Pull request for optional update for authselect

.gitmodules

@@ -1150,6 +1150,10 @@
 	path = autocutsel
 	url = ../../pool/autocutsel
 	branch = leap-16.0
+[submodule "authselect"]
+	path = authselect
+	url = ../../pool/authselect
+	branch = leap-16.0
 [submodule "autojump"]
 	path = autojump
 	url = ../../pool/autojump
@@ -17350,10 +17354,6 @@
 	path = rasqal
 	url = ../../pool/rasqal
 	branch = leap-16.0
-[submodule "rawtherapee"]
-	path = rawtherapee
-	url = ../../pool/rawtherapee
-	branch = leap-16.0
 [submodule "raw-thumbnailer"]
 	path = raw-thumbnailer
 	url = ../../pool/raw-thumbnailer

0Backports/Backports.productcompose

@@ -701,9 +701,6 @@ packagesets:
   - cargo-packaging
   - cargo1.87
   - cargo1.88
-  - cargo1.89
-  - cargo1.90
-  - cargo1.91
   - catatonit
   - cblas-devel
   - cblas-devel-static
@@ -1411,6 +1408,7 @@ packagesets:
   - gobject-introspection-devel
   - golang-github-cpuguy83-go-md2man
   - golang-github-google-jsonnet
+  - golang-github-prometheus-prometheus
   - golang-github-prometheus-promu
   - golang-packaging
   - google-errorprone-annotation
@@ -6798,9 +6796,6 @@ packagesets:
   - rhino-engine
   - rhino-javadoc
   - rhino-runtime
-  - rmt-server
-  - rmt-server-config
-  - rmt-server-pubcloud
   - rollback-helper
   - rootlesskit
   - rp-pppoe
@@ -6857,9 +6852,6 @@ packagesets:
   - rust-keylime
   - rust1.87
   - rust1.88
-  - rust1.89
-  - rust1.90
-  - rust1.91
   - samba
   - samba-ad-dc
   - samba-ad-dc-libs
@@ -7088,6 +7080,7 @@ packagesets:
   - system-user-news
   - system-user-nobody
   - system-user-ntp
+  - system-user-prometheus
   - system-user-pulse
   - system-user-qemu
   - system-user-root

_config

@@ -168,7 +168,7 @@ Macros:
 
 # Leap specific package list, the same list with excludebuild must add to Backports project
 # Most of package should be built in Backports
-%if 0%{?_is_in_project}
+%if "%_project" == "openSUSE:Backports:SLE-16.0"
 # we build ffado:ffado-mixer for openSUSE, the main one is built in SLFO
 BuildFlags: excludebuild:ffado
 # build gpgme:qt flavor for qt5 support

patchinfo.20251117132509463589.187004354831441/_patchinfo

@@ -1,14 +0,0 @@
-<patchinfo incident="packagehub-49">
-  <packager>okurz</packager>
-  <rating>moderate</rating>
-  <category>recommended</category>
-  <summary>Recommended update for perl-Mojolicious-Plugin-Webpack</summary>
-  <description>This update for perl-Mojolicious-Plugin-Webpack fixes the following issues:
-
-Changes in perl-Mojolicious-Plugin-Webpack:
-
-- See https://github.com/jhthorsen/mojolicious-plugin-webpack/pull/17
-</description>
-  <package>perl-Mojolicious-Plugin-Webpack</package>
-  
-</patchinfo>

