Update submodules from pool/gn#2 and create patchinfo.20260211134802096631.255638743075857/_patchinfo

PR: products/PackageHub!400

.gitmodules

@@ -10602,10 +10602,6 @@
 	path = most
 	url = ../../pool/most
 	branch = leap-16.0
-[submodule "motif"]
-	path = motif
-	url = ../../pool/motif
-	branch = leap-16.0
 [submodule "motion"]
 	path = motion
 	url = ../../pool/motion

patchinfo.20260203120457648647.93181000773252/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-117">
+  <issue tracker="bnc" id="1257190">pdfarranger does not start, but raises RuntimeError: context has already been set</issue>
+  <packager>dgarcia</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for pdfarranger</summary>
+  <description>This update for pdfarranger fixes the following issues:
+
+Changes in pdfarranger:
+
+- Fixed compatibility with python313 (boo#1257190).
+</description>
+  <package>pdfarranger</package>
+</patchinfo>

patchinfo.20260203171624727972.93181000773252/_patchinfo

@@ -0,0 +1,92 @@
+<patchinfo incident="packagehub-118">
+  <issue tracker="bnc" id="1255366">VUL-0: CVE-2025-64702: trivy: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS</issue>
+  <issue tracker="cve" id="2025-66564">CVE-2025-66564 github.com/sigstore/timestamp-authority: Sigstore Timestamp Authority: Denial of Service via excessive OID or Content-Type header parsing</issue>
+  <issue tracker="cve" id="2025-64702">VUL-0: CVE-2025-64702: TRACKERBUG: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS</issue>
+  <packager>dirkmueller</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for trivy</summary>
+  <description>This update for trivy fixes the following issues:
+
+Changes in trivy:
+
+- Update to version 0.69.0 (bsc#1255366, CVE-2025-64702):
+  * release: v0.69.0 [main] (#9886)
+  * chore: bump trivy-checks to v2 (#9875)
+  * chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1 (#10091)
+  * fix(repo): return a nil interface for gitAuth if missing (#10097)
+  * fix(java): correctly inherit properties from parent fields for pom.xml files (#9111)
+  * fix(rust): implement version inheritance for Cargo mono repos (#10011)
+  * feat(activestate): add support ActiveState images (#10081)
+  * feat(vex): support per-repo tls configuration (#10030)
+  * refactor: allow per-request transport options override (#10083)
+  * chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#10084)
+  * chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 (#10085)
+  * fix(java): correctly propagate repositories from upper POMs to dependencies (#10077)
+  * feat(rocky): enable modular package vulnerability detection (#10069)
+  * chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 (#10079)
+  * docs: fix mistake in config file example for skip-dirs/skip-files flag (#10070)
+  * feat(report): add Trivy version to JSON output (#10065)
+  * fix(rust): add cargo workspace members glob support (#10032)
+  * feat: add AnalyzedBy field to track which analyzer detected packages (#10059)
+  * fix: use canonical SPDX license IDs from embeded licenses.json (#10053)
+  * docs: fix link to Docker Image Specification (#10057)
+  * feat(secret): add detection for Symfony default secret key (#9892)
+  * refactor(misconf): move common logic to base value and simplify typed values (#9986)
+  * fix(java): add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#9880)
+  * feat(misconf): use Terraform plan configuration to partially restore schema (#9623)
+  * feat(misconf): add action block to Terraform schema (#10035)
+  * fix(misconf): correct typos in block and attribute names (#9993)
+  * test(misconf): simplify test values using *Test helpers (#9985)
+  * fix(misconf): safely parse rotation_period in google_kms_crypto_key (#9980)
+  * feat(misconf): support for ARM resources defined as an object (#9959)
+  * feat(misconf): support for azurerm_*_web_app (#9944)
+  * test: migrate private test helpers to `export_test.go` convention (#10043)
+  * chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.6.2 (#10048)
+  * fix(secret): improve word boundary detection for Hugging Face tokens (#10046)
+  * fix(go): use ldflags version for all pseudo-versions    (#10037)
+  * chore: switch to ID from AVDID in internal and user-facing fields (#9655)
+  * refactor(misconf)!: use ID instead of AVDID for providers mapping (#9752)
+  * fix: move enum into items for array-type fields in JSON Schema (#10039)
+  * docs: fix incorrect documentation URLs (#10038)
+  * feat(sbom): exclude PEP 770 SBOMs in .dist-info/sboms/ (#10033)
+  * fix(docker): fix non-det scan results for images with embedded SBOM (#9866)
+  * chore(deps): bump the github-actions group with 11 updates (#10001)
+  * test: fix assertion after 2026 roll over (#10002)
+  * fix(vuln): skip vulns detection for CentOS Stream family without scan failure (#9964)
+  * fix(license): normalize licenses for PostAnalyzers (#9941)
+  * feat(nodejs): parse licenses from `package-lock.json` file (#9983)
+  * chore: update reference links to Go Wiki (#9987)
+  * refactor: add xslices.Map and replace lo.Map usages (#9984)
+  * fix(image): race condition in image artifact inspection (#9966)
+  * feat(flag): add JSON Schema for trivy.yaml configuration file (#9971)
+  * refactor(debian): use txtar format for test data (#9957)
+  * chore(deps): bump `golang.org/x/tools` to `v0.40.0` + `gopls` to `v0.21.0` (#9973)
+  * feat(rootio): Update trivy db to support usage of Severity from root.io feed (#9930)
+  * feat(vuln): skip vulnerability scanning for third-party packages in Debian/Ubuntu (#9932)
+  * docs: add info that `--file-pattern` flag doesn't disable default behaviuor (#9961)
+  * perf(misconf): optimize string concatenation in azure scanner (#9969)
+  * chore: add client option to install script (#9962)
+  * ci(helm): bump Trivy version to 0.68.2 for Trivy Helm Chart 0.20.1 (#9956)
+  * chore(deps): bump github.com/quic-go/quic-go from 0.54.1 to 0.57.0 (#9952)
+  * docs: update binary signature verification for sigstore bundles (#9929)
+  * chore(deps): bump alpine from `3.22.1` to `3.23.0` (#9935)
+  * chore(alpine): add EOL date for alpine 3.23 (#9934)
+  * feat(cloudformation): add support for Fn::ForEach (#9508)
+  * ci: enable `check-latest` for `setup-go` (#9931)
+  * feat(debian): detect third-party packages using maintainer list (#9917)
+  * fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file (#9924)
+  * feat(helm): add sslCertDir parameter (#9697)
+  * fix(misconf): respect .yml files when Helm charts are detected (#9912)
+  * feat(php): add support for dev dependencies in Composer (#9910)
+  * chore(deps): bump the common group across 1 directory with 9 updates (#9903)
+  * chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.1.1+incompatible in the docker group (#9859)
+  * fix: remove trailing tab in statefulset template (#9889)
+  * feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800)
+  * feat(misconf): initial ansible scanning support (#9332)
+  * feat(misconf): Update Azure Database schema (#9811)
+  * ci(helm): bump Trivy version to 0.68.1 for Trivy Helm Chart 0.20.0 (#9869)
+  * chore: update the install script (#9874)
+</description>
+  <package>trivy</package>
+</patchinfo>

