Update submodules from pool/MozillaThunderbird#5 and create patchinfo.20251027101939269288.187004354831441/_patchinfo

PR: products/PackageHub!188

.gitea/workflows/patchinfo_numberator.yaml

@@ -1,37 +1,35 @@
 # Use this as .gitea/workflows/patchinfo_numberator.yaml in all products/* repos
-name: Patchinfo ID numberator
-run-name: ${{ gitea.actor }} is setting patchinfo numbers
-on: [push]
+name: Patchinfo incident numbering
+
+on:
+  push:
+  workflow_dispatch:
+
+env:
+  REPO_PATH: /workspace/${{ gitea.repository }}
+  REPO_URL: https://gitea-actions-autobuild:${{ secrets.REPO_WRITE }}@$RUNNER_GITEA_DOMAIN/${{ gitea.repository }}.git
 
 jobs:
   use-go-action:
-    runs-on: tumbleweed
+    runs-on: tumbleweed_autobuild
     steps:
-      # Install packages if not provided by image
-      - run: |
-          rpm -q go && exit 0
-          zypper ref
-          zypper in -y go
-      # Generic action from GitHub to clone the product git repo
+
       - name: Checkout product
-        uses: https://gitea-actions-autobuild:${{ secrets.REPO_READ }}@src.opensuse.org/actions/github-actions-checkout@v4
-        with:
-          token: ${{ secrets.REPO_WRITE }}
-          repo-sha256: true
+        run: |
+          test -n "${{ env.REPO_PATH }}" && rm -rfv "${{ env.REPO_PATH }}"/*
+          git config --global --add safe.directory ${{ env.REPO_PATH }}
+          git clone ${{ env.REPO_URL }} ${{ env.REPO_PATH }}
 
       - name: Update all new _patchinfo files
-        uses: https://gitea-actions-autobuild:${{ secrets.REPO_READ }}@src.opensuse.org/actions/patchinfo-numbering-action@v0
-      - name: Get last commit author
-        id: last-commit
-        run: |
-          echo "author=$(git log -1 --pretty='%an <%ae>')" >> $GITHUB_OUTPUT
-      - name: Commit changes back
-        uses: https://gitea-actions-autobuild:${{ secrets.REPO_READ }}@src.opensuse.org/actions/stefanzweifel-git-auto-commit-action@v5
+        uses: https://src.opensuse.org/actions/patchinfo-numbering-action@v0
+        with:
+          prefix: packagehub-
+
+      - name: Commit changes
+        uses: https://src.opensuse.org/actions/stefanzweifel-git-auto-commit-action@v5
         with:
           commit_user_name: gitea-actions-autobuild
-          commit_user_email: autobuild+gitea@opensuse.org
-          commit_author: ${{ steps.last-commit.outputs.author }}
-          commit_message: "Update incident numbers [skip actions]"
+          commit_author: Patchinfo incident numbering <gitea-actions-autobuild@noreply.src.opensuse.org> 
+          commit_message: "Update patchinfo incident numbers [skip actions]"
           commit_options: '--no-edit'
           skip_fetch: true
-

0Backports/Backports.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Fri Oct 10 07:19:41 UTC 2025 - Wolfgang Engel <wolfgang.engel@suse.com>
+
+- Backports.productcompose:
+  + add to backports_unneeded, not needed 
+    micro patterns that are coming from SLES
+      patterns-micro-alt_onlyDVD                               
+      patterns-micro-cloud                                     
+      patterns-micro-defaults                                  
+      patterns-micro-fips                                      
+      patterns-micro-hardware                                  
+      patterns-micro-ima-evm                                   
+      patterns-micro-kvm_host                                  
+      patterns-micro-onlyDVD                                   
+      patterns-micro-ra-agent                                  
+      patterns-micro-ra-verifier                               
+      patterns-micro-salt_minion                               
+      patterns-micro-sssd-ldap            
+
 -------------------------------------------------------------------
 Mon Oct  6 14:49:27 UTC 2025 - Wolfgang Engel <wolfgang.engel@suse.com>
 

0Backports/Backports.productcompose

@@ -14,7 +14,7 @@ scc:
 
 build_options:
 ### For maintenance, otherwise only "the best" version of each package is picked:
-# - take_all_available_versions
+- take_all_available_versions
 - hide_flavor_in_product_directory_name
 
 ### Since the Backports product build is not self-contained in a single repository,
@@ -32,8 +32,8 @@ debug: split
 repodata: all
 