patchinfo.20251201094954024941.93181000773252/_patchinfo

@@ -1,209 +0,0 @@
-<patchinfo incident="packagehub-54">
-  <issue tracker="bnc" id="1251651">VUL-0: CVE-2025-58190: hauler: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
-  <issue tracker="cve" id="2025-22872">cve#2025-22872 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-22872</issue>
-  <issue tracker="cve" id="2025-58058">cve#2025-58058 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58058</issue>
-  <issue tracker="cve" id="2024-45338">cve#2024-45338 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-45338</issue>
-  <issue tracker="bnc" id="1241184">VUL-0: CVE-2024-0406: hauler: mholt/archiver: access to restricted files or directories when unpacking specially crafted tar file</issue>
-  <issue tracker="bnc" id="1235332">VUL-0: CVE-2024-45338: hauler: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content</issue>
-  <issue tracker="cve" id="2025-11579">cve#2025-11579 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-11579</issue>
-  <issue tracker="cve" id="2024-0406">cve#2024-0406 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-0406</issue>
-  <issue tracker="cve" id="2025-47911">cve#2025-47911 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47911</issue>
-  <issue tracker="cve" id="2025-46569">cve#2025-46569 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46569</issue>
-  <issue tracker="bnc" id="1246722">VUL-0: CVE-2025-46569: hauler: github.com/open-policy-agent/opa: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API</issue>
-  <issue tracker="bnc" id="1248937">VUL-0: CVE-2025-58058: hauler: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
-  <issue tracker="bnc" id="1241804">VUL-0: CVE-2025-22872: hauler: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
-  <issue tracker="bnc" id="1251516">VUL-0: CVE-2025-47911: hauler: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
-  <issue tracker="cve" id="2025-58190">cve#2025-58190 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58190</issue>
-  <issue tracker="bnc" id="1251891">VUL-0: CVE-2025-11579: hauler: github.com/nwaples/rardecode: failure to restrict the dictionary size when processing RAR files allows for excessive memory consumpti</issue>
-  <packager>dirkmueller</packager>
-  <rating>important</rating>
-  <category>security</category>
-  <summary>Security update for hauler</summary>
-  <description>This update for hauler fixes the following issues:
-
-- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,
-  bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,
-  bsc#1248937, CVE-2025-58058):
-  * bump github.com/containerd/containerd (#474)
-  * another fix to tests for new tests (#472)
-  * fixed typo in testdata (#471)
-  * fixed/cleaned new tests (#470)
-  * trying a new way for hauler testing (#467)
-  * update for cosign v3 verify (#469)
-  * added digests view to info (#465)
-  * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
-  * update oras-go to v1.2.7 for security patches (#464)
-  * update cosign to v3.0.2+hauler.1 (#463)
-  * fixed homebrew directory deprecation (#462)
-  * add registry logout command (#460)
-
-- Update to version 1.3.0:
-  * bump the go_modules group across 1 directory with 2 updates (#455)
-  * upgraded versions/dependencies/deprecations (#454)
-  * allow loading of docker tarballs (#452)
-  * bump the go_modules group across 1 directory with 2 updates (#449)
-
-- update to 1.2.5 (bsc#1246722, CVE-2025-46569):
-  * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in
-    the go_modules group across 1 directory (CVE-2025-46569)
-  * deprecate auth from hauler store copy
-  * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the
-    go_modules group across 1 directory
-  * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
-    in the go_modules group across 1 directory
-  * upgraded go and dependencies versions
-
-- Update to version 1.2.5:
-  * upgraded go and dependencies versions (#444)
-  * Bump github.com/go-viper/mapstructure/v2 (#442)
-  * bump github.com/cloudflare/circl (#441)
-  * deprecate auth from hauler store copy (#440)
-  * Bump github.com/open-policy-agent/opa (#438)
-
-- update to 1.2.4 (CVE-2025-22872, bsc#1241804):
-  * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
-    group across 1 directory
-  * minor tests updates
-
-- Update to version 1.2.3:
-  * formatting and flag text updates
-  * add keyless signature verification (#434)
-  * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
-  * add --only flag to hauler store copy (for images) (#429)
-  * fix tlog verification error/warning output (#428)
-
-- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
-  * cleanup new tlog flag typos and add shorthand (#426)
-  * default public transparency log verification to false to be airgap friendly but allow override (#425)
-  * bump github.com/golang-jwt/jwt/v4 (#423)
-  * bump the go_modules group across 1 directory with 2 updates (#422)
-  * bump github.com/go-jose/go-jose/v3 (#417)
-  * bump github.com/go-jose/go-jose/v4 (#415)
-  * clear default manifest name if product flag used with sync (#412)
-  * updates for v1.2.0 (#408)
-  * fixed remote code (#407)
-  * added remote file fetch to load (#406)
-  * added remote and multiple file fetch to sync (#405)
-  * updated save flag and related logs (#404)
