id="1253901">VUL-0: CVE-2025-58181: elemental-toolkit: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="bnc" id="1254079">VUL-0: CVE-2025-47914: elemental-toolkit: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="cve" id="2025-22872"/>
+  <issue tracker="cve" id="2025-47911"/>
+  <issue tracker="cve" id="2025-47913"/>
+  <issue tracker="cve" id="2025-47914"/>
+  <issue tracker="cve" id="2025-58181"/>
+  <issue tracker="cve" id="2025-58190"/>
+  <packager>dcassany</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for elemental-toolkit, elemental-operator</summary>
+  <description>This update for elemental-toolkit, elemental-operator fixes the following issues:
+
+elemental-operator:
+
+  - Update to v1.7.4:
+
+    * Bump github.com/rancher-sandbox/go-tpm and its dependencies
+               This bump includes few CVE fixes:
+               * bsc#1241826 (CVE-2025-22872)
+               * bsc#1241857 (CVE-2025-22872)
+               * bsc#1251511 (CVE-2025-47911)
+               * bsc#1251679 (CVE-2025-58190)
+    * Install yip config files in before-install step
+    * Revert "Do not delete ManagedOSVersions by default"
+    * Set default channel variable names consistent with OS version
+    * Do not delete ManagedOSVersions by default
+    * Include -channel suffix to channel names
+    * OS channel: enable baremetal channel by default
+
+elemental-toolkit:
+
+  - Update to v2.2.7:
+
+    * Bump toolkit build to go 1.24
+    * Bump golang.org/x/crypto library
+               This bumg includes few CVE fixes:
+                * bsc#1241826 (CVE-2025-22872)
+                * bsc#1241857 (CVE-2025-22872)
+                * bsc#1251511 (CVE-2025-47911)
+                * bsc#1251679 (CVE-2025-58190)
+                * bsc#1253581 (CVE-2025-47913)
+                * bsc#1253901 (CVE-2025-58181)
+                * bsc#1254079 (CVE-2025-47914)
+
+  - Update to v2.2.5:
+
+    * Permissive mode for green selinux
+    * Adapt code and unit tests
+    * Minor change to lookup devices using blkid
+
+</description>
+  <package>elemental-operator</package>
+  <package>elemental-toolkit</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260112101721826875.187004354831441/_patchinfo

@@ -0,0 +1,19 @@
+<patchinfo incident="376">
+  <!-- generated from request(s) 398720, 398721 -->
+  <packager>mlandres</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for libsolv</summary>
+  <description>This update for libsolv fixes the following issues:
+
+libsolv was updated to 0.7.35:
+
+  - fixed rare crash in the handling of allowuninstall in combination
+    with forcebest updates
+  - new pool_satisfieddep_map feature to test if a set of packages
+    satisfies a dependency
+</description>
+  <package>libsolv</package>
+  <seperate_build_arch/>
+  <zypp_restart_needed/>
+</patchinfo>

patchinfo.20260112103353361683.248533169425576/_patchinfo

@@ -0,0 +1,16 @@
+<patchinfo incident="377">
+  <!-- generated from request(s) 398578 -->
+  <issue tracker="bnc" id="1256105">VUL-0: CVE-2025-14017: curl: broken TLS options for threaded LDAPS</issue>
+  <issue tracker="cve" id="2025-14017"/>
+  <packager>lmulling</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for curl</summary>
+  <description>This update for curl fixes the following issues:
+
+- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
+</description>
+  <package>curl</package>
+  <package>curl:mini</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260113105320588700.248533169425576/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="378">
+  <!-- generated from request(s) 398743 -->
+  <issue tracker="bnc" id="1255491">VUL-0: CVE-2025-68615: net-snmp: a specially crafted packet can cause a buffer overflow and the daemon to crash</issue>
+  <issue tracker="cve" id="2025-68615"/>
+  <packager>abergmann</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for net-snmp</summary>
+  <description>This update for net-snmp fixes the following issues:
+
+- CVE-2025-68615: Fixed snmptrapd buffer overflow (bsc#1255491).
+</description>
+  <package>net-snmp</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260113124807205635.248533169425576/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="380">
+  <!-- generated from request(s) 398737 -->
+  <issue tracker="bnc" id="1237543">VUL-0: CVE-2025-0838: abseil-cpp: heap buffer overflow in sized constructors, reserve(), and rehash() methods of absl:{flat,node}hash{set,map}</issue>
+  <issue tracker="cve" id="2025-0838"/>
+  <packager>glaubitz</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for abseil-cpp</summary>
+  <description>This update for abseil-cpp fixes the following issues:
+
+Update to version 20230802.3:
+
+- CVE-2025-0838: Fixed potential integer overflow in hash container create/resize (#1813) (bsc#1237543).
+</description>
+  <package>abseil-cpp</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260113125347403729.248533169425576/_patchinfo