patchinfo.20260204155545137018.93181000773252/_patchinfo

@@ -0,0 +1,195 @@
+<patchinfo incident="packagehub-119">
+  <issue tracker="cve" id="2025-22869"/>
+  <issue tracker="bnc" id="1248920">VUL-0: CVE-2025-58058: tailscale: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <issue tracker="cve" id="2025-58058"/>
+  <packager>rrahl0</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for tailscale</summary>
+  <description>This update for tailscale fixes the following issues:
+
+Changes in tailscale:
+
+- Update to version 1.94.0:
+  * IS SET and NOT SET have been added as device posture operators
+  * India DERP Region City Name updated
+  * Custom DERP servers support GCP Certificate Manager
+  * Tailscale SSH authentication, when successful, results in LOGIN audit
+    messages being sent to the kernel audit subsystem
+  * Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket
+    option is supported on multi-core systems
+  * Tailscale Peer Relay server handshake transmission is guarded against
+    routing loops over Tailscale
+  * MagicDNS always resolves when using resolv.conf without a DNS manager
+  * tailscaled_peer_relay_forwarded_packets_total and
+    tailscaled_peer_relay_forwarded_bytes_total client metrics are available for
+    Tailscale Peer Relays
+  * Identity tokens are automatically generated for workload identities
+  * --audience flag added to tailscale up command to support auto generation of
+    ID tokens for workload identity
+  * tsnet nodes can host Tailscale Services
+  * The tailscale lock status -json command returns tailnet key authority (TKA)
+    data in a stable format
+  * Tailscale Peer Relays deliver improved throughput through monotonic time
+    comparison optimizations and reduced lock contention
+  * Tailscale Services virtual IPs are now automatically accepted by clients
+    across all platforms regardless of the status of the --accept-routes
+    feature
+
+- Update to version 1.94.0:
+  * derp/derpserver: add a unique sender cardinality estimate
+  * syncs: add means of declare locking assumptions for debug mode
+  * cmd/k8s-operator: add support for taiscale.com/http-redirect
+  * cmd/k8s-operator fix populateTLSSecret on tests
+  * feature/posture: log method and full URL for posture identity requests
+  * k8s-operator: Fix typos in egress-pod-readiness.go
+  * cmd/tailscale,ipn: add Unix socket support for serve
+  * client/systray: change systray to start after graphical.target
+  * cmd/k8s-operator: warn if users attempt to expose a headless Service
+  * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles
+  * tsnet: ensure funnel listener cleans up after itself when closed
+  * ipn/store/kubestore: don't load write replica certs in memory
+  * tsnet: allow for automatic ID token generation
+
+- Update to version 1.92.5:
+  * types/persist: omit Persist.AttestationKey based on IsZero
+  * disable hardware attestation for kubernetes
+  * allow opting out of ACME order replace extension
+- Update to version 1.92.4:
+  * nothing of importance
+
+- Update to version 1.92.3:
+  * WireGuard configuration that occurs automatically in the client, no longer
+    results in a panic
+
+- Update to version 1.92.2:
+  * cmd/derper: add GCP Certificate Manager support
+
+- Update to version 1.92.1:
+  * fix LocalBackend deadlock when packet arrives during profile switch
+  * wgengine: fix TSMP/ICMP callback leak
+- Update to version 1.92.0:
+  * no changelog provided
+- Update to version 1.90.9:
+  * tailscaled no longer deadlocks during event bursts
+  * The client no longer hangs after wake up
+
+- Update to version 1.90.8:
+  * tka: move RemoveAll() to CompactableChonk
+- Update to version 1.90.7:
+  * wgengine/magicsock: validate endpoint.derpAddr
+  * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock
+  * net/udprelay: replace VNI pool with selection algorithm
+  * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap
+  * feature/relayserver: fix Shutdown() deadlock
+  * net/netmon: do not abandon a subscriber when exiting early
+  * tka: don't try to read AUMs which are partway through being written
+  * tka: rename a mutex to mu instead of single-letter l
+  * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable
+
+- Update to version 1.90.6:
+  * Routes no longer stall and fail to apply when updated repeatedly in a short
+    period of time
+  * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This
