Update patchinfo.20251025182836794674.93181000773252/_patchinfo

removed  <seperate_build_arch/>

.gitmodules

@@ -26106,3 +26106,7 @@
 	path = perl-MCP
 	url = ../../pool/perl-MCP
 	branch = leap-16.0
+[submodule "fprintd"]
+	path = fprintd
+	url = ../../pool/fprintd
+	branch = leap-16.0

patchinfo.20251016111300220521.93181000773252/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="packagehub-11">
+  <issue tracker="bnc" id="1250487">VUL-0: CVE-2025-59682: python-Django,python-Django4: Potential partial directory-traversal via archive.extract()</issue>
+  <issue tracker="cve" id="2025-59682">VUL-0: CVE-2025-59682: python-Django,python-Django4: Potential partial directory-traversal via archive.extract()</issue>
+  <issue tracker="cve" id="2025-59681"/>
+  <issue tracker="bnc" id="1250485">VUL-0: CVE-2025-59681: python-Django,python-Django4: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB</issue>
+  <packager>mcalabkova</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for python-Django</summary>
+  <description>This update for python-Django fixes the following issues:
+
+- CVE-2025-59681: Fixed a potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (boo#1250485)
+- CVE-2025-59682: Fixed a potential partial directory-traversal via archive.extract() (boo#1250487)
+</description>
+  <package>python-Django</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251023150135882810.90520734224245/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-9">
+  <packager>dgarcia</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for fprintd</summary>
+  <description>
+This update ships fprintd 1.94.4 to openSUSE Leap 16.0 and SLES Package Hub 16.0
+</description>
+  <package>fprintd</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251025182237146698.93181000773252/_patchinfo

@@ -0,0 +1,129 @@
+<patchinfo incident="packagehub-13">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst</summary>
+  <description>This update for openQA, os-autoinst fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1761296552.ae7c17aa:
+  * Add tests for file_security_policy
+  * Pass parameter $is_userfile to log_url
+  * Remove redirect and serve files as attachments if necessary
+  * Serve files uploaded by tests via asset domain
+  * Use direct link to subdomain for the test assets
+  * Revert "Don't redirect to asset domain via /needles/ID/(image|json) route"
+  * Revert "Don't redirect screenshots, thumbs and needles to files_domain"
+
+- Update to version 5.1761228068.a3a7f84d:
+  * Dependency cron 2025-10-23
+
+- Update to version 5.1761037330.ad78558e:
+  * Avoid needless check for number of clones
+  * Avoid creation of `git_clone` tasks for jobs with empty `DISTRI`
+
+- Update to version 5.1760515610.a802d1dd:
+  * Lower the prio of archiving jobs to avoid piling up finalize jobs
+  * Add signatures in Schema::Result::ApiKeys
+
+- Update to version 5.1760245411.e3aeaaec:
+  * Dependency cron 2025-10-12
+
+- Update to version 5.1760108577.fd2f2a48:
+  * Log unavailability due to high load only as warning
+  * Filter job stats of scheduled products also by arch and build
+  * Document how to disable image optimizations
+  * Make image optimization errors stop the job producing an incomplete job
+  * Improve wording in description about job stats API
+  * Run `optipng` for real and handle errors if it fails
+
+- Update to version 5.1759912962.689b31ed:
+  * Avoid failing `obs_rsync_run` jobs when restarting `openqa-gru.service`
+
+- Update to version 5.1759834744.06a7028a:
+  * parser: ktap: Return earlier if subtest result is SKIP
+  * parser: ktap: Fallback to subtest index if name is not available
+
+- Update to version 5.1759440640.bb989cab:
+  * Don't redirect to asset domain via /needles/ID/(image|json) route
+
+- Update to version 5.1759402042.49e912c3:
+  * Introduce array job settings
+  * Retry `obs_rsync_update_*` tasks if Gru service terminates
+
+- Update to version 5.1759329378.3b8e8685:
+  * Reduce the number of required checks for Mergify again
+  * Ensure a failing cache service is seen as such by the worker/scheduler
+
+- Update to version 5.1759248257.70b23b32:
+  * Increase number of successful checks in Mergify config again
+  * Disable Helm Chart CI checks temporarily
+  * Consider all jobs for cleanup, not just jobs that were executed
+  * Verify job deletion when dependent job present
+
+- Update to version 5.1759149505.49c40b0b:
+  * Use always the latest PostgreSQL image in Compose and documentation
+  * Update the PostgreSQL version in the contributing documentation
+  * Update PostgreSQL data path in Docker Compose file after updating to v18
+  * Specify PostgreSQL version in Docker Compose configuration explicitly
+  * mergify: Allow more time for dependabot update reaction
+  * Remove version property from docker-compose
+  * README: Fix openQA badge after switch to UEFI
+  * build(deps-dev): bump eslint from 9.35.0 to 9.36.0
+
+- Update to version 5.1758910696.7549bb98:
+  * Replace argument assignment with signatures on ObsRsync/Task
+  * Enable automatic dependabot updates again after improvements
+  * docs: Add instructions for a continuous dashboard setup
+  * Replace argument assignment with signatures Folders package
+  * Fully cover WebAPI::Plugin::ObsRsync::Controller::Folders
+  * script: Also use OPENQA_WEBUI_MODE for related services
+
+- Update to version 5.1758814503.03d923a4:
+  * Use Mojo::File in Worker for is_qemu_running
+  * Use Mojo::File in Worker for meminfo
+  * Document archiving of important jobs
+
+- Update to version 5.1758729450.b88c0b40:
+  * Reject jobs if worker is broken when receiving a new job
+
+- Update to version 5.1758711845.e5c02221:
+  * script: Allow to configure openQA mode
+  * t: run at least once Memorylimit register with max_rss_limit &gt; 0
+  * Replace argument assignation with signatures on MemoryLimit
+
+Changes in os-autoinst:
+
+- Update to version 5.1761036042.c43e4ab:
+  * Update perltidy
+  * Allow redirects in needle NeedleDownloader
+  * Don't overwrite firewall xml
+  * Add UEFI support for ipxe kernel boot
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+
+- Update to version 5.1759328765.e7438f7:
+  * Allow redirects in needle NeedleDownloader
+  * Don't overwrite firewall xml
+  * Add UEFI support for ipxe kernel boot
+  * t: Use consistent Mojo::File in 08-autotest as well
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+
+- Update to version 5.1759134946.e08d7c7:
+  * Add UEFI support for ipxe kernel boot
+  * t: Use consistent Mojo::File in 08-autotest as well
+  * os-autoinst-setup-multi-machine: Simplify determine_ethernet_interface
+  * os-autoinst-setup-multi-machine: Only call zypper when necessary
+  * os-autoinst-setup-multi-machine: Improve network interface check
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251025182836794674.93181000773252/_patchinfo

