Update submodules from pool/gitea-tea#1 and create patchinfo.20251126115642933537.93181000773252/_patchinfo

PR: products/PackageHub!216

.gitmodules

@@ -26106,3 +26106,31 @@
 	path = perl-MCP
 	url = ../../pool/perl-MCP
 	branch = leap-16.0
+[submodule "fprintd"]
+	path = fprintd
+	url = ../../pool/fprintd
+	branch = leap-16.0
+[submodule "python-acme"]
+	path = python-acme
+	url = ../../pool/python-acme
+	branch = leap-16.0
+[submodule "python-certbot"]
+	path = python-certbot
+	url = ../../pool/python-certbot
+	branch = leap-16.0
+[submodule "python-certbot-nginx"]
+	path = python-certbot-nginx
+	url = ../../pool/python-certbot-nginx
+	branch = leap-16.0
+[submodule "python-ConfigArgParse"]
+	path = python-ConfigArgParse
+	url = ../../pool/python-ConfigArgParse
+	branch = leap-16.0
+[submodule "python-josepy"]
+	path = python-josepy
+	url = ../../pool/python-josepy
+	branch = leap-16.0
+[submodule "python-pyRFC3339"]
+	path = python-pyRFC3339
+	url = ../../pool/python-pyRFC3339
+	branch = leap-16.0

0Backports/Backports.productcompose

@@ -147,6 +147,8 @@ packagesets:
   - kernel-livepatch-6_12_0-160000_4-rt
   - kernel-livepatch-6_12_0-160000_5-default
   - kernel-livepatch-6_12_0-160000_5-rt
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_6-rt
   - kernel-rt-livepatch
   - kernel-rt-livepatch-devel
   - krb5-mini
@@ -271,6 +273,12 @@ packagesets:
   - update-test-retracted
   - update-test-security
   - update-test-trivial
+  - xen
+  - xen-devel
+  - xen-libs
+  - xen-doc-html
+  - xen-tools
+  - xen-tools-domU
   - yum-utils
 
 # TODO: unneeded Leap package per architecture

patchinfo.20251016111300220521.93181000773252/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="packagehub-11">
+  <issue tracker="bnc" id="1250487">VUL-0: CVE-2025-59682: python-Django,python-Django4: Potential partial directory-traversal via archive.extract()</issue>
+  <issue tracker="cve" id="2025-59682">VUL-0: CVE-2025-59682: python-Django,python-Django4: Potential partial directory-traversal via archive.extract()</issue>
+  <issue tracker="cve" id="2025-59681"/>
+  <issue tracker="bnc" id="1250485">VUL-0: CVE-2025-59681: python-Django,python-Django4: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB</issue>
+  <packager>mcalabkova</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for python-Django</summary>
+  <description>This update for python-Django fixes the following issues:
+
+- CVE-2025-59681: Fixed a potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (boo#1250485)
+- CVE-2025-59682: Fixed a potential partial directory-traversal via archive.extract() (boo#1250487)
+</description>
+  <package>python-Django</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251023150135882810.90520734224245/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-9">
+  <packager>dgarcia</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for fprintd</summary>
+  <description>
+This update ships fprintd 1.94.4 to openSUSE Leap 16.0 and SLES Package Hub 16.0
+</description>
+  <package>fprintd</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251025182237146698.93181000773252/_patchinfo

