Update submodules from pool/orthanc#1, pool/gdcm#1, pool/orthanc-authorization#1, pool/orthanc-dicomweb#1, pool/orthanc-gdcm#1, pool/orthanc-indexer#1, pool/orthanc-mysql#1, pool/orthanc-neuro#1 and create patchinfo.20260209124750281584.93181000773252/_patchinfo

PR: products/PackageHub!393

.gitmodules

@@ -12966,6 +12966,10 @@
 	path = perl-Data-Visitor
 	url = ../../pool/perl-Data-Visitor
 	branch = leap-16.0
+[submodule "perl-Date-Manip"]
+	path = perl-Date-Manip
+	url = ../../pool/perl-Date-Manip
+	branch = leap-16.0
 [submodule "perl-DateTime-Calendar-Mayan"]
 	path = perl-DateTime-Calendar-Mayan
 	url = ../../pool/perl-DateTime-Calendar-Mayan
@@ -13750,6 +13754,10 @@
 	path = perl-Mojolicious-Plugin-OAuth2
 	url = ../../pool/perl-Mojolicious-Plugin-OAuth2
 	branch = leap-16.0
+[submodule "perl-Mojolicious-Plugin-OpenAPI"]
+	path = perl-Mojolicious-Plugin-OpenAPI
+	url = ../../pool/perl-Mojolicious-Plugin-OpenAPI
+	branch = leap-16.0
 [submodule "perl-Mojolicious-Plugin-Webpack"]
 	path = perl-Mojolicious-Plugin-Webpack
 	url = ../../pool/perl-Mojolicious-Plugin-Webpack
@@ -14346,6 +14354,10 @@
 	path = perl-TAP-Formatter-GitHubActions
 	url = ../../pool/perl-TAP-Formatter-GitHubActions
 	branch = leap-16.0
+[submodule "perl-TAP-Harness-JUnit"]
+	path = perl-TAP-Harness-JUnit
+	url = ../../pool/perl-TAP-Harness-JUnit
+	branch = leap-16.0
 [submodule "perl-Task-Weaken"]
 	path = perl-Task-Weaken
 	url = ../../pool/perl-Task-Weaken

patchinfo.20260127094025704164.93181000773252/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-108">
+  <packager>eroca</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for perl-Date-Manip</summary>
+  <description>This update for perl-Date-Manip fixes the following issues:
+
+Introduce perl-Date-Manip.
+</description>
+  <package>perl-Date-Manip</package>
+</patchinfo>

patchinfo.20260128085041420529.93181000773252/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-107">
+  <packager>eroca</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for perl-TAP-Harness-JUnit</summary>
+  <description>This update for perl-TAP-Harness-JUnit fixes the following issues:
+
+Introduce perl-TAP-Harness-JUnit.
+</description>
+  <package>perl-TAP-Harness-JUnit</package>
+</patchinfo>