 # has only an effect during maintenance:
-set_updateinfo_from: maint-coord@suse.de
-# set_updateinfo_id_prefix: openSUSE-Leap-16.0-
+set_updateinfo_from: maintenance@opensuse.org
+set_updateinfo_id_prefix: SUSE-PackageHub-16.0-
 
 flavors:
   backports_aarch64:
@@ -204,7 +204,20 @@ packagesets:
   - pam-extra-32bit
   - patterns-base-kernel_livepatching
   - patterns-base-transactional_base
+  - patterns-micro-alt_onlyDVD
+  - patterns-micro-cloud
+  - patterns-micro-defaults
   - patterns-micro-elemental_client
+  - patterns-micro-defaults
+  - patterns-micro-fips
+  - patterns-micro-hardware
+  - patterns-micro-ima-evm
+  - patterns-micro-kvm_host
+  - patterns-micro-onlyDVD
+  - patterns-micro-ra-agent
+  - patterns-micro-ra-verifier
+  - patterns-micro-salt_minion
+  - patterns-micro-sssd-ldap
   - patterns-sap-bone
   - patterns-base-update_test
   - plymouth-branding-upstream

_config

@@ -1,4 +1,8 @@
+%if 0%{?is_stage_project}
+Release: <CI_CNT>.<B_CNT> spec:bp160.999999.<CI_CNT>.<B_CNT>
+%else
 Release: <CI_CNT>.<B_CNT> spec:bp160.<CI_CNT>.<B_CNT>
+%endif
 
 # 000productcompose experiment
 %if "%_repository" == "product"
@@ -143,7 +147,7 @@ Substitute: wallpaper-branding-openSUSE wallpaper-branding-SLE
 %define is_opensuse  1
 %define is_backports 1
 
-%if "%_project" == "openSUSE:Backports:SLE-16.0" || "%_project" == "openSUSE:Backports:SLE-16.0:git"
+%if 0%{?_is_in_project}
 Macros:
 %vendor openSUSE
 %distribution SUSE Linux Enterprise 16
@@ -164,7 +168,7 @@ Macros:
 
 # Leap specific package list, the same list with excludebuild must add to Backports project
 # Most of package should be built in Backports
-%if "%_project" == "openSUSE:Backports:SLE-16.0" || "%_project" == "openSUSE:Backports:SLE-16.0:git"
+%if "%_project" == "openSUSE:Backports:SLE-16.0"
 # we build ffado:ffado-mixer for openSUSE, the main one is built in SLFO
 BuildFlags: excludebuild:ffado
 # build gpgme:qt flavor for qt5 support

patchinfo.20251010110535882810.90520734224245/_patchinfo

@@ -0,0 +1,66 @@
+<patchinfo incident="packagehub-1">
+  <issue tracker="bnc" id="1251334">VUL-0: chromium: release 141.0.7390.65</issue>
+  <issue tracker="cve" id="2025-11213">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-11216">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-11207">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-11211">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-11212">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-11210">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="bnc" id="1250780">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-11208">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-10890">VUL-0: chromium: release 140.0.7339.207</issue>
+  <issue tracker="cve" id="2025-11206">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-11460">VUL-0: chromium: release 141.0.7390.65</issue>
+  <issue tracker="cve" id="2025-11219">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="bnc" id="1250472">VUL-0: chromium: release 140.0.7339.207</issue>
+  <issue tracker="cve" id="2025-11205">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-10891">VUL-0: chromium: release 140.0.7339.207</issue>
+  <issue tracker="cve" id="2025-11458"/>
+  <issue tracker="cve" id="2025-11215">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-11209">VUL-0: chromium: release 141.0.7390.54</issue>
+  <issue tracker="cve" id="2025-10892">VUL-0: chromium: release 140.0.7339.207</issue>
+  <packager>AndreasStieger</packager>
+  <rating>critical</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 141.0.7390.76:
+
+  * Do not send URLs as AIM input. This is to resolve a privacy
+    concern, around passing urls to AI Mode.
+
+Chromium 141.0.7390.65 (boo#1251334):
+
+  * CVE-2025-11458: Heap buffer overflow in Sync
+  * CVE-2025-11460: Use after free in Storage
+  * CVE-2025-11211: Out of bounds read in WebCodecs
+
+Chromium 141.0.7390.54 (stable released 2025-09-30) (boo#1250780)
+
+  * CVE-2025-11205: Heap buffer overflow in WebGPU
+  * CVE-2025-11206: Heap buffer overflow in Video
+  * CVE-2025-11207: Side-channel information leakage in Storage
+  * CVE-2025-11208: Inappropriate implementation in Media
+  * CVE-2025-11209: Inappropriate implementation in Omnibox
+  * CVE-2025-11210: Side-channel information leakage in Tab
+  * CVE-2025-11211: Out of bounds read in Media
+  * CVE-2025-11212: Inappropriate implementation in Media
+  * CVE-2025-11213: Inappropriate implementation in Omnibox
+  * CVE-2025-11215: Off by one error in V8
+  * CVE-2025-11216: Inappropriate implementation in Storage
+  * CVE-2025-11219: Use after free in V8
+  * Various fixes from internal audits, fuzzing and other initiatives
+
+Chromium 141.0.7390.37 (beta released 2025-09-24)
+
+Chromium 140.0.7339.207 (boo#1250472)
+
+  * CVE-2025-10890: Side-channel information leakage in V8
+  * CVE-2025-10891: Integer overflow in V8
+  * CVE-2025-10892: Integer overflow in V8
+
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251015125625066283.90520734224245/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="packagehub-3">
+  <issue tracker="bnc" id="1252013">VUL-0: CVE-2025-11756: chromium: Use after free in Safe Browsing</issue>
+  <issue tracker="cve" id="2025-11756"/>
+  <packager>AndreasStieger</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 141.0.7390.107:
+
+* CVE-2025-11756: Use after free in Safe Browsing (boo#1252013)
+
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251017085122907353.93181000773252/_patchinfo