+    affected tailnets that use Tailscale SSH recording
+
+- Update to version 1.90.4:
+  * deadlock issue no longer occurs in the client when checking
+    for the network to be available
+  * tailscaled no longer sporadically panics when a
+    Trusted Platform Module (TPM) device is present
+
+- Update to version 1.90.3:
+  * tailscaled shuts down as expected and without panic
+  * tailscaled starts up as expected in a no router configuration environment
+
+- Update to version 1.90.2:
+  * util/linuxfw: fix 32-bit arm regression with iptables
+  * health: compare warnable codes to avoid errors on release branch
+  * feature/tpm: check TPM family data for compatibility
+
+- Upate to version 1.90.1:
+  * Clients can use configured DNS resolvers for all domains
+  * Node keys will be renewed seamlessly
+  * Unnecessary path discovery packets over DERP servers are suppressed
+  * Node key sealing is GA (generally available) and enabled by default
+
+- update to version 1.88.3:
+  * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan
+  * control/controlhttp: simplify, fix race dialing, remove priority concept
+- update to version 1.88.2:
+  * k8s-operator: reset service status before append
+- require the minimum go version directly, in comparison to using the golang(API)
+  symbol
+
+- update to version 1.88.1:
+  * Tailscale CLI prompts users to confirm impactful actions
+  * Tailscale SSH works as expected when using an IP address instead of a
+    hostname and MagicDNS is disabled
+  * fixed: Taildrive sharing when su not present
+  * Taildrive files remain consistently accessible
+  * new: Tailscale tray GUI
+  * DERP IPs changed for Singapore and Tokyo
+- Fixing CVE-2025-58058, bsc#1248920
+
+- update to version 1.86.5:
+  * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode
+- update to version 1.86.4:
+  * nothing of relevance
+- update to version 1.86.3:
+  * nothing of relevance
+
+- update to version 1.86.2:
+  * A deadlock issue that may have occurred in the client
+  * An occasional crash when establishing a new port mapping with a gateway or
+    firewall
+
+- update to version 1.86.0:
+  * tsStateEncrypted device posture attribute for checking whether the
+    Tailscale client state is encrypted at rest
+  * Cross-site request forgery (CSRF) issue that may have resulted in a log in
+    error when accessing the web interface
+  * Recommended exit node when the previously recommended exit node is offline
+  * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any
+    CLI commands track the recommended exit node and automatically switches to
+    it when available exit nodes or network conditions change
+  * tailscaled CLI command flag --encrypt-state encrypts the node state file on
+    the disk using trusted platform module (TPM)
+
+- update to 1.84.3:
+  * ipn/ipnlocal: Update hostinfo to control on service config change
+
+- update to 1.84.2:
+  * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
+    from stricter CLI arguments parsing introduced in Tailscale v1.84.0
+
+- update to 1.84.1:
+  * net/dns: cache dns.Config for reuse when compileConfig fails
+
+- update to 1.84.0:
+  * The --reason flag is added to the tailscale down command
+  * ReconnectAfter policy setting, which configures the maximum period of time
+    between a user disconnecting Tailscale and the client automatically
+    reconnecting
+  * Tailscale CLI commands throw an error if multiple of the same flag are detected
+  * Network connectivity issues when creating a new profile or switching
+    profiles while using an exit node
+  * DNS-over-TCP fallback works correctly with upstream servers reachable only
+    via the tailnet
+
+- update to 1.82.5:
+  * A panic issue related to CUBIC congestion control in userspace mode is resolved.
+
+- update to 1.82.0:
+  * DERP functionality within the client supports certificate pinning for
+    self-signed IP address certificates for those unable to use Let's Encrypt
+    or WebPKI certificates.
+  * Go is updated to version 1.24.1
+  * NAT traversal code uses the DERP connection that a packet arrived on as an
+    ultimate fallback route if no other information is available
+  * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+  * Port mapping success rate is improved
+  * Helsinki is added as a DERP region.
+</description>
+  <package>tailscale</package>
+</patchinfo>