-  * updated load flag and related logs [breaking change] (#403)
-  * updated sync flag and related logs [breaking change] (#402)
-  * upgraded api update to v1/updated dependencies (#400)
-  * fixed consts for oci declarations (#398)
-  * fix for correctly grabbing platform post cosign 2.4 updates (#393)
-  * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
-  * Bump the go_modules group across 1 directory with 2 updates (#385)
-  * replace mholt/archiver with mholt/archives (#384)
-  * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
-  * cleaned up registry and improved logging (#378)
-  * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
-- bump net/html dependencies (bsc#1235332, CVE-2024-45338)
-
-- Update to version 1.1.1:
-  * fixed cli desc for store env var (#374)
-  * updated versions for go/k8s/helm (#373)
-  * updated version flag to internal/flags (#369)
-  * renamed incorrectly named consts (#371)
-  * added store env var (#370)
-  * adding ignore errors and retries for continue on error/fail on error (#368)
-  * updated/fixed hauler directory (#354)
-  * standardize consts (#353)
-  * removed cachedir code (#355)
-  * removed k3s code (#352)
-  * updated dependencies for go, helm, and k8s (#351)
-  * [feature] build with boring crypto where available (#344)
-  * updated workflow to goreleaser builds (#341)
-  * added timeout to goreleaser workflow (#340)
-  * trying new workflow build processes (#337)
-  * improved workflow performance (#336)
-  * have extract use proper ref (#335)
-  * yet another workflow goreleaser fix (#334)
-  * even more workflow fixes (#333)
-  * added more fixes to github workflow (#332)
-  * fixed typo in hauler store save (#331)
-  * updates to fix build processes (#330)
-  * added integration tests for non hauler tarballs (#325)
-  * bump: golang &gt;= 1.23.1 (#328)
-  * add platform flag to store save (#329)
-  * Update feature_request.md
-  * updated/standardize command descriptions (#313)
-  * use new annotation for 'store save' manifest.json (#324)
-  * enable docker load for hauler tarballs (#320)
-  * bump to cosign v2.2.3-carbide.3 for new annotation (#322)
-  * continue on error when adding images to store (#317)
-  * Update README.md (#318)
-  * fixed completion commands (#312)
-  * github.com/rancherfederal/hauler =&gt; hauler.dev/go/hauler (#311)
-  * pages: enable go install hauler.dev/go/hauler (#310)
-  * Create CNAME
-  * pages: initial workflow (#309)
-  * testing and linting updates (#305)
-  * feat-273: TLS Flags (#303)
-  * added list-repos flag (#298)
-  * fixed hauler login typo (#299)
-  * updated cobra function for shell completion (#304)
-  * updated install.sh to remove github api (#293)
-  * fix image ref keys getting squashed when containing sigs/atts (#291)
-  * fix missing versin info in release build (#283)
-  * bump github.com/docker/docker in the go_modules group across 1 directory (#281)
-  * updated install script (`install.sh`) (#280)
-  * fix digest images being lost on load of hauls (Signed). (#259)
-  * feat: add readonly flag (#277)
-  * fixed makefile for goreleaser v2 changes (#278)
-  * updated goreleaser versioning defaults (#279)
-  * update feature_request.md (#274)
-  * updated old references
-  * updated actions workflow user
-  * added dockerhub to github actions workflow
-  * removed helm chart
-  * added debug container and workflow
-  * updated products flag description
-  * updated chart for release
-  * fixed workflow errors/warnings
-  * fixed permissions on testdata
-  * updated chart versions (will need to update again)
-  * last bit of fixes to workflow
-  * updated unit test workflow
-  * updated goreleaser deprecations
-  * added helm chart release job
-  * updated github template names
-  * updated imports (and go fmt)
-  * formatted gitignore to match dockerignore
-  * formatted all code (go fmt)
-  * updated chart tests for new features
-  * Adding the timeout flag for fileserver command
-  * Configure chart commands to use helm clients for OCI and private registry support
-  * Added some documentation text to sync command
-  * Bump golang.org/x/net from 0.17.0 to 0.23.0
-  * fix for dup digest smashing in cosign
-  * removed vagrant scripts
-  * last bit of updates and formatting of chart
-  * updated hauler testdata
-  * adding functionality and cleaning up
-  * added initial helm chart
-  * removed tag in release workflow
-  * updated/fixed image ref in release workflow
-  * updated/fixed platforms in release workflow
-  * updated/cleaned github actions (#222)
-  * Make Product Registry configurable (#194)
-  * updated fileserver directory name (#219)
-  * fix logging for files
-  * add extra info for the tempdir override flag
-  * tempdir override flag for load
-  * deprecate the cache flag instead of remove
-  * switch to using bci-golang as builder image
-  * fix: ensure /tmp for hauler store load
-  * added the copy back for now
-  * remove copy at the image sync not needed with cosign update
-  * removed misleading cache flag
-  * better logging when adding to store
-  * update to v2.2.3 of our cosign fork
-  * add: dockerignore
-  * add: Dockerfile
-  * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
-  * Bump github.com/docker/docker
-  * updated and added new logos
-  * updated github files
-</description>
-  <package>hauler</package>
-  <seperate_build_arch/>
-</patchinfo>