@@ -0,0 +1,28 @@
+<patchinfo>
+  <packager>jsulig</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for amarok</summary>
+  <description>This update for amarok fixes the following issues:
+
+Changes in amarok:
+
+- Update to version 3.3.1
+  * Enable saving and loading script console items, autocompletion
+    in script console, and re-enable some more scripting functionality
+  * Convert the remaining main UI toolbuttons to use icons from theme
+  * Clear out remnants of the now-discontinued MusicDNS service
+  * Fix example permission grant command in database settings (kde#386004)
+  * Fix equalizer gains not updating when selecting some presets (kde#463908)
+  * Fix continuing playback after timecoded tracks (cue files etc, (kde#270003)
+  * Fix MusicBrainz search
+  * Properly start CD playback if Amarok is not already running (kde#503310)
+  * Also transmit embedded cover art through MPRIS (kde#357620)
+  * Don't show transcoding dialog after canceling download (kde#275840)
+  * Load network information earlier to avoid crashes on startup (kde#507497)
+  * Try to export as-compatible-as-possible playlist files (kde#507329)
+  * Fix some random crashes during playback
+
+</description>
+  <package>amarok</package>
+</patchinfo>

patchinfo.20251027101939269288.187004354831441/_patchinfo

@@ -0,0 +1,48 @@
+<patchinfo incident="packagehub-10">
+  <issue tracker="cve" id="2025-10527">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10536">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10528">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10537">Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10529">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10532">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="cve" id="2025-10533">This vulnerability affects Firefox &lt; 143, Firefox ESR &lt; 115.28, Firefox ESR &lt; 140.3, Thunderbird &lt; 143, and Thunderbird &lt; 140.3.</issue>
+  <issue tracker="bnc" id="1249391">VUL-0: MozillaFirefox / MozillaThunderbird: update to 143.0 and 140.3esr</issue>
+  <packager>Yoshio_Sato</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for MozillaThunderbird</summary>
+  <description>This update for MozillaThunderbird fixes the following issues:
+
+Changes in MozillaThunderbird:
+
+Mozilla Thunderbird 140.3.0 ESR:
+
+  * Right-clicking 'List-ID' -&gt; 'Unsubscribe' created double encoded
+    draft subject
+  * Thunderbird could crash on startup
+  * Thunderbird could crash when importing mail
+  * Opening Website header link in RSS feed incorrectly re-encoded
+    URL parameters
+  MFSA 2025-78 (bsc#1249391)
+  * CVE-2025-10527
+    Sandbox escape due to use-after-free in the Graphics:
+    Canvas2D component
+  * CVE-2025-10528
+    Sandbox escape due to undefined behavior, invalid pointer in
+    the Graphics: Canvas2D component
+  * CVE-2025-10529
+    Same-origin policy bypass in the Layout component
+  * CVE-2025-10532
+    Incorrect boundary conditions in the JavaScript: GC component
+  * CVE-2025-10533
+    Integer overflow in the SVG component
+  * CVE-2025-10536
+    Information disclosure in the Networking: Cache component
+  * CVE-2025-10537
+    Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
+    ESR 140.3, Firefox 143 and Thunderbird 143
+
+</description>
+  <package>MozillaThunderbird</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251030080843825030.187004354831441/_patchinfo