@@ -0,0 +1,129 @@
+<patchinfo incident="packagehub-13">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst</summary>
+  <description>This update for openQA, os-autoinst fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1761296552.ae7c17aa:
+  * Add tests for file_security_policy
+  * Pass parameter $is_userfile to log_url
+  * Remove redirect and serve files as attachments if necessary
+  * Serve files uploaded by tests via asset domain
+  * Use direct link to subdomain for the test assets
+  * Revert "Don't redirect to asset domain via /needles/ID/(image|json) route"
+  * Revert "Don't redirect screenshots, thumbs and needles to files_domain"
+
+- Update to version 5.1761228068.a3a7f84d:
+  * Dependency cron 2025-10-23
+
+- Update to version 5.1761037330.ad78558e:
+  * Avoid needless check for number of clones
+  * Avoid creation of `git_clone` tasks for jobs with empty `DISTRI`
+
+- Update to version 5.1760515610.a802d1dd:
+  * Lower the prio of archiving jobs to avoid piling up finalize jobs
+  * Add signatures in Schema::Result::ApiKeys
+
+- Update to version 5.1760245411.e3aeaaec:
+  * Dependency cron 2025-10-12
+
+- Update to version 5.1760108577.fd2f2a48:
+  * Log unavailability due to high load only as warning
+  * Filter job stats of scheduled products also by arch and build
+  * Document how to disable image optimizations
+  * Make image optimization errors stop the job producing an incomplete job
+  * Improve wording in description about job stats API
+  * Run `optipng` for real and handle errors if it fails
+
+- Update to version 5.1759912962.689b31ed:
+  * Avoid failing `obs_rsync_run` jobs when restarting `openqa-gru.service`
+
+- Update to version 5.1759834744.06a7028a:
+  * parser: ktap: Return earlier if subtest result is SKIP
+  * parser: ktap: Fallback to subtest index if name is not available
+
+- Update to version 5.1759440640.bb989cab:
+  * Don't redirect to asset domain via /needles/ID/(image|json) route
+
+- Update to version 5.1759402042.49e912c3:
+  * Introduce array job settings
+  * Retry `obs_rsync_update_*` tasks if Gru service terminates
+
+- Update to version 5.1759329378.3b8e8685:
+  * Reduce the number of required checks for Mergify again
+  * Ensure a failing cache service is seen as such by the worker/scheduler
+
+- Update to version 5.1759248257.70b23b32:
+  * Increase number of successful checks in Mergify config again
+  * Disable Helm Chart CI checks temporarily
+  * Consider all jobs for cleanup, not just jobs that were executed
+  * Verify job deletion when dependent job present
+
+- Update to version 5.1759149505.49c40b0b:
+  * Use always the latest PostgreSQL image in Compose and documentation
+  * Update the PostgreSQL version in the contributing documentation
+  * Update PostgreSQL data path in Docker Compose file after updating to v18
+  * Specify PostgreSQL version in Docker Compose configuration explicitly
+  * mergify: Allow more time for dependabot update reaction
+  * Remove version property from docker-compose
+  * README: Fix openQA badge after switch to UEFI
+  * build(deps-dev): bump eslint from 9.35.0 to 9.36.0
+
+- Update to version 5.1758910696.7549bb98:
+  * Replace argument assignment with signatures on ObsRsync/Task
+  * Enable automatic dependabot updates again after improvements
+  * docs: Add instructions for a continuous dashboard setup
+  * Replace argument assignment with signatures Folders package
+  * Fully cover WebAPI::Plugin::ObsRsync::Controller::Folders
+  * script: Also use OPENQA_WEBUI_MODE for related services
+
+- Update to version 5.1758814503.03d923a4:
+  * Use Mojo::File in Worker for is_qemu_running
+  * Use Mojo::File in Worker for meminfo
+  * Document archiving of important jobs
+
+- Update to version 5.1758729450.b88c0b40:
+  * Reject jobs if worker is broken when receiving a new job
+
+- Update to version 5.1758711845.e5c02221:
+  * script: Allow to configure openQA mode
+  * t: run at least once Memorylimit register with max_rss_limit &gt; 0
+  * Replace argument assignation with signatures on MemoryLimit
+
+Changes in os-autoinst:
+
+- Update to version 5.1761036042.c43e4ab:
+  * Update perltidy
+  * Allow redirects in needle NeedleDownloader
+  * Don't overwrite firewall xml
+  * Add UEFI support for ipxe kernel boot
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+
+- Update to version 5.1759328765.e7438f7:
+  * Allow redirects in needle NeedleDownloader
+  * Don't overwrite firewall xml
+  * Add UEFI support for ipxe kernel boot
+  * t: Use consistent Mojo::File in 08-autotest as well
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+
+- Update to version 5.1759134946.e08d7c7:
+  * Add UEFI support for ipxe kernel boot
+  * t: Use consistent Mojo::File in 08-autotest as well
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+  * os-autoinst-setup-multi-machine: Only call zypper when necessary
+  * os-autoinst-setup-multi-machine: Improve network interface check
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251025182836794674.93181000773252/_patchinfo

@@ -0,0 +1,28 @@
+<patchinfo incident="packagehub-18">
+  <packager>jsulig</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for amarok</summary>
+  <description>This update for amarok fixes the following issues:
+
+Changes in amarok:
+
+- Update to version 3.3.1
+  * Enable saving and loading script console items, autocompletion
+    in script console, and re-enable some more scripting functionality
+  * Convert the remaining main UI toolbuttons to use icons from theme
+  * Clear out remnants of the now-discontinued MusicDNS service
+  * Fix example permission grant command in database settings (kde#386004)
+  * Fix equalizer gains not updating when selecting some presets (kde#463908)
+  * Fix continuing playback after timecoded tracks (cue files etc, (kde#270003)
+  * Fix MusicBrainz search
+  * Properly start CD playback if Amarok is not already running (kde#503310)
+  * Also transmit embedded cover art through MPRIS (kde#357620)
+  * Don't show transcoding dialog after canceling download (kde#275840)
+  * Load network information earlier to avoid crashes on startup (kde#507497)
+  * Try to export as-compatible-as-possible playlist files (kde#507329)
+  * Fix some random crashes during playback
+
+</description>
+  <package>amarok</package>
+</patchinfo>

patchinfo.20251027101618101208.187004354831441/_patchinfo

@@ -0,0 +1,32 @@
+<patchinfo incident="packagehub-16">
+  <packager>miska</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for knot</summary>
+  <description>This update for knot fixes the following issues:
+
+Changes in knot:
+
+- disable quic in stable releases due to the missing libraries
+
+update to version 3.5.1, see
+
+  https://www.knot-dns.cz/2025-10-16-version-351.html
+
+update to version 3.5.0, see
+
+  https://www.knot-dns.cz/2025-09-18-version-350.html
+
+update to version 3.4.8, see
+
+  https://www.knot-dns.cz/2025-07-29-version-348.html
+
+Use the libngtcp2_crypto_gnutls-devel instead of libngtcp2-devel
+to account for the openssl and gnutls devel files split in ngtcp2.
+
+update to version 3.4.7, see
+
+  https://www.knot-dns.cz/2025-06-04-version-347.html
+</description>
+  <package>knot</package>
+</patchinfo>