patchinfo.20251205103932570835.187004354831441/_patchinfo

@@ -1,127 +0,0 @@
-<patchinfo incident="packagehub-51">
-  <packager>dirkmueller</packager>
-  <rating>moderate</rating>
-  <category>recommended</category>
-  <summary>Recommended update for trivy</summary>
-  <description>This update for trivy fixes the following issues:
-
-Changes in trivy:
-
-Update to version 0.68.1:
-
-  * fix: update cosing settings for GoReleaser after bumping cosing to v3 (#9863)
-  * chore(deps): bump the testcontainers group with 2 updates (#9506)
-  * feat(aws): Add support for dualstack ECR endpoints (#9862)
-  * fix(vex): use a separate `visited` set for each DFS path (#9760)
-  * docs: catch some missed docs -&gt; guide (#9850)
-  * refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
-  * chore(cli): Remove Trivy Cloud (#9847)
-  * fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
-  * fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
-  * chore(deps): bump the docker group with 3 updates (#9776)
-  * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
-  * chore(deps): bump the common group across 1 directory with 20 updates (#9840)
-  * feat(image): add Sigstore bundle SBOM support (#9516)
-  * chore(deps): bump the aws group with 7 updates (#9691)
-  * test(k8s): update k8s integrtion test (#9725)
-  * chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
-  * feat(sbom): add support for SPDX attestations (#9829)
-  * docs(misconf): Remove duplicate sections (#9819)
-  * feat(misconf): Update Azure network schema for new checks (#9791)
-  * feat(misconf): Update AppService schema (#9792)
-  * fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
-  * feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
-  * docs: restructure docs for new hosting (#9799)
-  * docs(server): fix info about scanning licenses on the client side. (#9805)
-  * ci: remove unused preinstalled software/images for build tests to free up disk space. (#9814)
-  * feat(report): add fingerprint generation for vulnerabilities (#9794)
-  * chore: trigger the trivy-www workflow (#9737)
-  * fix: update all documentation links (#9777)
-  * feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
-  * test(go): set `GOPATH` for tests (#9785)
-  * feat(flag): add `--cacert` flag (#9781)
-  * fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
-  * test(go): refactor mod_test.go to use txtar format (#9775)
-  * docs: Fix typos and linguistic errors in documentation / hacktoberfest (#9586)
-  * chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
-  * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
-  * fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
-  * docs: add info that `SSL_CERT_FILE` works on `Unix systems other than macOS` only (#9772)
-  * docs: change SecObserve URLs in documentatio (#9771)
-  * feat(db): enable concurrent access to vulnerability database (#9750)
-  * feat(misconf): add agentpools to azure container schema (#9714)
-  * feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
-  * feat(misconf): Update Azure Compute schema (#9675)
-  * feat(misconf): Update azure storage schema (#9728)
-  * feat(misconf): Update SecurityCenter schema (#9674)
-  * feat(image): pass global context to docker/podman image save func (#9733)
-  * chore(deps): bump the github-actions group with 4 updates (#9739)
-  * fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
-  * feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
-  * feat(dotnet): add dependency graph support for .deps.json files (#9726)
-  * feat(misconf): Add support for configurable Rego error limit (#9657)
-  * feat(misconf): Add RoleAssignments attribute (#9396)
-  * feat(report): add image reference to report metadata (#9729)
-  * fix(os): Add photon 5.0 in supported OS (#9724)
-  * fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
-  * refactor: add case-insensitive string set implementation (#9720)
-  * feat: include registry and repository in artifact ID calculation (#9689)
-  * feat(java): add support remote repositories from settings.xml files (#9708)
-  * fix(sbom): don’t panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
-  * docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
-  * docs: add info about `java-db` subdir (#9706)
-  * fix(report): correct field order in SARIF license results (#9712)
-  * test: improve golden file management in integration tests (#9699)
-  * ci: get base_sha using base.ref (#9704)
-  * refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
-  * fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
-  * fix: close all opened resources if an error occurs (#9665)
-  * refactor(misconf): type-safe parser results in generic scanner (#9685)
-  * feat(image): add RepoTags support for Docker archives (#9690)
-  * chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
-  * feat(misconf): Update Azure Container Schema (#9673)
-  * ci: use merge commit for apidiff to avoid false positives (#9622)
-  * feat(misconf): include map key in manifest snippet for diagnostics (#9681)
-  * refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
-  * test: update golden files for TestRepository* integration tests (#9684)
-  * refactor(cli): Update the cloud config command (#9676)
-  * fix(sbom): add `buildInfo` info as properties (#9683)
-  * feat: add ReportID field to scan reports (#9670)
-  * docs: add vulnerability database contribution guide (#9667)
-  * feat(cli): Add trivy cloud suppport (#9637)
-  * feat: add ArtifactID field to uniquely identify scan targets (#9663)
-  * fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
-  * feat(sbom): use SPDX license IDs list to validate SPDX IDs  (#9569)
-  * fix: use context for analyzers (#9538)
-  * chore(deps): bump the docker group with 3 updates (#9545)
-  * chore(deps): bump the aws group with 6 updates (#9547)
-  * ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1 (#9641)
-  * test(helm): bump up Yamale dependency for Helm chart-testing-action (#9653)
-  * fix: Trim the end-of-range suffix (#9618)
-  * test(k8s): use a specific bundle for k8s misconfig scan (#9633)
-  * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
-  * refactor: move the aws config (#9617)
-  * fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
-  * fix: using SrcVersion instead of Version for echo detector (#9552)
-  * feat(fs): change artifact type to repository when git info is detected (#9613)
-  * fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
-  * fix(vex): don't use reused BOM (#9604)
-  * ci: use pull_request_target for apidiff workflow to support fork PRs (#9605)
-  * fix: restore compatibility for google.protobuf.Value (#9559)
-  * ci: add API diff workflow (#9600)
-  * chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
-  * docs: improve documentation for scanning raw IaC configurations (#9571)
-  * feat: allow ignoring findings by type in Rego (#9578)
-  * docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
-  * refactor(misconf): add ID to scan.Rule (#9573)
-  * fix(java): update order for resolving package fields from multiple demManagement (#9575)
-  * chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
-  * chore(deps): bump the common group across 1 directory with 7 updates (#9590)
-  * chore(deps): Switch to go-viper/mapstructure (#9579)
-  * chore: add context to the cache interface (#9565)
-  * ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0 (#9554)
-  * fix: validate backport branch name (#9548)
-</description>
-  <package>trivy</package>
-  <seperate_build_arch/>
-</patchinfo>