patchinfo.20260203102131310899.93181000773252/_patchinfo

@@ -0,0 +1,117 @@
+<patchinfo incident="packagehub-106">
+  <issue tracker="cve" id="2025-15059"/>
+  <issue tracker="cve" id="2025-14422"/>
+  <issue tracker="cve" id="2025-14424"/>
+  <issue tracker="bnc" id="1255766">VUL-0: CVE-2025-15059: gimp: GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="bnc" id="1255294">VUL-0: CVE-2025-14423: gimp: LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-14425"/>
+  <issue tracker="cve" id="2025-14423"/>
+  <issue tracker="bnc" id="1255293">VUL-0: CVE-2025-14422: gimp: PNM File Parsing Integer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="bnc" id="1255295">VUL-0: CVE-2025-14424: gimp: XCF File Parsing Use-After-Free Remote Code Execution Vulnerability</issue>
+  <issue tracker="bnc" id="1255296">VUL-0: CVE-2025-14425: gimp: JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <packager>mgorse</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for gimp</summary>
+  <description>This update for gimp fixes the following issues:
+
+Changes in gimp:
+
+- Update to 3.0.8
+  - Font Loading Performance
+    - Improvements in start-up time for users with a large number
+      of fonts was backported from our 3.2 RC2 release. As a
+      result, we now wait to load images until fonts are
+      initialized - this prevents some occasional odd displays and
+      other issues when an XCF file tried to access a partially
+      loaded font.
+  - Assorted updates and fixes
+    - Daniel Plakhotich helped us identify an issue when exporting
+      a lossless WEBP image could be affected by lossy settings
+      (such as Quality being less than 100%). We’ve updated our
+      WEBP plug-in to prevent this from happening.
+    - Thanks to Jehan‘s efforts, the standard gimp-3.0 executable
+      can now be run with a --no-interface flag instead of
+      requiring users to call gimp-console-3.0 even on devices with
+      no display. The --show-debug-menu flag is now visible as
+      well.
+    - programmer_ceds improved our flatpak by adding safe guards to
+      show the correct configuration directory regardless of
+      whether XDG_CONFIG_HOME is defined on the user’s system. This
+      should make it much easier for flatpak users to install and
+      use third party plug-ins.
+    - We fixed a rare but possible crash when using the Equalize
+      filter on images with NaN values. Images that contain these
+      are usually created from scientific or mapping data, so
+      you’re unlikely to come across them in standard editing.
+    - Jeremy Bicha fixed an internal issue where the wrong version
+      number could be used when installing minor releases (such as
+      the 3.2 release candidates and upcoming 3.2 stable release).
+    - As noted in our 3.2RC2 news post, we have updated our SVG
+      import code to improve the rendered path.
+    - Further improvements have been made to our non-destructive
+      filter code to improve stability, especially when copying and
+      pasting layers and images with filters attached to them. Some
+      issues related to applying NDE filters on Quick Masks have
+      also been corrected.
+    - An unintended Search pop-up that appeared when typing while
+      the Channels dockable was selected has been turned off.
+    - When saving XCFs for GIMP 2.10 compatibility, we
+      unintentionally saved Grid color using the new color format.
+      This caused errors when reopening the XCF in 2.10. This
+      problem has now been fixed! If you encounter any other XCF
+      incompatibility, please let us know.
+  - Themes and UX
+    - The Navigation and Selection Editor dockables no longer show
+      a large bright texture when no image is actively selected.
+      This was especially noticeable on dark themes.
+    - When a layer has no active filters, the Fx column had the
+      same “checkbox” outline when hovered over as the lock column.
+      This led to confusion about clicking it to add filters. We
+      have removed the outline on hover as a small step to help
+      address this.
+    - Ondřej Míchal fixed alignment and cut-off issues with the
+      buttons on our Transform tool overlays. All buttons should
+      now be properly centered and visible.
+    - The options for filling layers with colors when resizing the
+      canvas will be turned off when not relevant (such as when you
+      set layers to not be resized).
+    - More GUI elements such as dialog header icons will now
+      respond to your icon size preferences.
+    - Ondřej Míchal has continued his work to update our UI with
+      the more usable Spin Scale widget. He has also updated the
+      widget itself to improve how it works for users and
+      developers alike.
+  - Security fixes
+    - Jacob Boerema and Gabriele Barbero continued to patch
+      potential security issues related to some of our file format
+      plug-ins. In addition to existing fixes mentioned in the
+      release candidate news posts, the following exploits are now
+      prevented: ZDI-CAN-28232 ZDI-CAN-28265 ZDI-CAN-28530
+      ZDI-CAN-28591 ZDI-CAN-28599
+    - Another potential issue related to ICO files with incorrect
+      metadata was reported by Dhiraj. It does not have a CVE
+      number yet, but it has been fixed for GIMP 3.0.8. Jacob
+      Boerema also fixed a potential issue with loading Creator
+      blocks in Paintshop Pro PSP images.
+  - API
+    - For plug-in and script developers, a few new public APIs were
+      backported to GIMP 3.0.8. gimp_cairo_surface_get_buffer ()
+      allows you to retrieve a GEGL buffer from a Cairo surface
+      (such as a text layer). Note that this deprecates
+      gimp_cairo_surface_create_buffer ().
+    - gimp_config_set_xcf_version () and
+      gimp_config_get_xcf_version () can be used to specify a
+      particular XCF version for a configuration. This will allow
+      you to have that data serialized/deserialized for certain
+      versions of GIMP if there were differences (such as the Grid
+      colors mentioned above).
+    - Fixes were made for retrieving image metadata via scripting.
+      GimpMetadata is now a visible child of GExiv2Metadata, so you
+      can use standard gexiv2 functions to retrieve information
+      from it.
+    - Original thumbnail metadata is also now removed on export to
+      prevent potential issues when exporting into a new format.
+</description>
+  <package>gimp</package>
+</patchinfo>