patchinfo.20251027101939269288.187004354831441/_patchinfo

@@ -0,0 +1,48 @@
+<patchinfo incident="packagehub-10">
+  <issue tracker="cve" id="2025-10527">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10536">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10528">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10537">Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10529">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10532">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10533">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 115.28, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="bnc" id="1249391">VUL-0: MozillaFirefox / MozillaThunderbird: update to 143.0 and 140.3esr</issue>
+  <packager>Yoshio_Sato</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for MozillaThunderbird</summary>
+  <description>This update for MozillaThunderbird fixes the following issues:
+
+Changes in MozillaThunderbird:
+
+Mozilla Thunderbird 140.3.0 ESR:
+
+  * Right-clicking 'List-ID' -&gt; 'Unsubscribe' created double encoded
+    draft subject
+  * Thunderbird could crash on startup
+  * Thunderbird could crash when importing mail
+  * Opening Website header link in RSS feed incorrectly re-encoded
+    URL parameters
+  MFSA 2025-78 (bsc#1249391)
+  * CVE-2025-10527
+    Sandbox escape due to use-after-free in the Graphics:
+    Canvas2D component
+  * CVE-2025-10528
+    Sandbox escape due to undefined behavior, invalid pointer in
+    the Graphics: Canvas2D component
+  * CVE-2025-10529
+    Same-origin policy bypass in the Layout component
+  * CVE-2025-10532
+    Incorrect boundary conditions in the JavaScript: GC component
+  * CVE-2025-10533
+    Integer overflow in the SVG component
+  * CVE-2025-10536
+    Information disclosure in the Networking: Cache component
+  * CVE-2025-10537
+    Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
+    ESR 140.3, Firefox 143 and Thunderbird 143
+
+</description>
+  <package>MozillaThunderbird</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251027103924170417.187004354831441/_patchinfo

@@ -0,0 +1,27 @@
+<patchinfo incident="packagehub-17">
+  <issue tracker="cve" id="2025-59438">VUL-0: CVE-2025-59438: TRACKERBUG: mbedtls: padding oracle attack possible through timing of cipher error reporting</issue>
+  <packager>dheidler</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for micropython</summary>
+  <description>This update for micropython fixes the following issues:
+
+Changes in micropython:
+
+- Build with mbedtls-3.6.5 instead of bundled 3.6.2 to fix CVE-2025-59438
+
+Version 1.26.0:
+
+  * Added machine.I2CTarget for creating I2C target devices on multiple ports.
+  * New MCU support: STM32N6xx (800 MHz, ML accel) &amp; ESP32-C2 (WiFi + BLE).
+  * Major float accuracy boost (~28% → ~98%), constant folding in compiler.
+  * Optimized native/Viper emitters; reduced heap use for slices.
+  * Time functions standardized (1970–2099); new boards across ESP32, SAMD, STM32, Zephyr.
+  * ESP32: ESP-IDF 5.4.2, flash auto-detect, PCNT class, LAN8670 PHY.
+  * RP2: compressed errors, better lightsleep, hard IRQ timers.
+  * Zephyr v4.0.0: PWM, SoftI2C/SPI, BLE runtime services, boot.py/main.py support.
+  * mpremote adds fs tree, improved df, portable config paths.
+  * Updated lwIP, LittleFS, libhydrogen, stm32lib; expanded hardware/CI tests.
+</description>
+  <package>micropython</package>
+</patchinfo>

patchinfo.20251030080843825030.187004354831441/_patchinfo

@@ -0,0 +1,56 @@
+<patchinfo incident="packagehub-12">
+  <issue tracker="cve" id="2025-12441"/>
+  <issue tracker="cve" id="2025-12429"/>
+  <issue tracker="cve" id="2025-12431"/>
+  <issue tracker="cve" id="2025-12444"/>
+  <issue tracker="cve" id="2025-12428"/>
+  <issue tracker="cve" id="2025-12438"/>
+  <issue tracker="cve" id="2025-12435"/>
+  <issue tracker="cve" id="2025-12437"/>
+  <issue tracker="cve" id="2025-12443"/>
+  <issue tracker="cve" id="2025-12430"/>
+  <issue tracker="cve" id="2025-12440"/>
+  <issue tracker="cve" id="2025-12445"/>
+  <issue tracker="cve" id="2025-12446"/>
+  <issue tracker="cve" id="2025-12432"/>
+  <issue tracker="cve" id="2025-12436"/>
+  <issue tracker="cve" id="2025-12434"/>
+  <issue tracker="cve" id="2025-54874">VUL-0: CVE-2025-54874: TRACKERBUG: openjpeg: missing error check can lead to the use of an uninitialized pointer and cause an out-of-bounds heap</issue>
+  <issue tracker="cve" id="2025-12433"/>
+  <issue tracker="bnc" id="1252881">VUL-0: chromium: release 142.0.7444.59</issue>
+  <issue tracker="cve" id="2025-12439"/>
+  <issue tracker="cve" id="2025-12447"/>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 142.0.7444.59, the stable channel promotion of 142.
+
+Security fixes (boo#1252881):
+
+  * CVE-2025-12428: Type Confusion in V8
+  * CVE-2025-12429: Inappropriate implementation in V8
+  * CVE-2025-12430: Object lifecycle issue in Media
+  * CVE-2025-12431: Inappropriate implementation in Extensions
+  * CVE-2025-12432: Race in V8
+  * CVE-2025-12433: Inappropriate implementation in V8
+  * CVE-2025-12434: Race in Storage
+  * CVE-2025-12435: Incorrect security UI in Omnibox
+  * CVE-2025-12436: Policy bypass in Extensions
+  * CVE-2025-12437: Use after free in PageInfo
+  * CVE-2025-12438: Use after free in Ozone
+  * CVE-2025-12439: Inappropriate implementation in App-Bound Encryption
+  * CVE-2025-12440: Inappropriate implementation in Autofill
+  * CVE-2025-12441: Out of bounds read in V8
+  * CVE-2025-12443: Out of bounds read in WebXR
+  * CVE-2025-12444: Incorrect security UI in Fullscreen UI
+  * CVE-2025-12445: Policy bypass in Extensions
+  * CVE-2025-12446: Incorrect security UI in SplitView
+  * CVE-2025-12447: Incorrect security UI in Omnibox
+
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251030134459405257.187004354831441/_patchinfo