patchinfo.20251208090415508822.187004354831441/_patchinfo

@@ -0,0 +1,12 @@
+<patchinfo>
+  <packager>dcermak</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Optional update for authselect</summary>
+  <description>This update for authselect fixes the following issues:
+
+Adds authselect to PackageHub
+</description>
+  <package>authselect</package>
+</patchinfo>
+

patchinfo.20251208125318499450.93181000773252/_patchinfo

@@ -1,18 +0,0 @@
-<patchinfo incident="packagehub-50">
-  <issue tracker="bnc" id="1254437">VUL-0: CVE-2025-64460,CVE-2025-13372: python-Django: Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion</issue>
-  <issue tracker="bnc" id="1252926">VUL-0: CVE-2025-64459: python-Django,python-Django4: Potential SQL injection via `_connector` keyword argument in `QuerySet` and `Q` objects</issue>
-  <issue tracker="cve" id="2025-13372">cve#2025-13372 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-13372</issue>
-  <issue tracker="cve" id="2025-64460">cve#2025-64460 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-64460</issue>
-  <issue tracker="cve" id="2025-64459">cve#2025-64459 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-64459</issue>
-  <packager>mcalabkova</packager>
-  <rating>important</rating>
-  <category>security</category>
-  <summary>Security update for python-Django</summary>
-  <description>This update for python-Django fixes the following issues:
-
-- CVE-2025-64459: Fixed a potential SQL injection via `_connector` keyword argument in `QuerySet` and `Q` objects (bsc#1252926)
-- CVE-2025-13372,CVE-2025-64460: Fixed Denial of Service in 'django.core.serializers.xml_serializer.getInnerText()' (bsc#1254437)
-</description>
-  <package>python-Django</package>
-  <seperate_build_arch/>
-</patchinfo>