@@ -0,0 +1,19 @@
+<patchinfo incident="381">
+  <!-- generated from request(s) 398693 -->
+  <issue tracker="bnc" id="1254666">VUL-0: CVE-2025-14104: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames</issue>
+  <issue tracker="cve" id="2025-14104"/>
+  <issue tracker="jsc" id="PED-13682"/>
+  <packager>sbrabec</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for util-linux</summary>
+  <description>This update for util-linux fixes the following issues:
+
+- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
+- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
+</description>
+  <package>util-linux</package>
+  <package>util-linux:python</package>
+  <package>util-linux:systemd</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260113125428117014.248533169425576/_patchinfo

@@ -0,0 +1,16 @@
+<patchinfo incident="382">
+  <!-- generated from request(s) 398808 -->
+  <issue tracker="bnc" id="1256331">VUL-0: CVE-2026-21441: python-urllib3,python-urllib3_1,python36-urlliurlllibb3: excessive resource consumption during decompression of data in HTTP redirect responses</issue>
+  <issue tracker="cve" id="2026-21441"/>
+  <packager>glaubitz</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for python-urllib3</summary>
+  <description>This update for python-urllib3 fixes the following issues:
+
+- CVE-2026-21441: Fixed excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331).
+</description>
+  <package>python-urllib3</package>
+  <package>python-urllib3:test</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260114091933280356.248533169425576/_patchinfo

@@ -0,0 +1,26 @@
+<patchinfo incident="379">
+  <!-- generated from request(s) 398897 -->
+  <issue tracker="bnc" id="1252555">VUL-0: CVE-2025-12105: libsoup,libsoup2: heap use-after-free in message queue handling during HTTP/2 read completion</issue>
+  <issue tracker="bnc" id="1254876">VUL-0: CVE-2025-14523: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins)</issue>
+  <issue tracker="bnc" id="1256399">VUL-0: CVE-2026-0719: libsoup,libsoup2: stack-based buffer overflow in NTLM authentication can lead to arbitrary code execution</issue>
+  <issue tracker="bnc" id="1256418">VUL-0: CVE-2026-0716: libsoup: improper bounds handling may allow out-of-bounds read</issue>
+  <issue tracker="cve" id="2025-12105"/>
+  <issue tracker="cve" id="2025-14523"/>
+  <issue tracker="cve" id="2026-0716"/>
+  <issue tracker="cve" id="2026-0719"/>
+  <packager>AZhou</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for libsoup</summary>
+  <description>This update for libsoup fixes the following issues:
+
+- CVE-2025-14523: flaw in HTTP header handling can lead to host header parsing discrepancy between servers and proxies
+  and allow for request smuggling, cache poisoning and bypass of access controls (bsc#1254876).
+- CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion can lead to undefined
+  behavior or crash (bsc#1252555).
+- CVE-2026-0716: Fixed out-of-bounds read for websocket (bsc#1256418).
+- CVE-2026-0719: Fixed overflow for password md4sum (bsc#1256399).
+</description>
+  <package>libsoup</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260123124636505966.187004354831441/_patchinfo

@@ -0,0 +1,46 @@
+<patchinfo>
+  <!-- generated from request(s) 399654 -->
+  <packager>adrianSuSE</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for product-composer</summary>
+  <description>This update for product-composer fixes the following issues:
+
+update to version 0.5.17:
+
+  * backport set_updateinfo_prefix support per flavor
+  * dropping schema validation in 0.5 branch to avoid additional
+    dep in SLFO 1.1
+
+update to version 0.5.16:
+
+  * package EULA support added
+  * agama: do not take the iso meta data from the agama iso
+  * code cleanup and refactoring
+  * build description files are now validated.
+  * verify command is now checking all flavors by default.
+
+update to version 0.5.15:
+
+  * fix generation of gpg-pubkey content tags
+  * Do not error out in updateinfo_packages_only mode if packages are not found
+  * Set BUILD_DIR before calling the sbom generator
+  * Handle build_options in flavors different
+    Add them to the global set, instead of replacing the global set.
+  * Fix handover of multiple --build-option cli parameters
+
+update to version 0.5.14:
+
+  * fixing CPE-ID generation (ommit * in empty fields)
+  * allowing to select build-options via cli and project build configuration
+
+update to version 0.5.13:
+
+  * support encoding of "update" and "edition" fields into CPE
+  * allow blacklisting binaries via updateinfo flag
+  * allow to specify repodata config per flavor
+
+</description>
+  <package>product-composer</package>
+  <seperate_build_arch/>
+</patchinfo>