ship llvmjit from here

PR: products/PackageHub!224

.gitmodules

@@ -26110,3 +26110,27 @@
 	path = fprintd
 	url = ../../pool/fprintd
 	branch = leap-16.0
+[submodule "python-acme"]
+	path = python-acme
+	url = ../../pool/python-acme
+	branch = leap-16.0
+[submodule "python-certbot"]
+	path = python-certbot
+	url = ../../pool/python-certbot
+	branch = leap-16.0
+[submodule "python-certbot-nginx"]
+	path = python-certbot-nginx
+	url = ../../pool/python-certbot-nginx
+	branch = leap-16.0
+[submodule "python-ConfigArgParse"]
+	path = python-ConfigArgParse
+	url = ../../pool/python-ConfigArgParse
+	branch = leap-16.0
+[submodule "python-josepy"]
+	path = python-josepy
+	url = ../../pool/python-josepy
+	branch = leap-16.0
+[submodule "python-pyRFC3339"]
+	path = python-pyRFC3339
+	url = ../../pool/python-pyRFC3339
+	branch = leap-16.0

0Backports/Backports.productcompose

@@ -271,6 +271,12 @@ packagesets:
   - update-test-retracted
   - update-test-security
   - update-test-trivial
+  - xen
+  - xen-devel
+  - xen-libs
+  - xen-doc-html
+  - xen-tools
+  - xen-tools-domU
   - yum-utils
 
 # TODO: unneeded Leap package per architecture
@@ -5421,7 +5427,6 @@ packagesets:
   - postgresql-docs
   - postgresql-jdbc
   - postgresql-jdbc-javadoc
-  - postgresql-llvmjit
   - postgresql-plperl
   - postgresql-plpython
   - postgresql-pltcl
@@ -5431,7 +5436,6 @@ packagesets:
   - postgresql13-contrib
   - postgresql13-devel
   - postgresql13-docs
-  - postgresql13-llvmjit
   - postgresql13-pgaudit
   - postgresql13-pgvector
   - postgresql13-plperl
@@ -5443,7 +5447,6 @@ packagesets:
   - postgresql14-contrib
   - postgresql14-devel
   - postgresql14-docs
-  - postgresql14-llvmjit
   - postgresql14-pgaudit
   - postgresql14-pgvector
   - postgresql14-plperl
@@ -5455,7 +5458,6 @@ packagesets:
   - postgresql15-contrib
   - postgresql15-devel
   - postgresql15-docs
-  - postgresql15-llvmjit
   - postgresql15-pgaudit
   - postgresql15-pgvector
   - postgresql15-plperl
@@ -5467,7 +5469,6 @@ packagesets:
   - postgresql16-contrib
   - postgresql16-devel
   - postgresql16-docs
-  - postgresql16-llvmjit
   - postgresql16-pgaudit
   - postgresql16-pgvector
   - postgresql16-plperl
@@ -5479,7 +5480,6 @@ packagesets:
   - postgresql17-contrib
   - postgresql17-devel
   - postgresql17-docs
-  - postgresql17-llvmjit
   - postgresql17-pgaudit
   - postgresql17-pgvector
   - postgresql17-plperl

patchinfo.20251016111300220521.93181000773252/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="packagehub-11">
+  <issue tracker="bnc" id="1250487">VUL-0: CVE-2025-59682: python-Django,python-Django4: Potential partial directory-traversal via archive.extract()</issue>
+  <issue tracker="cve" id="2025-59682">VUL-0: CVE-2025-59682: python-Django,python-Django4: Potential partial directory-traversal via archive.extract()</issue>
+  <issue tracker="cve" id="2025-59681"/>
+  <issue tracker="bnc" id="1250485">VUL-0: CVE-2025-59681: python-Django,python-Django4: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB</issue>
+  <packager>mcalabkova</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for python-Django</summary>
+  <description>This update for python-Django fixes the following issues:
+
+- CVE-2025-59681: Fixed a potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (boo#1250485)
+- CVE-2025-59682: Fixed a potential partial directory-traversal via archive.extract() (boo#1250487)
+</description>
+  <package>python-Django</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251025182237146698.93181000773252/_patchinfo