patchinfo.20251208143300643166.187004354831441/_patchinfo

@@ -1,63 +0,0 @@
-<patchinfo incident="packagehub-61">
-  <packager>bigironman</packager>
-  <rating>moderate</rating>
-  <category>recommended</category>
-  <summary>Recommended update for icinga-php-thirdparty, icinga-php-library, icingaweb2</summary>
-  <description>This update for icinga-php-thirdparty, icinga-php-library, icingaweb2 fixes the following issues:
-
-Changes in icinga-php-thirdparty:
-
-- Update to 0.13.1
-
-  - No changelog from upstream.
-
-- Update to 0.12.1
-
-  - No changelog from upstream.
-
-Changes in icinga-php-library:
-
-- Update to 1.17.0
-
-  - No changelog from upstream.
-
-Changes in icingaweb2:
-
-- Update to 2.12.6
-
-  - Search box shows many magnifying glasses for some community themes #5395
-  - Authentication hooks are not called with external backends #5415
-  - Improve Minimal layout #5386
-
-- Update to 2.12.5
-
-  * PHP 8.4 Support
-    We're again a little behind schedule, but now we support PHP 8.4!
-    This means that installations on Ubuntu 25.04 and Fedora 42+ can
-    now install Icinga Web without worrying about PHP related
-    incompatibilities. Icinga packages will be available in the
-    next few days.
-  * Good Things Take Time
-    There's only a single (notable) recent issue that is fixed
-    with this release. All the others are a bit older.
-    - External URLs set up as dashlets are not embedded the same
-      as navigation items #5346
-  * But the team sat together a few weeks ago and fixed a bug here
-    and there. And of course, also in Icinga Web!
-    - Users who are not allowed to change the theme, cannot change
-      the theme mode either #5385
-    - Improved compatibility with several SSO authentication
-      providers #5000, #5227
-    - Filtering for older-than events with relative time does not
-      work #5263
-    - Empty values are NULL in CSV exports #5350
-  * Breaking, Somewhat
-    This is mainly for developers.
-    With the support of PHP 8.4, we introduced a new environment
-    variable, ICINGAWEB_ENVIRONMENT. Unless set to dev, Icinga Web
-    will not show nor log deprecation notices anymore.
-</description>
-  <package>icinga-php-thirdparty</package>
-  <package>icinga-php-library</package>
-  <package>icingaweb2</package>
-</patchinfo>

patchinfo.20251209165835367165.93181000773252/_patchinfo

@@ -1,13 +0,0 @@
-<patchinfo incident="packagehub-52">
-  <issue tracker="cve" id="2025-53881">cve#2025-53881 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-53881</issue>
-  <issue tracker="bnc" id="1246457">VUL-0: CVE-2025-53881: exim: SUSE-specific logrotate configuration allows escalation from mail user/group to root</issue>
-  <packager>bigironman</packager>
-  <rating>moderate</rating>
-  <category>security</category>
-  <summary>Security update for exim</summary>
-  <description>This update for exim fixes the following issues:
-
-- CVE-2025-53881: Fixed a potential security issue with logfile rotation (bsc#1246457)
-</description>
-  <package>exim</package>
-</patchinfo>

patchinfo.20251210101443200408.93181000773252/_patchinfo

@@ -1,18 +0,0 @@
-<patchinfo incident="packagehub-53">
-  <packager>michals</packager>
-  <rating>moderate</rating>
-  <category>recommended</category>
-  <summary>Recommended update for virtme</summary>
-  <description>This update for virtme fixes the following issues:
-
-- Update to 1.40:
-  * No significant change, this is just a very small hotfix release
-    to solve a packaging problem introduced by a conflict with the
-    new vng-mcp tool.
-  * While at it, there're also some small improved hints in the MCP
-    server, so that AI agents can better understand how to build
-    the kernel using vng --build.
-</description>
-  <package>virtme</package>
-  <seperate_build_arch/>
-</patchinfo>

patchinfo.20251210102155991569.93181000773252/_patchinfo

@@ -1,20 +0,0 @@
-<patchinfo incident="packagehub-57">
-  <issue tracker="bnc" id="1254531">cmake-extras: Could not locate qmlplugindump</issue>
-  <issue tracker="bnc" id="1239788">cmake4: build failure tracker bug.</issue>
-  <packager>hillwood</packager>
-  <rating>moderate</rating>
-  <category>recommended</category>
-  <summary>Recommended update for cmake-extras</summary>
-  <description>This update for cmake-extras fixes the following issues:
-
-- Support both qmlplugindump-qt5 and qmlplugindump-qt6 (boo#1254531)
-- Fix filename and path of qmlplugindump-qt5 for openSUSE
-- Update to 1.9
-  * add support for CMake 4.0
-- Update to 1.8
-  * GMock: wire dependencies between GMock step and library files
-  * QmlPlugins: Crude support for qt6
-</description>
-  <package>cmake-extras</package>
-  <seperate_build_arch/>
-</patchinfo>