@@ -0,0 +1,103 @@
+<patchinfo incident="packagehub-4">
+  <packager>dheidler</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for opi</summary>
+  <description>This update for opi fixes the following issues:
+
+- Version 5.8.8
+  * Fix adding openh264 repo on leap 16.0
+
+This update for opi fixes the following issues:
+
+- Version 5.8.7
+  * Fix ocenaudio url
+  * Add LocalSend plugin
+  * Run all tests in verbose mode
+  * Print written repo files in verbose mode
+  * Increase timeouts in test/06_install_non_interactive.py
+  * Remove DNF references from README.md
+
+This update for opi fixes the following issues:
+
+- Version 5.8.5
+  * add librewolf plugin (#205)
+  * Install .NET 9
+  * Add verbose mode
+  * Change the order of the process in the github module
+  * Add rustdesk plugin
+
+This update for opi fixes the following issues:
+
+- Version 5.8.4
+  * Use arm64 rpm for libation on aarch64
+
+This update for opi fixes the following issues:
+
+- Version 5.8.3
+  * Install dependencies rpm-build and squashfs at runtime if needed
+  * Drop DNF support
+
+This update for opi fixes the following issues:
+
+- Version 5.8.2
+  * Warn about adding staging repos
+  * Gracefully handle zypper exit code 106 (repos without cache present)
+
+This update for opi fixes the following issues:
+
+- Version 5.8.1
+  * Fix SyntaxWarning: invalid escape sequence '\s'
+
+This update for opi fixes the following issues:
+
+- Version 5.8.0
+  * Add mullvad-brower
+
+This update for opi fixes the following issues:
+
+- Version 5.7.0
+  * Add leap-only plugin to install zellij from github release
+  * Don't use subprocess.run user kwarg on 15.6
+  * Fix tests: Use helloworld-opi-tests instead of zfs
+  * Perform search despite locked rpmdb
+  * Simplify backend code
+
+This update for opi fixes the following issues:
+
+- Use no macros in url in .spec for packtrack
+
+This update for opi fixes the following issues:
+
+- Version 5.6.0
+  * Add plugin to install vagrant from hashicorp repo
+
+This update for opi fixes the following issues:
+
+- Version 5.5.0
+  * Update opi/plugins/collabora.py
+  * add collabora office desktop
+  * Omit unsupported cli args on leap in 99_install_opi.py
+  * Switch to PEP517 install
+  * Fix 09_install_with_multi_repos_in_single_file_non_interactive.py
+  * Fix 07_install_multiple.py on tumbleweed
+  * Fix test suite on tumbleweed
+  * Update available apps in opi - README.md
+
+This update for opi fixes the following issues:
+
+- Version 5.4.0
+  * Show key ID when importing or deleting package signing keys
+  * Add option to install google-chrome-canary
+
+This update for opi fixes the following issues:
+
+- Version 5.3.0
+  * Fix tests for new zypper version
+  * fix doblue slash in packman repo url
+  * Add Plugin to install Libation
+
+</description>
+  <package>opi</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251017085327031166.93181000773252/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="packagehub-5">
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for virtme</summary>
+  <description>This update for virtme fixes the following issues:
+
+- Update to 1.38:
+  * Fix the infamous Stale file handle (ESTALE) errors with virtiofsd
+  * Fix for systemctl daemon-reload when systemd support is enabled
+  * Fix for a kernel symlink issue affecting openSUSE/SLE
+  * README/docs improvements
+  * Various coding style cleanups
+</description>
+  <package>virtme</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251020125830692820.93181000773252/_patchinfo