@@ -0,0 +1,24 @@
+<patchinfo incident="packagehub-14">
+  <packager>adrianSuSE</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for product-composer</summary>
+  <description>This update for product-composer fixes the following issues:
+
+Update to version 0.6.16:
+
+  - merge updateinfo's with same id into one
+  - error out on updateinfo with same id, but non-mergable content
+
+Update to version 0.6.15:
+
+  * Support updateinfo handling in arch specific meta data
+
+Update to version 0.6.14:
+
+  * option to disable joliet extensions on media
+  * no joliet extensions on source and debug media anymore
+</description>
+  <package>product-composer</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251104153107003768.187004354831441/_patchinfo

@@ -0,0 +1,63 @@
+<patchinfo incident="packagehub-15">
+  <issue tracker="cve" id="2025-11710"/>
+  <issue tracker="cve" id="2025-11709"/>
+  <issue tracker="cve" id="2025-11715"/>
+  <issue tracker="bnc" id="1247774">[SLFO:Main] [SLES16.0] MozillaFirefox fails to build on s390x</issue>
+  <issue tracker="cve" id="2025-11712"/>
+  <issue tracker="cve" id="2025-11708"/>
+  <issue tracker="cve" id="2025-11714"/>
+  <issue tracker="cve" id="2025-11713"/>
+  <issue tracker="cve" id="2025-11711"/>
+  <issue tracker="bnc" id="1251263">VUL-0: MozillaFirefox / MozillaThunderbird: update to 144.0 and 140.4esr</issue>
+  <packager>MSirringhaus</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for MozillaThunderbird</summary>
+  <description>This update for MozillaThunderbird fixes the following issues:
+
+Mozilla Thunderbird 140.4:
+
+  * changed: Account Hub is now disabled by default for second
+    email account
+  * changed: Flatpak runtime has been updated to Freedesktop SDK
+    24.08
+  * fixed: Users could not read mail signed with OpenPGP v6 and
+    PQC keys
+  * fixed: Image preview in Insert Image dialog failed with CSP
+    error for web resources
+  * fixed: Emptying trash on exit did not work with some
+    providers
+  * fixed: Thunderbird could crash when applying filters
+  * fixed: Users were unable to override expired mail server
+    certificate
+  * fixed: Opening Website header link in RSS feed incorrectly
+    re-encoded URL parameters
+  * fixed: Security fixes
+
+MFSA 2025-85 (bsc#1251263):
+
+  * CVE-2025-11708
+    Use-after-free in MediaTrackGraphImpl::GetInstance()
+  * CVE-2025-11709
+    Out of bounds read/write in a privileged process triggered by
+    WebGL textures
+  * CVE-2025-11710
+    Cross-process information leaked due to malicious IPC
+    messages
+  * CVE-2025-11711
+    Some non-writable Object properties could be modified
+  * CVE-2025-11712
+    An OBJECT tag type attribute overrode browser behavior on web
+    resources without a content-type
+  * CVE-2025-11713
+    Potential user-assisted code execution in “Copy as cURL”
+    command
+  * CVE-2025-11714
+    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
+    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
+  * CVE-2025-11715
+    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
+    ESR 140.4, Firefox 144 and Thunderbird 144
+</description>
+  <package>MozillaThunderbird</package>
+</patchinfo>

patchinfo.20251106083153138720.187004354831441/_patchinfo

@@ -0,0 +1,23 @@
+<patchinfo incident="packagehub-19">
+  <issue tracker="bnc" id="1253089">VUL-0: chromium: release 142.0.7444.134</issue>
+  <issue tracker="cve" id="2025-12727"/>
+  <issue tracker="cve" id="2025-12725"/>
+  <issue tracker="cve" id="2025-12729">VUL-0: chromium: release 142.0.7444.134</issue>
+  <issue tracker="cve" id="2025-12728"/>
+  <issue tracker="cve" id="2025-12726"/>
+  <packager>AndreasStieger</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 142.0.7444.134 (boo#1253089):
+
+  * CVE-2025-12725: Out of bounds write in WebGPU
+  * CVE-2025-12726: Inappropriate implementation in Views
+  * CVE-2025-12727: Inappropriate implementation in V8
+  * CVE-2025-12728: Inappropriate implementation in Omnibox
+  * CVE-2025-12729: Inappropriate implementation in Omnibox
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251111094408723997.187004354831441/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-20">
+  <packager>adrianSuSE</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for product-composer</summary>
+  <description>This update for product-composer fixes the following issues:
+
+Update to version 0.6.17:
+
+  - fix multiarch media handling of updateinfo id's
+</description>
+  <package>product-composer</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251112154630847363.187004354831441/_patchinfo