@@ -0,0 +1,129 @@
+<patchinfo incident="packagehub-13">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst</summary>
+  <description>This update for openQA, os-autoinst fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1761296552.ae7c17aa:
+  * Add tests for file_security_policy
+  * Pass parameter $is_userfile to log_url
+  * Remove redirect and serve files as attachments if necessary
+  * Serve files uploaded by tests via asset domain
+  * Use direct link to subdomain for the test assets
+  * Revert "Don't redirect to asset domain via /needles/ID/(image|json) route"
+  * Revert "Don't redirect screenshots, thumbs and needles to files_domain"
+
+- Update to version 5.1761228068.a3a7f84d:
+  * Dependency cron 2025-10-23
+
+- Update to version 5.1761037330.ad78558e:
+  * Avoid needless check for number of clones
+  * Avoid creation of `git_clone` tasks for jobs with empty `DISTRI`
+
+- Update to version 5.1760515610.a802d1dd:
+  * Lower the prio of archiving jobs to avoid piling up finalize jobs
+  * Add signatures in Schema::Result::ApiKeys
+
+- Update to version 5.1760245411.e3aeaaec:
+  * Dependency cron 2025-10-12
+
+- Update to version 5.1760108577.fd2f2a48:
+  * Log unavailability due to high load only as warning
+  * Filter job stats of scheduled products also by arch and build
+  * Document how to disable image optimizations
+  * Make image optimization errors stop the job producing an incomplete job
+  * Improve wording in description about job stats API
+  * Run `optipng` for real and handle errors if it fails
+
+- Update to version 5.1759912962.689b31ed:
+  * Avoid failing `obs_rsync_run` jobs when restarting `openqa-gru.service`
+
+- Update to version 5.1759834744.06a7028a:
+  * parser: ktap: Return earlier if subtest result is SKIP
+  * parser: ktap: Fallback to subtest index if name is not available
+
+- Update to version 5.1759440640.bb989cab:
+  * Don't redirect to asset domain via /needles/ID/(image|json) route
+
+- Update to version 5.1759402042.49e912c3:
+  * Introduce array job settings
+  * Retry `obs_rsync_update_*` tasks if Gru service terminates
+
+- Update to version 5.1759329378.3b8e8685:
+  * Reduce the number of required checks for Mergify again
+  * Ensure a failing cache service is seen as such by the worker/scheduler
+
+- Update to version 5.1759248257.70b23b32:
+  * Increase number of successful checks in Mergify config again
+  * Disable Helm Chart CI checks temporarily
+  * Consider all jobs for cleanup, not just jobs that were executed
+  * Verify job deletion when dependent job present
+
+- Update to version 5.1759149505.49c40b0b:
+  * Use always the latest PostgreSQL image in Compose and documentation
+  * Update the PostgreSQL version in the contributing documentation
+  * Update PostgreSQL data path in Docker Compose file after updating to v18
+  * Specify PostgreSQL version in Docker Compose configuration explicitly
+  * mergify: Allow more time for dependabot update reaction
+  * Remove version property from docker-compose
+  * README: Fix openQA badge after switch to UEFI
+  * build(deps-dev): bump eslint from 9.35.0 to 9.36.0
+
+- Update to version 5.1758910696.7549bb98:
+  * Replace argument assignment with signatures on ObsRsync/Task
+  * Enable automatic dependabot updates again after improvements
+  * docs: Add instructions for a continuous dashboard setup
+  * Replace argument assignment with signatures Folders package
+  * Fully cover WebAPI::Plugin::ObsRsync::Controller::Folders
+  * script: Also use OPENQA_WEBUI_MODE for related services
+
+- Update to version 5.1758814503.03d923a4:
+  * Use Mojo::File in Worker for is_qemu_running
+  * Use Mojo::File in Worker for meminfo
+  * Document archiving of important jobs
+
+- Update to version 5.1758729450.b88c0b40:
+  * Reject jobs if worker is broken when receiving a new job
+
+- Update to version 5.1758711845.e5c02221:
+  * script: Allow to configure openQA mode
+  * t: run at least once Memorylimit register with max_rss_limit &gt; 0
+  * Replace argument assignation with signatures on MemoryLimit
+
+Changes in os-autoinst:
+
+- Update to version 5.1761036042.c43e4ab:
+  * Update perltidy
+  * Allow redirects in needle NeedleDownloader
+  * Don't overwrite firewall xml
+  * Add UEFI support for ipxe kernel boot
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+
+- Update to version 5.1759328765.e7438f7:
+  * Allow redirects in needle NeedleDownloader
+  * Don't overwrite firewall xml
+  * Add UEFI support for ipxe kernel boot
+  * t: Use consistent Mojo::File in 08-autotest as well
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+
+- Update to version 5.1759134946.e08d7c7:
+  * Add UEFI support for ipxe kernel boot
+  * t: Use consistent Mojo::File in 08-autotest as well
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+  * os-autoinst-setup-multi-machine: Only call zypper when necessary
+  * os-autoinst-setup-multi-machine: Improve network interface check
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251025182836794674.93181000773252/_patchinfo