patchinfo.20260204160233168297.93181000773252/_patchinfo

@@ -0,0 +1,202 @@
+<patchinfo incident="packagehub-121">
+  <issue tracker="bnc" id="1242186">yt-dlp is outdated</issue>
+  <packager>rrahl0</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for yt-dlp</summary>
+  <description>This update for yt-dlp fixes the following issues:
+
+Changes in yt-dlp:
+
+- Update to release 2026.01.31
+  * yt: Add `web_embedded` fallback for `android_vr` client
+  * yt: Remove broken `ios_downgraded` and `tv_embedded` player
+    clients
+
+- added quickjs recommends as a lighter alternative to deno and nodejs
+
+- Update to release 2026.01.29
+  * Accept float values for command-line option `--sleep-subtitles`
+  * Add `--format-sort-reset` option
+  * yt: Support comment subthreads
+
+- Update to release 2025.12.08
+  * cookies: Fix --cookies-from-browser for new installs of
+    Firefox 147+
+  * floatplane: add subtitle support
+  * yt: detect AI-upscaled formats
+
+- Relax JS runtime requirement from required to recommended,
+  some formats can be downloaded without either runtime.
+- Recommend nodejs as an alternative to deno
+  (Leap 15.6 has just nodejs).
+
+- Update to release 2025.11.12
+  * An external JavaScript runtime is now used for full YouTube
+    support (e.g. deno).
+
+- Use the pythons macro to reduce the amount of suse_version usage
+
+- Update to version 2025.10.22
+  * A stopgap release with a TEMPORARY partial fix for YouTube
+    support. Some formats may still be unavailable, especially if
+    cookies are passed to yt-dlp. The NEXT release, expected very
+    soon, will require an external JS runtime (e.g. Deno) in
+    order for YouTube downloads to work properly.
+  * The minimum required Python version has been raised to 3.10
+    (Python 3.9 has reached its end-of-life as of October 2025).
+
+- Update to release 2025.10.14
+  * yt: Detect experiment binding GVS PO Token to video id
+  * yt: Fix approximate timestamp extraction for feeds
+
+- Use Python 3.13 in 15.7, due to lack of 3.12
+
+- Update to release 2025.09.26
+  * twitch: vod: Fix live_status detection
+  * yt: Fix player JS overrides
+  * yt: Improve PO token logging
+  * yt: Player client maintenance
+  * yt: Replace tv_simply with web_safari in default clients
+- Fix Leap 15.6 build
+
+- Update to release 2025.09.23
+  * youtube: Force player 0004de42
+
+- Update to version 2025.09.05
+  * Fix --id deprecation warning
+  * charlierose: Fix extractor
+  * googledrive: Fix subtitles extraction
+  * itvbtcc: Fix extractor
+  * kick: vod: Support ongoing livestream VODs
+  * lrt: Fix extractors
+  * tver: Extract more metadata
+  * vevo: Restore extractors
+  * build: Overhaul Linux builds and refactor release workflow
+
+- Update to release 2025.08.27
+  * Add tcc player JS variant
+  * Deprioritize web_safari m3u8 formats
+  * Use alternative tv user-agent when authenticated
+
+- Update to release 2025.08.22
+  * cookies: Fix --cookies-from-browser with Firefox 142+
+
+- Update to release 2025.08.20
+  * Warn against use of `-f mp4`
+  * yt: Add es5 and es6 player JS variants
+  * yt: Default to main player JS variant
+  * yt: Extract title and description from initial data
+  * yt: Handle required preroll waiting period
+
+- Update to release 2025.08.11
+  * yt: Add player params to mweb client
+  * dash: Re-extract if using --load-info-json with
+    --live-from-start
+
+- Update to release 2025.07.21
+  * Default behaviour changed from --mtime to --no-mtime