@@ -0,0 +1,55 @@
+<patchinfo incident="packagehub-6">
+  <issue tracker="bnc" id="1206292">[SELinux] Wine/Proton not working reliably with default SELinux configuration</issue>
+  <packager>regularhunter</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for lutris</summary>
+  <description>This update for lutris fixes the following issues:
+
+- Move selinux dependency
+
+- Fix gaming under selinux (bsc#1206292)
+
+- Fix wrong placement of lang_package macro in spec file
+
+- Update to 0.5.19:
+  * Fix Proton integration bugs so Proton-fixes are applied
+  * Do not offer DXVK, VKD3D, D3D Extras or DDXVK-NVAPI on Proton versions;
+    Proton will handle these.
+  * The "Enable Esync" and "Enable Fsync" settings are now passed on to Proton
+  * DXVK's integrated D8VK will be enabled in Proton
+  * Emulator BIOS file location (used by libretro) may be set in Preferences
+  * Obtain the release year from GOG and Itch.io.
+  * MAME Machine setting uses a searchable entry for its enourmous list
+  * Support for importing Commodore 64 ROMs
+
+- Add BuildRequires apparmor-abstractions, apparmor-rpm-macros for
+  Leap, fix for build error: directories not owned by a package:
+  /etc/apparmor.d
+
+- update to 0.5.18:
+  * Lutris downloads the latest GE-Proton build for Wine if any Wine version is installed
+  * Use dark theme by default
+  * Display cover-art rather than banners by default
+  * Add 'Uncategorized' view to sidebar
+  * Preference options that do not work on Wayland will be hidden when on Wayland
+  * Game searches can now use fancy tags like 'installed:yes' or 'source:gog', with explanatory tool-tip
+  * A new filter button on the search box can build many of these fancy tags for you
+  * Runner searches can use 'installed:yes' as well, but no other fancy searches or anything
+  * Updated the Flathub and Amazon source to new APIs, restoring integration
+  * Itch.io source integration will load a collection named 'Lutris' if present
+  * GOG and Itch.io sources can now offer Linux and Windows installers for the same game
+  * Added support for the 'foot' terminal
+  * Support for DirectX 8 in DXVK v2.4
+  * Support for Ayatana Application Indicators
+  * Additional options for Ruffle runner
+  * Updated download links for the Atari800 and MicroM8 runners
+  * No longer re-download cached installation files even when some are missing
+  * Lutris log is included in the 'System' tab of the Preferences window
+  * Improved error reporting, with the Lutris log included in the error details
+  * Add AppArmor profile for Ubuntu versions &gt;= 23.10
+  * Add Duckstation runner
+</description>
+  <package>lutris</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251023113823853491.93181000773252/_patchinfo