@@ -0,0 +1,16 @@
+<patchinfo incident="packagehub-21">
+  <issue tracker="bnc" id="1253267">VUL-0: chromium: release 142.0.7444.162</issue>
+  <issue tracker="cve" id="2025-13042">VUL-0: chromium: release 142.0.7444.162</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 142.0.7444.162 (boo#1253267):
+
+  * CVE-2025-13042: Inappropriate implementation in V8
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251113160751974202.187004354831441/_patchinfo

@@ -0,0 +1,16 @@
+<patchinfo incident="packagehub-28">
+  <packager>adrianSuSE</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for product-composer</summary>
+  <description>This update for product-composer fixes the following issues:
+
+Changes in product-composer:
+
+Update to version 0.6.18:
+
+  - Fix filtering of not used rpms in updateinfo
+</description>
+  <package>product-composer</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251113161402184432.187004354831441/_patchinfo

@@ -0,0 +1,140 @@
+<patchinfo incident="packagehub-29">
+  <packager>mgorse</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for gramps</summary>
+  <description>This update for gramps fixes the following issues:
+
+Changes in gramps:
+
+Update to version 6.0.3:
+
+  * Revert “Pass an object rather than a handle to the note editor callback”.
+    Fixes #13884.
+  * Update translations.
+
+Update to version 6.0.2;
+
+  * Fix date modifiers for lt.
+  * Update translation template for new release.
+  * Add optimization to HasIdOf rules.
+  * Connect the Help button in the repository reference editor. Fixes #13352.
+  * Pass an object rather than a handle to the note editor callback. Fixes
+    #13702.
+  * Fix broken compound dates with bce year in XML import. Fixes #13631.
+  * Avoid multiple copies of Rules after Plugin manager reload. Fixes #13844.
+  * Fix bad surname list after upgrade from bsddb. Fixes #13807.
+  * Fix narrated web when two places have same name but a different type. Fixes
+    #13841.
+  * Fix crash in citation view due to wrong filter_info. Fixes #13796.
+  * Don’t attempt to call set_orientation if self.pui is None. Fixes #13820.
+  * Don’t crash in search_changed if self.search_list has no active item. Fixes
+    #13793.
+  * Fix incorrect addons project after upgrade from Gramps 5.2. Fixes #13789.
+  * Respect user choice of CSS files for existing narrated web site. Fixes
+    #13792.
+  * Ensure that the spell checker gets removed with the editor. Fixes #13795.
+  * Fix Optimizer class when combining sub-filters. Fixes #13799.
+  * Remove check for Gtk translations in Snap packages.
+  * Update translations.
+
+Update to version 6.0.1:
+
+  * Update translations: ar, br, ca, cs, de, de_AT, el, en_GB, es, fi, fr, ga,
+    he, it, ja, ko, nb, nl, pl, pt_PT, ro, sk, sv, tr, uk, zh_CN.
+  * Update translation template for new release.
+  * Extend SearchBar so that it supports text search and filters. Fixes #13720.
+  * Fix patronymic in name display. Fixes #13764.
+  * Update links in the README to v6.0.
+  * Update the INSTALL file. Issue #13717.
+
+    + Change install from setup.py to pip.
+    + Update typical installation locations.
+    + Remove the --resourcepath option which no longer exists.
+
+  * Fix wiki help link in the Addon Manager. Fixes #13735.
+  * Remove the outer progress meter from the filter prepare phase. Fixes #13725.
+  * Fix error when importing a GEDCOM file into an existing tree. Fixes #13726.
+  * Avoid empty metadata fields. Fixes #13721.
+  * Update Italian date modifiers.
+
+Update to version 6.0.0:
+
+  * Full changelog available at
+    https://gramps-project.org/blog/2025/03/gramps-6-0-0-released/
+  * Reports
+
+    + The narrative web report has four main improvements:
+
+      - New indexes for big databases.
+      - Add heatmap.
+      - Improve language and hamburger menus.
+      - Show other roles for an event.
+
+    + Other report changes:
+
+      - Add gender symbol option to the detailed descendant, detailed ancestral
+        and descendant report.
+      - Add Gramps ID option to Kinship Report.
+      - Tree reports convert images to thumbnails for embedding. This allows
+        cropped rectangles selected in the media references to be displayed.
+      - Report options are now memorised on a per family tree (database) level.
+
+  * Gramplets
+
+    + Improvements to the backlinks (References) gramplets:
+    + Allow an object to be made active from within the backlinks gramplet.
+    + Add a context menu to make “Edit” and “Make Active” more discoverable.
+    + Allow objects in the backlinks gramplets to be dragged to the clipboard.
+    + Add edit capability to the notes gramplets.
+    + Enhanced version of the Filter gramplet.
+
+  * Selector dialogs
+    + A standard search bar has been added to the person selector dialog. It
+      may default to selecting men or women by default, but selecting on other
+      columns is possible.
+    + It is now possible to select multiple media objects in the media selector
+      and gallery tabs.
+    + The media selector has a new path column.
+
+  * Other changes
+
+    + Improvements to the Probably Alive code.
+    + New rules: “Has Event”, “Has Source” and “Having Note of Type”.
+    + New Gedcom 7.0 event roles: “Father”, Mother”, “Parent”, “Child”, “Multiple”, Friend”, “Neighbour” and “Officiator”.
+    + Allow web-accessible file references in media objects.
+    + Add a preference option for the selection of the toolbar style.
+    + Enhancements to the help display. This is ongoing though.
+    + Enable Web Connection menu in all list views.
+
+Update to version 5.2.4:
+
+  * Fix Citations gramplet to recognize event reference citations. Fixes #13555.
+  * Fix exception when finding relationship to home person. Fixes #13495.
+  * Fix mouse scroll direction in pedigree view.
+  * Fix incorrect usage of exec. As of PEP558, locals() is not populated by
+    exec(). This change means that this call is broken on Python 3.13.
+  * Remove some usage of globals().
+  * Remove unnecessary use of exec.
+  * Test current_date being an empty date in probably alive function. Fixes #13431.
+  * Improve warning message in date_test.py when 3 tests are skipped.
+  * Correctly assign sortval = 0 when a date is EMPTY. Fixes #13415, #13423.
+  * Fix unicode conversion bug when upgrading from schema 16 to 17.
+  * Correct the documentation for the match() method of the Date class. Also
+    added more detail to documentation in 3 other cases. Fixes #13428.
+  * Gramps version output now reports OS rather than Platform. Fixes #12285.
+  * Downgrade upgrade messages from warning to informational level. Fixes #13464.
+  * Fix list size option in the top surnames gramplet. Allow users to specify
+    how many surnames appear in the list from 10 to 1000. Fixes #13448.
+  * Correct misleading description of GUI element placement.
+  * Use the preferred calendar for new dates only in the date editor. Fixes #13403.
+  * Fix docs typo in INSTALL file.
+  * Fix printing of Books. Fixes #12804.
+  * Render reports with styled notes containing subscript and strikethrough. Fixes #13417.
+  * Remove broken link to svn2cl package in the About dialog. Fixes #13152.
+  * Improve media performance in the narrative web report. Fixes #13370.
+  * Updated translations.
+</description>
+  <package>gramps</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251114110535882810.90520734224245/_patchinfo