patchinfo.20251210175743200408.93181000773252/_patchinfo

@@ -1,11 +0,0 @@
-<patchinfo incident="packagehub-58">
-  <packager>pgajdos</packager>
-  <rating>moderate</rating>
-  <category>optional</category>
-  <summary>Optional update for rawtherapee</summary>
-  <description>This update for rawtherapee fixes the following issues:
-
-Ship rawtherapee image editor.
-</description>
-  <package>rawtherapee</package>
-</patchinfo>

patchinfo.20251211092111744764.93181000773252/_patchinfo

@@ -1,17 +0,0 @@
-<patchinfo incident="packagehub-55">
-  <issue tracker="cve" id="2025-14372">cve#2025-14372 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-14372</issue>
-  <issue tracker="bnc" id="1254776">VUL-0: chromium: release 143.0.7499.109</issue>
-  <issue tracker="cve" id="2025-14373">cve#2025-14373 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-14373</issue>
-  <packager>AndreasStieger</packager>
-  <rating>important</rating>
-  <category>security</category>
-  <summary>Security update for chromium</summary>
-  <description>This update for chromium fixes the following issues:
-
-- Chromium 143.0.7499.109 (boo#1254776):
-  * CVE-2025-14372: Use after free in Password Manager
-  * CVE-2025-14373: Inappropriate implementation in Toolbar
-  * third issue with an exploit is known to exist in the wild
-</description>
-  <package>chromium</package>
-</patchinfo>

patchinfo.20251214181248399975.93181000773252/_patchinfo

@@ -1,15 +0,0 @@
-<patchinfo incident="packagehub-56">
-  <issue tracker="bnc" id="1254386">labwc crashes when turning display off with wlr-randr (fixed in upstream and Factory)</issue>
-  <packager>lucsansag</packager>
-  <rating>moderate</rating>
-  <category>recommended</category>
-  <summary>Recommended update for labwc</summary>
-  <description>This update for labwc fixes the following issues:
-
-Changes in labwc:
-
-- Fixed layershell unmap segfault when no outputs left (boo#1254386)
-</description>
-  <package>labwc</package>
-  <seperate_build_arch/>
-</patchinfo>

patchinfo.20251217091639760898.93181000773252/_patchinfo

@@ -1,65 +0,0 @@
-<patchinfo incident="packagehub-59">
-  <issue tracker="cve" id="2025-21614">CVE-2025-21614 go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies</issue>
-  <issue tracker="bnc" id="1247629">VUL-0: CVE-2025-21613: cheat: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
-  <issue tracker="cve" id="2025-58181">VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
-  <issue tracker="cve" id="2025-21613">VUL-0: CVE-2025-21613: TRACKERBUG: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
-  <issue tracker="cve" id="2025-47913">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
-  <issue tracker="bnc" id="1253922">VUL-0: CVE-2025-58181: cheat: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
-  <issue tracker="cve" id="2025-47914">VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
-  <issue tracker="cve" id="2025-22870">VUL-0: CVE-2025-22870: TRACKERBUG: golang.org/net/http, golang.org/x/net/proxy, golang.org/x/net/http/httpproxy: proxy bypass using IPv6 zone IDs</issue>
-  <issue tracker="cve" id="2023-48795">VUL-0: CVE-2023-48795: openssh: prefix truncation breaking ssh channel integrity aka Terrapin Attack</issue>
-  <issue tracker="bnc" id="1254051">VUL-0: CVE-2025-47914: cheat: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
-  <issue tracker="bnc" id="1253593">VUL-0: CVE-2025-47913: cheat: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
-  <issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
-  <packager>witekbedyk</packager>
-  <rating>important</rating>
-  <category>security</category>
-  <summary>Security update for cheat</summary>
-  <description>This update for cheat fixes the following issues:
-
-- Security:
-  * CVE-2025-47913: Fix client process termination (bsc#1253593)
-  * CVE-2025-58181: Fix potential unbounded memory consumption (bsc#1253922)
-  * CVE-2025-47914: Fix panic due to an out of bounds read (bsc#1254051)
-  * Replace golang.org/x/crypto=golang.org/x/crypto@v0.45.0
-  * Replace golang.org/x/net=golang.org/x/net@v0.47.0
-  * Replace golang.org/x/sys=golang.org/x/sys@v0.38.0
-
-- Packaging improvements:
-  * Drop Requires: golang-packaging. The recommended Go toolchain
-    dependency expression is BuildRequires: golang(API) &gt;= 1.x or
-    optionally the metapackage BuildRequires: go
-  * Use BuildRequires: golang(API) &gt;= 1.19 matching go.mod
-  * Build PIE with pattern that may become recommended procedure:
-    %%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
-    A go toolchain buildmode default config would be preferable
-    but none exist at this time.
-  * Drop mod=vendor, go1.14+ will detect vendor dir and auto-enable
-  * Remove go build -o output binary location and name. Default
-    binary has the same name as package of func main() and is
-    placed in the top level of the build directory.
-  * Add basic %check to execute binary --help
-
-- Packaging improvements:
-  * Service go_modules replace dependencies with CVEs
-  * Replace github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1
-    Fix GO-2025-3754 GHSA-2x5j-vhc8-9cwm
-  * Replace golang.org/x/net=golang.org/x/net@v0.36.0
-    Fixes GO-2025-3503 CVE-2025-22870
-  * Replace golang.org/x/crypto=golang.org/x/crypto@v0.35.0
-    Fixes GO-2023-2402 CVE-2023-48795 GHSA-45x7-px36-x8w8
-    Fixes GO-2025-3487 CVE-2025-22869
-  * Replace github.com/go-git/go-git/v5=github.com/go-git/go-git/v5@v5.13.0
-    Fixes GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4
-    Fixes GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m
-  * Service tar_scm set mode manual from disabled
-  * Service tar_scm create archive from git so we can exclude
-    vendor directory upstream committed to git. Committed vendor
-    directory contents have build issues even after go mod tidy.
-  * Service tar_scm exclude dir vendor
-  * Service set_version set mode manual from disabled
-  * Service set_version remove param basename not needed
-</description>
-  <package>cheat</package>
-  <seperate_build_arch/>
-</patchinfo>