+  * yt: Do not require PO Token for premium accounts
+  * yt: Extract global nsig helper functions
+  * yt: tab: Fix subscriptions feed extraction
+
+- Update to release 2025.06.30
+  * youtube: Fix premium formats extraction
+
+- Update to release 2025.06.25
+  * yt: Check any ios m3u8 formats prior to download
+  * yt: Improve player context payloads
+
+- Update to release 2025.06.09
+  * adobepass: add Fubo MSO, fix Philo MSO authentication
+  * yt: Add tv_simply player client
+  * yt: Extract srt subtitles
+  * yt: Rework nsig function name extraction
+
+- Update to release 2025.05.22
+  * yt: Add PO token support for subtitles
+  * yt: Add web_embedded client for age-restricted videos
+  * yt: Add a PO Token Provider Framework
+  * yt: Extract media_type for all videos
+  * yt: Fix --live-from-start support for premieres
+  * yt: Fix geo-restriction error handling
+
+- Update to release 2025.04.30 [boo#1242186]
+  * New option --preset-alias/-t has been added
+
+- Update to release 2025.03.31
+  * yt: add player_js_variant extractor-arg
+  * yt/tab: Fix playlist continuation extraction
+
+- Update to release 2025.03.27
+  * youtube: Make signature and nsig extraction more robust
+
+- Update to release 2025.03.26
+  * youtube: fix signature and nsig extraction for player 4fcd6e4a
+
+- Update to release 2025.03.21
+  * Fix external downloader availability when using
+    ``--ffmpeg-location``
+  * youtube: fix nsig and signature extraction for player 643afba4.
+
+- Require same version between yt-dlp -&gt; python-yt-dlp
+
+- Update to release 2025.02.19
+  * NSIG workaround for tce player JS
+
+- Update to release 2025.01.26
+  * bilibili: Support space video list extraction without login
+  * crunchyroll: Remove extractors
+  * youtube: Download tv client Innertube config
+  * youtube: Use different PO token for GVS and Player
+
+- Update to release 2025.01.15
+  * youtube: Do not use web_creator as a default client
+
+- Update to release 2025.01.12
+  * yt: fix DASH formats incorrectly skipped in some situations
+  * yt: refactor cookie auth
+
+- Fix 15.6 build
+
+- Update to release 2024.12.23
+  * yt: add age-gate workaround for some embeddable videos
+
+- Update to release 2024.12.13
+  * yt: fix signature function extraction for 2f1832d2
+  * yt: prioritize original language over auto-dubbed audio
+
+- Update to release 2024.12.06
+  * yt: fix ``n`` sig extraction for player 3bb1f723
+  * yt: fix signature function extraction
+  * yt: player client maintenance
+
+- Update to release 2024.12.03
+  * bilibili: Always try to extract HD formats
+  * youtube: Adjust player clients for site changes
+
+- Update to release 2024.11.18
+  * cloudflarestream: Avoid extraction via videodelivery.net
+  * youtube: remove broken OAuth support
+
+- Update to release 2024.11.04
+  * Prioritize AV1
+  * Remove Python &lt;= 3.8 support
+  * youtube: Adjust OAuth refresh token handling
+
+- Update to release 2024.10.22
+  * yt: Remove broken android_producer client
+  * yt: Remove broken age-restriction workaround
+  * yt: Support logging in with OAuth
+
+- Update to release 2024.10.07
+  * Fix cookie load error handling
+  * youtube: Change default player clients to ios,mweb
+  * patreon: Extract all m3u8 formats for locked posts
+
+- Update to release 2024.09.27
+  * Support excluding player_clients in extractor-arg
+  * clip: Prioritize https formats
+</description>
+  <package>yt-dlp</package>
+</patchinfo>