@@ -0,0 +1,16 @@
+<patchinfo incident="packagehub-22">
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for certbot</summary>
+  <description>This update for certbot fixes the following issues:
+
+This update adds the certbot stack. (python modules: ConfigArgParse, acme, certbot, certbot-nginx, josepy, pyRFC3339).
+</description>
+<package>python-ConfigArgParse</package>
+<package>python-acme</package>
+<package>python-certbot</package>
+<package>python-certbot-nginx</package>
+<package>python-josepy</package>
+<package>python-pyRFC3339</package>
+</patchinfo>

patchinfo.20251117132013106524.187004354831441/_patchinfo

@@ -0,0 +1,31 @@
+<patchinfo incident="packagehub-23">
+  <issue tracker="bnc" id="1238516">quilt: cannot refresh patches for non-x86 code</issue>
+  <issue tracker="bnc" id="1236907">rpm,quilt: update to rpm 4.20 breaks many "quilt setup" invocations</issue>
+  <packager>jdelvare</packager>
+  <rating>important</rating>
+  <category>recommended</category>
+  <summary>Recommended update for quilt</summary>
+  <description>This update for quilt fixes the following issues:
+
+Changes in quilt:
+
+Update to version 0.69:
+
+  * Fix escaping of % and backslash in patch names
+  * new: Stop claiming support of option -p ab
+  * patches: Several performance optimizations
+  * series: Simplify the code
+
+- Make it possible to run "quilt setup" on a spec file which excludes the local
+  architecture (boo#1238516).
+
+- Fix building noarch packages with rpm &gt;= 4.20 (boo#1236907).
+- Make it possible to preprocess spec files which do not comply with the standard. Most
+  notably multibuild OBS spec files need to be preprocessed. Use
+  option "--spec-filter=obs" for these (boo#1236907).
+- Detect the change of build root path hierarchy introduced by rpm 4.20 (boo#1236907).
+- Install the bash completion file to the right directory (reported
+  by rpmlint).
+</description>
+  <package>quilt</package>
+</patchinfo>

patchinfo.20251118105940725571.187004354831441/_patchinfo

@@ -0,0 +1,19 @@
+<patchinfo incident="packagehub-24">
+  <issue tracker="bnc" id="1253698">(CVE-2025-13223) (CVE-2025-13224) VUL-0 chromium: release 142.0.7444.175</issue>
+  <issue tracker="cve" id="2025-13224">(CVE-2025-13223) (CVE-2025-13224) VUL-0 chromium: release 142.0.7444.175</issue>
+  <issue tracker="cve" id="2025-13223"/>
+  <packager>oertel</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+Chromium 142.0.7444.175 (boo#1253698):
+
+  * CVE-2025-13223: Type Confusion in V8
+  * CVE-2025-13224: Type Confusion in V8
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251118110024655567.187004354831441/_patchinfo