@@ -0,0 +1,56 @@
+<patchinfo incident="packagehub-12">
+  <issue tracker="cve" id="2025-12441"/>
+  <issue tracker="cve" id="2025-12429"/>
+  <issue tracker="cve" id="2025-12431"/>
+  <issue tracker="cve" id="2025-12444"/>
+  <issue tracker="cve" id="2025-12428"/>
+  <issue tracker="cve" id="2025-12438"/>
+  <issue tracker="cve" id="2025-12435"/>
+  <issue tracker="cve" id="2025-12437"/>
+  <issue tracker="cve" id="2025-12443"/>
+  <issue tracker="cve" id="2025-12430"/>
+  <issue tracker="cve" id="2025-12440"/>
+  <issue tracker="cve" id="2025-12445"/>
+  <issue tracker="cve" id="2025-12446"/>
+  <issue tracker="cve" id="2025-12432"/>
+  <issue tracker="cve" id="2025-12436"/>
+  <issue tracker="cve" id="2025-12434"/>
+  <issue tracker="cve" id="2025-54874">VUL-0: CVE-2025-54874: TRACKERBUG: openjpeg: missing error check can lead to the use of an uninitialized pointer and cause an out-of-bounds heap</issue>
+  <issue tracker="cve" id="2025-12433"/>
+  <issue tracker="bnc" id="1252881">VUL-0: chromium: release 142.0.7444.59</issue>
+  <issue tracker="cve" id="2025-12439"/>
+  <issue tracker="cve" id="2025-12447"/>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Chromium 142.0.7444.59, the stable channel promotion of 142.
+
+Security fixes (boo#1252881):
+
+  * CVE-2025-12428: Type Confusion in V8
+  * CVE-2025-12429: Inappropriate implementation in V8
+  * CVE-2025-12430: Object lifecycle issue in Media
+  * CVE-2025-12431: Inappropriate implementation in Extensions
+  * CVE-2025-12432: Race in V8
+  * CVE-2025-12433: Inappropriate implementation in V8
+  * CVE-2025-12434: Race in Storage
+  * CVE-2025-12435: Incorrect security UI in Omnibox
+  * CVE-2025-12436: Policy bypass in Extensions
+  * CVE-2025-12437: Use after free in PageInfo
+  * CVE-2025-12438: Use after free in Ozone
+  * CVE-2025-12439: Inappropriate implementation in App-Bound Encryption
+  * CVE-2025-12440: Inappropriate implementation in Autofill
+  * CVE-2025-12441: Out of bounds read in V8
+  * CVE-2025-12443: Out of bounds read in WebXR
+  * CVE-2025-12444: Incorrect security UI in Fullscreen UI
+  * CVE-2025-12445: Policy bypass in Extensions
+  * CVE-2025-12446: Incorrect security UI in SplitView
+  * CVE-2025-12447: Incorrect security UI in Omnibox
+
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251030134459405257.187004354831441/_patchinfo

@@ -0,0 +1,24 @@
+<patchinfo incident="packagehub-14">
+  <packager>adrianSuSE</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for product-composer</summary>
+  <description>This update for product-composer fixes the following issues:
+
+Update to version 0.6.16:
+
+  - merge updateinfo's with same id into one
+  - error out on updateinfo with same id, but non-mergable content
+
+Update to version 0.6.15:
+
+  * Support updateinfo handling in arch specific meta data
+
+Update to version 0.6.14:
+
+  * option to disable joliet extensions on media
+  * no joliet extensions on source and debug media anymore
+</description>
+  <package>product-composer</package>
+  <seperate_build_arch/>
+</patchinfo>

staging.config

@@ -1,4 +1,10 @@
 {
   "ObsProject": "openSUSE:Backports:SLE-16.0",
-  "StagingProject": "openSUSE:Backports:SLE-16.0:PullRequest"
+  "StagingProject": "openSUSE:Backports:SLE-16.0:PullRequest",
+  "QA": [
+    {
+      "Name": "Leap",
+      "Origin": "openSUSE:Leap:16.0:Products"
+    },
+  ]
 }