patchinfo.20260209213841964623.93181000773252/_patchinfo

@@ -0,0 +1,230 @@
+<patchinfo incident="packagehub-120">
+  <issue tracker="cve" id="2024-22391">VUL-0: CVE-2024-22391: gdcm: heap-based buffer overflow in the LookupTable:SetLUT functionality</issue>
+  <issue tracker="cve" id="2024-22373">VUL-0: CVE-2024-22373: gdcm: out-of-bounds write in the JPEG2000Codec:DecodeByStreamsCommon functionality</issue>
+  <issue tracker="cve" id="2024-25569">VUL-0: CVE-2024-25569: gdcm: out-of-bounds read in the RAWCodec:DecodeBytes functionality</issue>
+  <packager>DocB</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia, orthanc-wsi, python-pyorthanc</summary>
+  <description>This update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia, orthanc-wsi, python-pyorthanc fixes the following issues:
+
+Changes in orthanc:
+
+- dcmtk 370 breaks TW build
+
+- switch to lua 5.4
+
+- patch out boost component system from framework
+
+- version 1.12.10
+  ' long changelog - see NEWS for details
+
+- apply boost patch to source tree
+
+- Stop trying to pull libboost_system-devel in all orthanc packages.
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.12.9
+  * long changelog - see NEWS for details
+
+Changes in gdcm:
+
+- apply fix for poppler 25.10 build error
+
+Changes in orthanc-authorization:
+
+- version 0.10.3
+  * New default permissions for worklists
+  * New default permissions for tools/metrics-prometheus
+  * New default permissions for tools/generate-uid
+
+- version 0.10.2
+  * New default permissions to add/delete modalities through the Rest API
+    https://discourse.orthanc-server.org/t/managing-modalities-using-the-rest-api-and-keycloak/6137
+  * New standard configuration "stl"
+
+- remove libboost_system-devel for TW (removed in boost 1.89)-
+
+- version 0.10.1
+  * Fix audit-logs export in CSV format.
+  * New configuration "ExtraPermissions" to ADD new permissions to
+    the default "Permissions" entries.
+  * Improved handling of "Anonymous" user profiles (when no auth-tokens
+    are provided):  The plugin will now request the auth-service to
+    get an anonymous user profile even if there are no auth-tokens in the
+    HTTP request.
+  * The User profile can now contain a "groups" field if the auth-service
+    provides it.
+  * The User profile can now contain an "id" field if the auth-service
+    provides it.
+  * New experimental feature: audit-logs
+    - Enabled by the "EnableAuditLogs" configuration.
+    - Audit-logs are currently handled by the PostgreSQL plugin and can be
+      browsed through the route /auth/audit-logs.
+    - New default permission "audit-logs" to grant access to the
+      "/auth/audit-logs" route.
+  * Fix: The "server-id" field is now included in all requests sent to the
+    auth-service.
+
+Changes in orthanc-dicomweb:
+
+- version 1.22
+  * framework2.diff added for compatibilty with Orthanc framework &lt;= 1.12.10
+  * Fixed a possible deadlock when using "WadoRsLoaderThreadsCount" &gt; 1 when the HTTP
+    client disconnects while downloading the response.
+  * Fixed "Success: Success" errors when trying to send resources synchronously to a remote DICOMweb
+    server while the Orthanc job engine was busy with other tasks.
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.21
+  * New configuration "WadoRsLoaderThreadsCount" to configure how many threads are loading
+    files from the storage when answering to a WADO-RS query.  A value &gt; 1 is meaningful
+    only if the storage is a distributed network storage (e.g object storage plugin).
+    A value of 0 means reading and writing are performed in sequence (default behaviour).
+  * New configuration "EnablePerformanceLogs" to display performance logs.  Currently
+    only showing the time required to execute a WADO-RS query.  For example:
+    WADO-RS: elapsed: 26106623 us, rate: 14.86 instances/s, 155.23Mbps
+  * Fix false errors logs generated e.g when OHIF requests the /dicom-web/studies/../metadata route:
+    "dicom-web:/Configuration.cpp:643] Unsupported return MIME type: application/dicom+json, multipart/related; type=application/octet-stream; transfer-syntax=*, will return DICOM+JSON"
+
+Changes in orthanc-gdcm:
+
+- version 1.8
+  * Prevent transcoding of DICOM images with empty
+    SharedFunctionalGroupsSequence (5200,9229), as this might crash GDCM.
+  * The built-in Orthanc transcoder being usually more stable, the default
+    value of the "RestrictTransferSyntaxes" configuration has been updated