@@ -0,0 +1,67 @@
+<patchinfo incident="packagehub-27">
+  <issue tracker="cve" id="2025-13016">firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component</issue>
+  <issue tracker="cve" id="2025-13019">firefox: Same-origin policy bypass in the DOM: Workers component</issue>
+  <issue tracker="cve" id="2025-13020">firefox: Use-after-free in the WebRTC: Audio/Video component</issue>
+  <issue tracker="cve" id="2025-13017">firefox: Same-origin policy bypass in the DOM: Notifications component</issue>
+  <issue tracker="cve" id="2025-13015">firefox: Spoofing issue in Firefox</issue>
+  <issue tracker="cve" id="2025-13012">VUL-0: MozillaFirefox / MozillaThunderbird: update to 145.0 and 140.5esr</issue>
+  <issue tracker="cve" id="2025-13018">firefox: Mitigation bypass in the DOM: Security component</issue>
+  <issue tracker="cve" id="2025-13014">firefox: Use-after-free in the Audio/Video component</issue>
+  <issue tracker="cve" id="2025-13013">firefox: Mitigation bypass in the DOM: Core &amp; HTML component</issue>
+  <issue tracker="bnc" id="1253188">VUL-0: MozillaFirefox / MozillaThunderbird: update to 145.0 and 140.5esr</issue>
+  <packager>Yoshio_Sato</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for MozillaThunderbird</summary>
+  <description>This update for MozillaThunderbird fixes the following issues:
+
+Changes in MozillaThunderbird:
+
+Mozilla Thunderbird 140.5.0 ESR
+
+MFSA 2025-91 (bsc#1253188):
+
+  * CVE-2025-13012
+    Race condition in the Graphics component
+  * CVE-2025-13016
+    Incorrect boundary conditions in the JavaScript: WebAssembly
+    component
+  * CVE-2025-13017
+    Same-origin policy bypass in the DOM: Notifications component
+  * CVE-2025-13018
+    Mitigation bypass in the DOM: Security component
+  * CVE-2025-13019
+    Same-origin policy bypass in the DOM: Workers component
+  * CVE-2025-13013
+    Mitigation bypass in the DOM: Core &amp; HTML component
+  * CVE-2025-13020
+    Use-after-free in the WebRTC: Audio/Video component
+  * CVE-2025-13014
+    Use-after-free in the Audio/Video component
+  * CVE-2025-13015
+    Spoofing issue in Thunderbird
+  * fixed: Could not drag and drop ICS file to Today Pane
+  * fixed: With Thunderbird closed, clicking a 'mailto:' link to
+    send signed message failed
+  * fixed: Upgrade from 128.x-&gt;140.x broke authentication for
+    @att.net using Yahoo backend
+
+Mozilla Thunderbird 140.4.0 ESR
+
+  * Account Hub is now disabled by default for second email account
+  * Users could not read mail signed with OpenPGP v6 and PQC keys
+  * Image preview in Insert Image dialog failed with CSP error for web resources
+  * Emptying trash on exit did not work with some providers
+  * Thunderbird could crash when applying filters
+  * Users were unable to override expired mail server certificate
+  * Opening Website header link in RSS feed incorrectly re-encoded
+    URL parameters
+
+Mozilla Thunderbird 140.3.1 ESR:
+
+  * several bugfixes listed here
+    https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes
+-------------------------------------------------------------------
+</description>
+  <package>MozillaThunderbird</package>
+</patchinfo>

patchinfo.20251119124936938893.187004354831441/_patchinfo

@@ -0,0 +1,25 @@
+<patchinfo incident="packagehub-26">
+  <packager>cfconrad</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for synce4l</summary>
+  <description>This update for synce4l fixes the following issues:
+
+synce4l was updated to 1.1.1:
+
+  * fix possible resource leak
+  * fix requested thread stack size
+  * fix scorecard.yml
+  * initialize pin ID to -1
+  * fix crash in dpll_rt_recv()
+  * create scorecard.yml
+  * unlink smc_socket_path before binding
+  * check smc_socket_path length
+  * change default smc_socket_path to /run/synce4l_socket
+  * fix more compiler warnings
+
+- Initial packaging of version 1.0.0.
+</description>
+  <package>synce4l</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251119130842836205.187004354831441/_patchinfo