patchinfo.20260204115012215375.93181000773252/_patchinfo

@@ -0,0 +1,30 @@
+<patchinfo incident="packagehub-113">
+  <issue tracker="bnc" id="1257403">VUL-0: CVE-2025-14550: python-Django,python3-Django,python-Django6: Potential denial-of-service vulnerability via repeated headers when using ASGI</issue>
+  <issue tracker="bnc" id="1257406">VUL-0: CVE-2026-1285: python-Django,python3-Django,python-Django6: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods</issue>
+  <issue tracker="bnc" id="1257405">VUL-0: CVE-2026-1207: python-Django,python3-Django,python-Django6: Potential SQL injection via raster lookups on PostGIS</issue>
+  <issue tracker="cve" id="2026-1207"/>
+  <issue tracker="cve" id="2026-1312"/>
+  <issue tracker="cve" id="2026-1287"/>
+  <issue tracker="bnc" id="1257407">VUL-0: CVE-2026-1287: python-Django,python3-Django,python-Django6: Potential SQL injection in column aliases via control characters</issue>
+  <issue tracker="cve" id="2025-13473"/>
+  <issue tracker="bnc" id="1257401">VUL-0: CVE-2025-13473: python-Django,python3-Django,python-Django6: Username enumeration through timing difference in mod_wsgi authentication handler</issue>
+  <issue tracker="bnc" id="1257408">VUL-0: CVE-2026-1312: python-Django,python3-Django,python-Django6: Potential SQL injection via QuerySet.order_by and FilteredRelation</issue>
+  <issue tracker="cve" id="2025-14550"/>
+  <issue tracker="cve" id="2026-1285"/>
+  <packager>mcalabkova</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for python-Django</summary>
+  <description>This update for python-Django fixes the following issues:
+
+Changes in python-Django:
+
+- CVE-2026-1312: Fixed potential SQL injection via QuerySet.order_by and FilteredRelation (bsc#1257408).
+- CVE-2026-1287: Fixed potential SQL injection in column aliases via control characters (bsc#1257407).
+- CVE-2026-1207: Fixed potential SQL injection via raster lookups on PostGIS (bsc#1257405).
+- CVE-2026-1285: Fixed potential denial-of-service in django.utils.text.Truncator HTML methods (bsc#1257406).
+- CVE-2025-13473: Fixed username enumeration through timing difference in mod_wsgi authentication handler (bsc#1257401).
+- CVE-2025-14550: Fixed potential denial-of-service via repeated headers when using ASGI (bsc#1257403).
+</description>
+  <package>python-Django</package>
+</patchinfo>