@@ -0,0 +1,57 @@
+<patchinfo incident="packagehub-7">
+  <issue tracker="bnc" id="1248768">[warewulf, REGRESSION] None of the disk/partition/filesystem Options to `wwctl profile set` appear to do anything</issue>
+  <issue tracker="bnc" id="1227465">[warewulf, kernel] After updating the Kernel in the Container Image 'wwctl container list' still shows old</issue>
+  <issue tracker="bnc" id="1246082">warewulf4-slurm suggest  slurm only</issue>
+  <issue tracker="bnc" id="1248906">VUL-0: CVE-2025-58058: warewulf4: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <issue tracker="bnc" id="1227686">[warewulf, kernel] Feature: Allow to determine the Kernel to boot - with none set, take latest</issue>
+  <issue tracker="cve" id="2025-58058">cve#2025-58058 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58058</issue>
+  <packager>mslacken</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for warewulf4</summary>
+  <description>This update for warewulf4 fixes the following issues:
+
+Changes in warewulf4:
+
+- Update to version 4.6.4:
+  * v4.6.4 release updates
+  * Convert disk booleans from wwbool to *bool which allows bools in
+    disk to be set to false via command line (bsc#1248768)
+  * Update NetworkManager Overlay
+    * Disable ipv4 in NetworkManager if no address or route is specified
+  * fix(wwctl): Create overlay edit tempfile in tmpdir
+  * Add default for systemd name for warewulf in warewulf.conf
+  * Atomic overlay file application in wwclient
+  * Simpler names for overlay methods
+  * Fix warewulfd api behavior when deleting distribution overlay
+
+- Update to version 4.6.3:
+  * v4.6.3 release
+  * IPv6 iPXE support
+  * Fix a syntax error in the RPM specfile
+  * Fix a race condition in wwctl overlay edit
+  * Fixed handling of comma-separated mount options in `fstab` and `ignition` overlays
+  * Move reexec.Init() to beginning of wwctl
+  * Add documentation for using tmpfs to distribute across numa nodes
+  * added warewuld configure option
+  * Fix wwctl upgrade nodes to handle kernel argument lists (bsc#1227686 bsc#1227465)
+  * Address copilot review from #1945
+  * Refactor wwapi tests for proper isolation
+  * Bugfix: cloning a site overlay when parent dir does not exist
+  * Clone to a site overlay when adding files in wwapi
+  * Consolidated createOverlayFile and updateOverlayFile to addOverlayFile
+  * Support for creating and updating overlay file in wwapi
+  * Only return overlay files that refer to a path within the overlay
+  * add overlay file deletion support
+  * DELETE /api/overlays/{id}?force=true can delete overlays in use
+  * Restore idempotency of PUT /api/nodes/{id}
+  * Simplify overlay mtime api and add tests
+  * add node overlay buildtime
+  * Improved netplan support
+  * Rebuild overlays for discovered nodes
+  * Restrict userdocs from building during pr when not modified
+  * Update to v4.6.2 GitHub release notes
+</description>
+  <package>warewulf4</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251027101939269288.187004354831441/_patchinfo

@@ -0,0 +1,48 @@
+<patchinfo>
+  <issue tracker="cve" id="2025-10527">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10536">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10528">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10537">Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10529">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10532">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10533">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 115.28, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="bnc" id="1249391">VUL-0: MozillaFirefox / MozillaThunderbird: update to 143.0 and 140.3esr</issue>
+  <packager>Yoshio_Sato</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for MozillaThunderbird</summary>
+  <description>This update for MozillaThunderbird fixes the following issues:
+
+Changes in MozillaThunderbird:
+
+Mozilla Thunderbird 140.3.0 ESR:
+
+  * Right-clicking 'List-ID' -&gt; 'Unsubscribe' created double encoded
+    draft subject
+  * Thunderbird could crash on startup
+  * Thunderbird could crash when importing mail
+  * Opening Website header link in RSS feed incorrectly re-encoded
+    URL parameters
+  MFSA 2025-78 (bsc#1249391)
+  * CVE-2025-10527
+    Sandbox escape due to use-after-free in the Graphics:
+    Canvas2D component
+  * CVE-2025-10528
+    Sandbox escape due to undefined behavior, invalid pointer in
+    the Graphics: Canvas2D component
+  * CVE-2025-10529
+    Same-origin policy bypass in the Layout component
+  * CVE-2025-10532
+    Incorrect boundary conditions in the JavaScript: GC component
+  * CVE-2025-10533
+    Integer overflow in the SVG component
+  * CVE-2025-10536
+    Information disclosure in the Networking: Cache component
+  * CVE-2025-10537
+    Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
+    ESR 140.3, Firefox 143 and Thunderbird 143
+
+</description>
+  <package>MozillaThunderbird</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.ga/_patchinfo

@@ -1,4 +1,4 @@
-<patchinfo>
+<patchinfo incident="packagehub-2">
   <packager>msmeissn</packager>
   <rating>important</rating>
   <category>no_updateinfo</category>
@@ -25695,4 +25695,4 @@ After its initial build it should never be rebuilt.
 <package>zypp-gui</package>
 <package>zypper-changelog-plugin</package>
 <package>zypper-keys-plugin</package>
-</patchinfo>
+</patchinfo>

workflow.config

@@ -6,8 +6,8 @@
   "ManualMergeProject": true,
   "NoProjectGitPR": true,
   "Reviewers": [
-    "*maintenance-release-review",
-    "+opensuse-review",
+    "-maintenance-release-review",
+    "*opensuse-review",
     "+legaldb",
     "-autogits_obs_staging_bot",
     "-qam-openqa-review"
@@ -64,7 +64,9 @@
         "mimi_vx",
         "mschnitzer",
         "msmeissn",
-        "openqa-maintenance"
+        "openqa-maintenance",
+        "foursixnine-openqa",
+        "szarate"
         ],
       "Silent": true
     }