@@ -0,0 +1,28 @@
+<patchinfo incident="packagehub-18">
+  <packager>jsulig</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for amarok</summary>
+  <description>This update for amarok fixes the following issues:
+
+Changes in amarok:
+
+- Update to version 3.3.1
+  * Enable saving and loading script console items, autocompletion
+    in script console, and re-enable some more scripting functionality
+  * Convert the remaining main UI toolbuttons to use icons from theme
+  * Clear out remnants of the now-discontinued MusicDNS service
+  * Fix example permission grant command in database settings (kde#386004)
+  * Fix equalizer gains not updating when selecting some presets (kde#463908)
+  * Fix continuing playback after timecoded tracks (cue files etc, (kde#270003)
+  * Fix MusicBrainz search
+  * Properly start CD playback if Amarok is not already running (kde#503310)
+  * Also transmit embedded cover art through MPRIS (kde#357620)
+  * Don't show transcoding dialog after canceling download (kde#275840)
+  * Load network information earlier to avoid crashes on startup (kde#507497)
+  * Try to export as-compatible-as-possible playlist files (kde#507329)
+  * Fix some random crashes during playback
+
+</description>
+  <package>amarok</package>
+</patchinfo>

patchinfo.20251027101618101208.187004354831441/_patchinfo

@@ -0,0 +1,32 @@
+<patchinfo incident="packagehub-16">
+  <packager>miska</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for knot</summary>
+  <description>This update for knot fixes the following issues:
+
+Changes in knot:
+
+- disable quic in stable releases due to the missing libraries
+
+update to version 3.5.1, see
+
+  https://www.knot-dns.cz/2025-10-16-version-351.html
+
+update to version 3.5.0, see
+
+  https://www.knot-dns.cz/2025-09-18-version-350.html
+
+update to version 3.4.8, see
+
+  https://www.knot-dns.cz/2025-07-29-version-348.html
+
+Use the libngtcp2_crypto_gnutls-devel instead of libngtcp2-devel
+to account for the openssl and gnutls devel files split in ngtcp2.
+
+update to version 3.4.7, see
+
+  https://www.knot-dns.cz/2025-06-04-version-347.html
+</description>
+  <package>knot</package>
+</patchinfo>

patchinfo.20251027103924170417.187004354831441/_patchinfo

@@ -0,0 +1,27 @@
+<patchinfo incident="packagehub-17">
+  <issue tracker="cve" id="2025-59438">VUL-0: CVE-2025-59438: TRACKERBUG: mbedtls: padding oracle attack possible through timing of cipher error reporting</issue>
+  <packager>dheidler</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for micropython</summary>
+  <description>This update for micropython fixes the following issues:
+
+Changes in micropython:
+
+- Build with mbedtls-3.6.5 instead of bundled 3.6.2 to fix CVE-2025-59438
+
+Version 1.26.0:
+
+  * Added machine.I2CTarget for creating I2C target devices on multiple ports.
+  * New MCU support: STM32N6xx (800 MHz, ML accel) &amp; ESP32-C2 (WiFi + BLE).
+  * Major float accuracy boost (~28% → ~98%), constant folding in compiler.
+  * Optimized native/Viper emitters; reduced heap use for slices.
+  * Time functions standardized (1970–2099); new boards across ESP32, SAMD, STM32, Zephyr.
+  * ESP32: ESP-IDF 5.4.2, flash auto-detect, PCNT class, LAN8670 PHY.
+  * RP2: compressed errors, better lightsleep, hard IRQ timers.
+  * Zephyr v4.0.0: PWM, SoftI2C/SPI, BLE runtime services, boot.py/main.py support.
+  * mpremote adds fs tree, improved df, portable config paths.
+  * Updated lwIP, LittleFS, libhydrogen, stm32lib; expanded hardware/CI tests.
+</description>
+  <package>micropython</package>
+</patchinfo>