patchinfo.20251218074156387460.187004354831441/_patchinfo

@@ -1,21 +0,0 @@
-<patchinfo incident="packagehub-60">
-  <issue tracker="cve" id="2025-14766">VUL-0: chromium: release 143.0.7499.146</issue>
-  <issue tracker="cve" id="2025-14174">Google Chrome: chromium: Out of bounds memory access via crafted HTML page</issue>
-  <issue tracker="bnc" id="1255115">VUL-0: chromium: release 143.0.7499.146</issue>
-  <issue tracker="cve" id="2025-14765">VUL-0: chromium: release 143.0.7499.146</issue>
-  <packager>oertel</packager>
-  <rating>important</rating>
-  <category>security</category>
-  <summary>Security update for chromium</summary>
-  <description>This update for chromium fixes the following issues:
-
-Changes in chromium:
-
-Chromium 143.0.7499.146 (boo#1255115):
-
-  * CVE-2025-14765: Use after free in WebGPU
-  * CVE-2025-14766: Out of bounds read and write in V8
-  * CVE-2025-14174: Out of bounds memory access in ANGLE
-</description>
-  <package>chromium</package>
-</patchinfo>

patchinfo.20251227105549305039.187004354831441/_patchinfo

@@ -1,31 +0,0 @@
-<patchinfo>
-  <packager>DocB</packager>
-  <rating>moderate</rating>
-  <category>recommended</category>
-  <summary>Recommended update for gnuhealth, trytond, tryton</summary>
-  <description>This update for gnuhealth, trytond, tryton fixes the following issues:
-
-Changes in gnuhealth:
-
-version 5.0.2
-
-  * inconsistent naming of package and directories, switch to local copy
-  * gnuhealth.keyring removed due to local copy
-  * Remove unused dependencies from health module
-  * Wrong cursor field teeth (dentistry module)
-  * remove pillow dependency from lab and dentistry
-
-Changes in trytond:
-
-- Version 7.0.42 - Bugfix Release
-- Version 7.0.36 - Security Release for issue #14220
-
-Changes in tryton:
-
-- Version 7.0.31 - Bugfix Release
-</description>
-  <package>gnuhealth</package>
-  <package>trytond</package>
-  <package>tryton</package>
-  <seperate_build_arch/>
-</patchinfo>

workflow.config

@@ -65,7 +65,6 @@
         "mschnitzer",
         "msmeissn",
         "openqa-maintenance",
-        "rfrohl",
         "foursixnine-openqa",
         "szarate"
         ],