patchinfo.20260204115510991084.93181000773252/_patchinfo

@@ -0,0 +1,22 @@
+<patchinfo incident="packagehub-112">
+  <issue tracker="cve" id="2026-1862"/>
+  <issue tracker="cve" id="2026-1861"/>
+  <issue tracker="bnc" id="1257650">VUL-0: chromium: release 144.0.7559.132</issue>
+  <packager>oertel</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+- Chromium 144.0.7559.132 (boo#1257650)
+  * CVE-2026-1861: Heap buffer overflow in libvpx in Google Chrome
+    prior to 144.0.7559.132 allowed a remote attacker to potentially
+    exploit heap corruption via a crafted HTML page.
+  * CVE-2026-1862: Type Confusion in V8 in Google Chrome prior to
+    144.0.7559.132 allowed a remote attacker to potentially exploit
+    heap corruption via a crafted HTML page.
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20260204115645891071.93181000773252/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-109">
+  <packager>letsfindaway</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for OpenBoard</summary>
+  <description>This update for OpenBoard fixes the following issues:
+
+Changes in OpenBoard:
+
+- add AppData in metainfo.xml
+- update to release version 1.7.5
+</description>
+  <package>OpenBoard</package>
+</patchinfo>

patchinfo.20260204120853139168.93181000773252/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-111">
+  <packager>eroca</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for perl-Mojolicious-Plugin-OpenAPI</summary>
+  <description>This update for perl-Mojolicious-Plugin-OpenAPI fixes the following issues:
+
+Introduce perl-Mojolicious-Plugin-OpenAPI.
+</description>
+  <package>perl-Mojolicious-Plugin-OpenAPI</package>
+</patchinfo>

patchinfo.20260204160351183292.93181000773252/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-110">
+  <issue tracker="bnc" id="1256465">Week numbers are off by one in Evolution's calendar (Year view)</issue>
+  <packager>mgorse</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for evolution</summary>
+  <description>This update for evolution fixes the following issues:
+
+Changes in evolution:
+
+- Fix incorrect week numbers in calendar year view (bsc#1256465).
+</description>
+  <package>evolution</package>
+</patchinfo>