patchinfo.20251030080843825030.187004354831441/_patchinfo

@@ -0,0 +1,56 @@
+<patchinfo incident="packagehub-12">
+  <issue tracker="cve" id="2025-12441"/>
+  <issue tracker="cve" id="2025-12429"/>
+  <issue tracker="cve" id="2025-12431"/>
+  <issue tracker="cve" id="2025-12444"/>
+  <issue tracker="cve" id="2025-12428"/>
+  <issue tracker="cve" id="2025-12438"/>
+  <issue tracker="cve" id="2025-12435"/>
+  <issue tracker="cve" id="2025-12437"/>
+  <issue tracker="cve" id="2025-12443"/>
+  <issue tracker="cve" id="2025-12430"/>
+  <issue tracker="cve" id="2025-12440"/>
+  <issue tracker="cve" id="2025-12445"/>
+  <issue tracker="cve" id="2025-12446"/>
+  <issue tracker="cve" id="2025-12432"/>
+  <issue tracker="cve" id="2025-12436"/>
+  <issue tracker="cve" id="2025-12434"/>
+  <issue tracker="cve" id="2025-54874">VUL-0: CVE-2025-54874: TRACKERBUG: openjpeg: missing error check can lead to the use of an uninitialized pointer and cause an out-of-bounds heap</issue>
+  <issue tracker="cve" id="2025-12433"/>
+  <issue tracker="bnc" id="1252881">VUL-0: chromium: release 142.0.7444.59</issue>
+  <issue tracker="cve" id="2025-12439"/>
+  <issue tracker="cve" id="2025-12447"/>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 142.0.7444.59, the stable channel promotion of 142.
+
+Security fixes (boo#1252881):
+
+  * CVE-2025-12428: Type Confusion in V8
+  * CVE-2025-12429: Inappropriate implementation in V8
+  * CVE-2025-12430: Object lifecycle issue in Media
+  * CVE-2025-12431: Inappropriate implementation in Extensions
+  * CVE-2025-12432: Race in V8
+  * CVE-2025-12433: Inappropriate implementation in V8
+  * CVE-2025-12434: Race in Storage
+  * CVE-2025-12435: Incorrect security UI in Omnibox
+  * CVE-2025-12436: Policy bypass in Extensions
+  * CVE-2025-12437: Use after free in PageInfo
+  * CVE-2025-12438: Use after free in Ozone
+  * CVE-2025-12439: Inappropriate implementation in App-Bound Encryption
+  * CVE-2025-12440: Inappropriate implementation in Autofill
+  * CVE-2025-12441: Out of bounds read in V8
+  * CVE-2025-12443: Out of bounds read in WebXR
+  * CVE-2025-12444: Incorrect security UI in Fullscreen UI
+  * CVE-2025-12445: Policy bypass in Extensions
+  * CVE-2025-12446: Incorrect security UI in SplitView
+  * CVE-2025-12447: Incorrect security UI in Omnibox
+
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251030134459405257.187004354831441/_patchinfo

@@ -1,4 +1,4 @@
-<patchinfo>
+<patchinfo incident="packagehub-14">
   <packager>adrianSuSE</packager>
   <rating>moderate</rating>
   <category>recommended</category>
@@ -21,4 +21,4 @@ Update to version 0.6.14:
 </description>
   <package>product-composer</package>
   <seperate_build_arch/>
-</patchinfo>
+</patchinfo>