@@ -0,0 +1,54 @@
+<patchinfo incident="packagehub-25">
+  <issue tracker="bnc" id="1247368">nmon does not support max cpu configuration</issue>
+  <packager>dirkmueller</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for nmon</summary>
+  <description>This update for nmon fixes the following issues:
+
+Changes in nmon:
+
+- Increase CPU MAX to 2048 (bsc#1247368)
+
+update to 16q:
+
+  * bugfixes
+  * POWER pool_capacity now correctly divided by 100.
+  * Online view POWER Welcome panel on POWER reports the top MHz
+  Small changes only:
+  * Boottime shown online in the Kernel "k" panel
+  * Utilisation stats: /proc/stat now reports 10 Utilisation stats
+  * Bug caused Seg Faults core dumps fixed while collecting to a
+  * Fix: Improved memory handling for extreme numbers of processes
+    (1000's) or rapid exec of processes  (100's in a millisecond)
+    for large Linux servers. We have examples on Intel of 80 CPU
+  * Online Dot "." command no longer also changes what is displayed
+    as users said it was confusing.
+  * Minor online start-up flash screen text changes to include C
+    concise CPU stats and U for full  Utilisation stats (all 10 of
+    them) instead of a file.
+  * Copyright and GPL v3 notice in the code plus online "h" and
+  * Source code re-indented.
+  * Fixes for Welcome screen on Mainframe
+  * Fixed for Curses handling when collecting data to file - big
+    bug for main frame and x86.
+  * Fixes for Welcome screen on Mainframe
+  * Fixed for Curses handling when collecting data to file - big
+    bug for main frame and x86.
+    + You need a S822LC With NVIDIA GPU(s) and Nvidia Library
+      installed libnvidia-ml.so
+  * CPU Wide View - online view for up to 192 CPUs
+  * CPU MHz per Core ratings for machine that allow cores with
+    different MHz - online &amp; saved to file
+  * lscpu stats capture - online &amp; to file
+  * Z experiment mode showing CPU interrupts - Renamed U stats in
+    version 16b - online only
+  * Online colourising stats to aid usability - online only
+  * Massive improvement in help information: nmon -? and nmon -h
+  * Code change to alphabetic order for getopt() and key input
+  * New nmon logo on flash screen - online only
+  * Extra kernel stats - online only
+</description>
+  <package>nmon</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251126115642933537.93181000773252/_patchinfo

@@ -0,0 +1,86 @@
+<patchinfo>
+  <issue tracker="bnc" id="1251471">VUL-0: CVE-2025-47911: gitea-tea: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1251663">VUL-0: CVE-2025-58190: gitea-tea: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="cve" id="2025-58190">cve#2025-58190 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58190</issue>
+  <issue tracker="cve" id="2025-47911">cve#2025-47911 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47911</issue>
+  <packager>olh</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for gitea-tea</summary>
+  <description>This update for gitea-tea fixes the following issues:
+
+Changes in gitea-tea:
+
+- update to 0.11.1:
+  * 61d4e57 Fix Pr Create crash (#823)
+  * 4f33146 add test for matching logins (#820)
+  * 08b8398 Update README.md (#819)
+
+- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input (boo#1251663)
+- CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents (boo#1251471)
+
+- update to 0.11.0:
+  * Fix yaml output single quote (#814)
+  * generate man page (#811)
+  * feat: add validation for object-format flag in repo create
+    command (#741)
+  * Fix release version (#815)
+  * update gitea sdk to v0.22 (#813)
+  * don't fallback login directly (#806)
+  * Check duplicated login name in interact mode when creating new
+    login (#803)
+  * Fix bug when output json with special chars (#801)
+  * add debug mode and update readme (#805)
+  * update go.mod to retract the wrong tag v1.3.3 (#802)
+  * revert completion scripts removal (#808)
+  * Remove pagination from context (#807)
+  * Continue auth when failed to open browser (#794)
+  * Fix bug (#793)
+  * Fix tea login add with ssh public key bug (#789)
+  * Add temporary authentication via environment variables (#639)
+  * Fix attachment size (#787)
+  * deploy image when tagging (#792)
+  * Add Zip URL for release list (#788)
+  * Use bubbletea instead of survey for interacting with TUI (#786)
+  * capitalize a few items
+  * rm out of date comparison file
+  * README: Document logging in to gitea (#790)
+  * remove autocomplete command (#782)
+  * chore(deps): update ghcr.io/devcontainers/features/git-lfs
+    docker tag to v1.2.5 (#773)
+  * replace arch package url (#783)
+  * fix: Reenable -p and --limit switches (#778)
+
+- Update to 0.10.1+git.1757695903.cc20b52:
+  - feat: add validation for object-format flag in repo create
+    command (see gh#openSUSE/openSUSE-git#60)
+  - Fix release version
+  - update gitea sdk to v0.22
+  - don't fallback login directly
+  - Check duplicated login name in interact mode when creating
+    new login
+  - Fix bug when output json with special chars
+  - add debug mode and update readme
+  - update go.mod to retract the wrong tag v1.3.3
+  - revert completion scripts removal
+  - Remove pagination from context
+  - Continue auth when failed to open browser
+  - Fix bug
+  - Fix tea login add with ssh public key bug
+  - Add temporary authentication via environment variables
+  - Fix attachment size
+  - deploy image when tagging
+  - Add Zip URL for release list
+  - Use bubbletea instead of survey for interacting with TUI
+  - capitalize a few items
+  - rm out of date comparison file
+  - README: Document logging in to gitea
+  - remove autocomplete command
+  - chore(deps): update ghcr.io/devcontainers/features/git-lfs
+    docker tag to v1.2.5
+  - replace arch package url
+  - fix: Reenable `-p` and `--limit` switches
+</description>
+  <package>gitea-tea</package>
+  <seperate_build_arch/>
+</patchinfo>

staging.config

@@ -1,4 +1,4 @@
 {
   "ObsProject": "openSUSE:Backports:SLE-16.0",
-  "StagingProject": "openSUSE:Backports:SLE-16.0:PullRequest"
+  "StagingProject": "openSUSE:Backports:SLE-16.0:PullRequest",
 }