patchinfo.20260209124750281584.93181000773252/_patchinfo

@@ -0,0 +1,141 @@
+<patchinfo>
+  <issue tracker="cve" id="2024-25569">VUL-0: CVE-2024-25569: gdcm: out-of-bounds read in the RAWCodec:DecodeBytes functionality</issue>
+  <issue tracker="cve" id="2024-22391">VUL-0: CVE-2024-22391: gdcm: heap-based buffer overflow in the LookupTable:SetLUT functionality</issue>
+  <issue tracker="cve" id="2024-22373">VUL-0: CVE-2024-22373: gdcm: out-of-bounds write in the JPEG2000Codec:DecodeByStreamsCommon functionality</issue>
+  <packager>DocB</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro</summary>
+  <description>This update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro fixes the following issues:
+
+Changes in orthanc:
+
+- dcmtk 370 breaks TW build
+
+- switch to lua 5.4
+
+- remove boost component system from framework
+
+- version 1.12.10
+  ' long changelog - see NEWS for details
+
+- Stop trying to pull libboost_system-devel in all orthanc packages.
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.12.9
+  * long changelog - see NEWS for details
+
+Changes in gdcm:
+
+- apply fix for poppler 25.10 build error
+
+Changes in orthanc-authorization:
+
+- version 0.10.3
+  * New default permissions for worklists
+  * New default permissions for tools/metrics-prometheus
+  * New default permissions for tools/generate-uid
+
+- version 0.10.2
+  * New default permissions to add/delete modalities through the Rest API
+    https://discourse.orthanc-server.org/t/managing-modalities-using-the-rest-api-and-keycloak/6137
+  * New standard configuration "stl"
+
+- remove libboost_system-devel for TW (removed in boost 1.89)-
+
+- version 0.10.1
+  * Fix audit-logs export in CSV format.
+  * New configuration "ExtraPermissions" to ADD new permissions to
+    the default "Permissions" entries.
+  * Improved handling of "Anonymous" user profiles (when no auth-tokens
+    are provided):  The plugin will now request the auth-service to
+    get an anonymous user profile even if there are no auth-tokens in the
+    HTTP request.
+  * The User profile can now contain a "groups" field if the auth-service
+    provides it.
+  * The User profile can now contain an "id" field if the auth-service
+    provides it.
+  * New experimental feature: audit-logs
+    - Enabled by the "EnableAuditLogs" configuration.
+    - Audit-logs are currently handled by the PostgreSQL plugin and can be
+      browsed through the route /auth/audit-logs.
+    - New default permission "audit-logs" to grant access to the
+      "/auth/audit-logs" route.
+  * Fix: The "server-id" field is now included in all requests sent to the
+    auth-service.
+
+Changes in orthanc-dicomweb:
+
+- version 1.22
+  * framework2.diff added for compatibilty with Orthanc framework &lt;= 1.12.10
+  * Fixed a possible deadlock when using "WadoRsLoaderThreadsCount" &gt; 1 when the HTTP
+    client disconnects while downloading the response.
+  * Fixed "Success: Success" errors when trying to send resources synchronously to a remote DICOMweb
+    server while the Orthanc job engine was busy with other tasks.
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.21
+  * New configuration "WadoRsLoaderThreadsCount" to configure how many threads are loading
+    files from the storage when answering to a WADO-RS query.  A value &gt; 1 is meaningful
+    only if the storage is a distributed network storage (e.g object storage plugin).
+    A value of 0 means reading and writing are performed in sequence (default behaviour).
+  * New configuration "EnablePerformanceLogs" to display performance logs.  Currently
+    only showing the time required to execute a WADO-RS query.  For example:
+    WADO-RS: elapsed: 26106623 us, rate: 14.86 instances/s, 155.23Mbps
+  * Fix false errors logs generated e.g when OHIF requests the /dicom-web/studies/../metadata route:
+    "dicom-web:/Configuration.cpp:643] Unsupported return MIME type: application/dicom+json, multipart/related; type=application/octet-stream; transfer-syntax=*, will return DICOM+JSON"
+
+Changes in orthanc-gdcm:
+
+- version 1.8
+  * Prevent transcoding of DICOM images with empty
+    SharedFunctionalGroupsSequence (5200,9229), as this might crash GDCM.
+  * The built-in Orthanc transcoder being usually more stable, the default
+    value of the "RestrictTransferSyntaxes" configuration has been updated
+    to configure the GDCM plugin for J2K transfer syntaxes only since these
+    transfer syntaxes are currently not supported by the built-in Orthanc
+    transcoder.
+    - If "RestrictTransferSyntaxes" is not specified in your configuration,
+      it is now equivalent to
+        "RestrictTransferSyntaxes" : [
+          "1.2.840.10008.1.2.4.90",   // JPEG 2000 Image Compression (Lossless Only)
+          "1.2.840.10008.1.2.4.91",   // JPEG 2000 Image Compression
+          "1.2.840.10008.1.2.4.92",   // JPEG 2000 Part 2 Multicomponent Image Compression (Lossless Only)
+          "1.2.840.10008.1.2.4.93"    // JPEG 2000 Part 2 Multicomponent Image Compression
+        ]
+      which was the recommended configuration.
+    - If "RestrictTransferSyntaxes" is defined but empty, the GDCM plugin will
+      now be used to transcode ALL transfer syntaxes (this was the default
+      behaviour up to version 1.7)
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.7
+  * Upgrade to GDCM 3.0.24 for static builds. Fixes:
+    - CVE-2024-22373: https://nvd.nist.gov/vuln/detail/CVE-2024-22373
+    - CVE-2024-22391: https://nvd.nist.gov/vuln/detail/CVE-2024-22391
+    - CVE-2024-25569: https://nvd.nist.gov/vuln/detail/CVE-2024-25569
+
+Changes in orthanc-indexer:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-mysql:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-neuro:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+</description>
+  <package>orthanc</package>
+  <package>gdcm</package>
+  <package>orthanc-authorization</package>
+  <package>orthanc-dicomweb</package>
+  <package>orthanc-gdcm</package>
+  <package>orthanc-indexer</package>
+  <package>orthanc-mysql</package>
+  <package>orthanc-neuro</package>
+</patchinfo>