+    to configure the GDCM plugin for J2K transfer syntaxes only since these
+    transfer syntaxes are currently not supported by the built-in Orthanc
+    transcoder.
+    - If "RestrictTransferSyntaxes" is not specified in your configuration,
+      it is now equivalent to
+        "RestrictTransferSyntaxes" : [
+          "1.2.840.10008.1.2.4.90",   // JPEG 2000 Image Compression (Lossless Only)
+          "1.2.840.10008.1.2.4.91",   // JPEG 2000 Image Compression
+          "1.2.840.10008.1.2.4.92",   // JPEG 2000 Part 2 Multicomponent Image Compression (Lossless Only)
+          "1.2.840.10008.1.2.4.93"    // JPEG 2000 Part 2 Multicomponent Image Compression
+        ]
+      which was the recommended configuration.
+    - If "RestrictTransferSyntaxes" is defined but empty, the GDCM plugin will
+      now be used to transcode ALL transfer syntaxes (this was the default
+      behaviour up to version 1.7)
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.7
+  * Upgrade to GDCM 3.0.24 for static builds. Fixes:
+    - CVE-2024-22373: https://nvd.nist.gov/vuln/detail/CVE-2024-22373
+    - CVE-2024-22391: https://nvd.nist.gov/vuln/detail/CVE-2024-22391
+    - CVE-2024-25569: https://nvd.nist.gov/vuln/detail/CVE-2024-25569
+
+Changes in orthanc-indexer:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-mysql:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-neuro:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-postgresql:
+
+- version 10.0
+  * update mainly providing new Reserve and Acknowledge primitives
+    for Queues in plugins
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 9.0
+  * DB-scheme rev. 6 - check Orthanc book
+
+- version 8.0
+  * no changelog provided
+  * New DB scheme
+
+Changes in orthanc-python:
+
+- version 7.0
+  * The "orthanc.pyi" stub is now excluded from the "install" step during the build
+  * Wrapped new SCP callbacks:
+    - RegisterFindCallback2()
+    - RegisterMoveCallback3()
+    - RegisterWorklistCallback2()
+    - RegisterStorageCommitmentScpCallback2()
+  * Wrapped new Queues methods:
+    - ReserveQueueValue()
+    - AcknowledgeQueueValue()
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- remove /usr/orthanc.pyi - unneeded
+
+- version 6.0
+  * The auto-generation of the Python wrapper is now part of the build,
+    to exploit the ORTHANC_PLUGIN_SINCE_SDK macro. This provides backward
+    compatibility with the SDK that is actually installed on the system
+  * Added Windows builder for Python 3.13
+  * Added Docker-based builder scripts for Debian 13 (trixie)
+
+Changes in orthanc-stl:
+
+- patch out libboost-system to fix build error
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-tcia:
+
+- version 1.3
+  * Replaced default base URL of TCIA REST API from
+    "https://services.cancerimagingarchive.net/services/v4/TCIA/query" to
+    "https://nbia.cancerimagingarchive.net/nbia-api/services/v4"
+  * Added configuration option "BaseUrl" to manually configure the base URL
+  * Fix for newer versions of the NBIA cart file format
+  * Upgrade to Orthanc framework 1.12.3
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-wsi:
+
+- fix build error w framework 1.12.10
+
+- version 3.3
+  * OrthancWSIDicomizer:
+    - New option "--encoding" to specify the specific character set of DICOM instances
+    - Placeholder tags are now automatically inserted when the "--dataset" option
+      provides incomplete data, ensuring the generated DICOM instances remain valid
+    - The version of the DICOM-izer is available in DICOM tag "SoftwareVersions"
+    - ImagedVolumeWidth and ImagedVolumeHeight are swapped with respect to releases &lt;= 3.2:
+      https://discourse.orthanc-server.org/t/5912
+  * Viewer plugin:
+    - Added rotation button in the viewer
+    - The viewer displays a label if the "description" GET parameter is provided
+    - Upgraded to OpenLayers 10.6.1
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in python-pyorthanc:
+
+- version 1.22.1
+  * no changelog provided
+</description>
+  <package>orthanc</package>
+  <package>gdcm</package>
+  <package>orthanc-authorization</package>
+  <package>orthanc-dicomweb</package>
+  <package>orthanc-gdcm</package>
+  <package>orthanc-indexer</package>
+  <package>orthanc-mysql</package>
+  <package>orthanc-neuro</package>
+  <package>orthanc-postgresql</package>
+  <package>orthanc-python</package>
+  <package>orthanc-stl</package>
+  <package>orthanc-tcia</package>
+  <package>orthanc-wsi</package>
+  <package>python-pyorthanc</package>
+</patchinfo>