patchinfo.20251104153107003768.187004354831441/_patchinfo

@@ -0,0 +1,63 @@
+<patchinfo incident="packagehub-15">
+  <issue tracker="cve" id="2025-11710"/>
+  <issue tracker="cve" id="2025-11709"/>
+  <issue tracker="cve" id="2025-11715"/>
+  <issue tracker="bnc" id="1247774">[SLFO:Main] [SLES16.0] MozillaFirefox fails to build on s390x</issue>
+  <issue tracker="cve" id="2025-11712"/>
+  <issue tracker="cve" id="2025-11708"/>
+  <issue tracker="cve" id="2025-11714"/>
+  <issue tracker="cve" id="2025-11713"/>
+  <issue tracker="cve" id="2025-11711"/>
+  <issue tracker="bnc" id="1251263">VUL-0: MozillaFirefox / MozillaThunderbird: update to 144.0 and 140.4esr</issue>
+  <packager>MSirringhaus</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for MozillaThunderbird</summary>
+  <description>This update for MozillaThunderbird fixes the following issues:
+
+Mozilla Thunderbird 140.4:
+
+  * changed: Account Hub is now disabled by default for second
+    email account
+  * changed: Flatpak runtime has been updated to Freedesktop SDK
+    24.08
+  * fixed: Users could not read mail signed with OpenPGP v6 and
+    PQC keys
+  * fixed: Image preview in Insert Image dialog failed with CSP
+    error for web resources
+  * fixed: Emptying trash on exit did not work with some
+    providers
+  * fixed: Thunderbird could crash when applying filters
+  * fixed: Users were unable to override expired mail server
+    certificate
+  * fixed: Opening Website header link in RSS feed incorrectly
+    re-encoded URL parameters
+  * fixed: Security fixes
+
+MFSA 2025-85 (bsc#1251263):
+
+  * CVE-2025-11708
+    Use-after-free in MediaTrackGraphImpl::GetInstance()
+  * CVE-2025-11709
+    Out of bounds read/write in a privileged process triggered by
+    WebGL textures
+  * CVE-2025-11710
+    Cross-process information leaked due to malicious IPC
+    messages
+  * CVE-2025-11711
+    Some non-writable Object properties could be modified
+  * CVE-2025-11712
+    An OBJECT tag type attribute overrode browser behavior on web
+    resources without a content-type
+  * CVE-2025-11713
+    Potential user-assisted code execution in “Copy as cURL”
+    command
+  * CVE-2025-11714
+    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
+    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
+  * CVE-2025-11715
+    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
+    ESR 140.4, Firefox 144 and Thunderbird 144
+</description>
+  <package>MozillaThunderbird</package>
+</patchinfo>

patchinfo.20251106083153138720.187004354831441/_patchinfo

@@ -0,0 +1,23 @@
+<patchinfo incident="packagehub-19">
+  <issue tracker="bnc" id="1253089">VUL-0: chromium: release 142.0.7444.134</issue>
+  <issue tracker="cve" id="2025-12727"/>
+  <issue tracker="cve" id="2025-12725"/>
+  <issue tracker="cve" id="2025-12729">VUL-0: chromium: release 142.0.7444.134</issue>
+  <issue tracker="cve" id="2025-12728"/>
+  <issue tracker="cve" id="2025-12726"/>
+  <packager>AndreasStieger</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 142.0.7444.134 (boo#1253089):
+
+  * CVE-2025-12725: Out of bounds write in WebGPU
+  * CVE-2025-12726: Inappropriate implementation in Views
+  * CVE-2025-12727: Inappropriate implementation in V8
+  * CVE-2025-12728: Inappropriate implementation in Omnibox
+  * CVE-2025-12729: Inappropriate implementation in Omnibox
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251111094408723997.187004354831441/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-20">
+  <packager>adrianSuSE</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for product-composer</summary>
+  <description>This update for product-composer fixes the following issues:
+
+Update to version 0.6.17:
+
+  - fix multiarch media handling of updateinfo id's
+</description>
+  <package>product-composer</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251112154630847363.187004354831441/_patchinfo

@@ -0,0 +1,16 @@
+<patchinfo incident="packagehub-21">
+  <issue tracker="bnc" id="1253267">VUL-0: chromium: release 142.0.7444.162</issue>
+  <issue tracker="cve" id="2025-13042">VUL-0: chromium: release 142.0.7444.162</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 142.0.7444.162 (boo#1253267):
+
+  * CVE-2025-13042: Inappropriate implementation in V8
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251114110535882810.90520734224245/_patchinfo

@@ -0,0 +1,16 @@
+<patchinfo incident="packagehub-22">
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for certbot</summary>
+  <description>This update for certbot fixes the following issues:
+
+This update adds the certbot stack. (python modules: ConfigArgParse, acme, certbot, certbot-nginx, josepy, pyRFC3339).
+</description>
+<package>python-ConfigArgParse</package>
+<package>python-acme</package>
+<package>python-certbot</package>
+<package>python-certbot-nginx</package>
+<package>python-josepy</package>
+<package>python-pyRFC3339</package>
+</patchinfo>

staging.config

@@ -1,4 +1,4 @@
 {
   "ObsProject": "openSUSE:Backports:SLE-16.0",
-  "StagingProject": "openSUSE:Backports:SLE-16.0:PullRequest"
+  "StagingProject": "openSUSE:Backports:SLE-16.0:PullRequest",
 }