patchinfo.20260211132658114505.255638743075857/_patchinfo

@@ -1,11 +0,0 @@
-<patchinfo>
-  <packager>eroca</packager>
-  <rating>moderate</rating>
-  <category>recommended</category>
-  <summary>Recommended update for motif</summary>
-  <description>This update for motif fixes the following issues:
-
-Introduce motif.
-</description>
-  <package>motif</package>
-</patchinfo>

patchinfo.20260211134802096631.255638743075857/_patchinfo

@@ -0,0 +1,71 @@
+<patchinfo>
+  <packager>oertel</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for gn</summary>
+  <description>This update for gn fixes the following issues:
+
+Changes in gn:
+
+- Update to version 0.20251217:
+  * Fix sha2 on big endian
+  * [Windows] Reduce the number of worker threads on many-core machines
+  * Add a sha256 hash implementation and use it for string_hash
+  * Opt-in to the Windows SegmentHeap
+  * Add a `module_name` flag to source_set.
+  * Refactor module name to be dynamic.
+  * Optimize vector creation in compile_commands_writer.cc.
+  * Run 'tools/run_formatter.sh'
+  * Implement `string_hash` function.
+  * Support weak_libraries
+  * Do not add .inputdeps paths to --ninja-outputs-file
+  * Make clang modules output -fmodule-file=foo=&lt;pcm&gt;.
+  * infra: Revert CIPD autoconf
+  * infra: Include autoconf bin directory to PATH
+  * infra: Fix autoconf executable path
+  * infra: Use CIPD autoconf
+  * Allow led access in GN via http://go/ciba
+  * Revert "Build non-linkable deps async with Ninja's validaitons"
+  * Upgrade linux bots from ubuntu 22.04 to ubuntu 24.04
+  * Use unordered_map instead of map in HeaderChecker
+  * Add --file_relation to gn refs command
+  * Optimize vector initialization and preallocation in desc_builder.cc.
+  * Add `reserve` statement when vector size is known beforehand.
+  * Refactor container update by preferring the range insert.
+  * Handle symlinked directories correctly during gn clean on Windows.
+  * Fix relative imports from args.gn.
+
+- Update to version 0.20250918:
+  * update reference.md
+  * Include -fmodule-file flags in compile_commands.json
+  * Refactor C++ module dependency logic into a new utility
+  * Gitiles navigation bar
+  * Adds a len() function
+  * Avoid clashes of include_dir in rust-project.json.
+  * Check all targets to find duplicated outputs.
+  * infra/config: Remove luci.recipes.use_python3 experiment
+  * Handle empty outputs in WriteInputDepsStampOrPhonyAndGetDep
+  * build: Propagate module dependencies through group targets
+  * Deduplicate item in 'deps', 'sources' and related lists
+  * infra: Update comment for macOS version used in CQ/CI
+  * [Apple] Allow passing a manifest to the post-processing script
+  * Update link to buganizer in README.md
+  * [Apple] Fix `gn gen` when using swift and no_stamp_files
+  * [Apple] Remove deprecated aliases for `post_processing_$var`
+  * Revert "Allow newline in string literal"
+  * Use std::ranges::all_of in parse_tree_unittest
+  * infra: Correctly use macOS 13 instead of 11
+  * Update Xcode and macOS version in bots
+  * infra: Add shadow buckets to trigger led job
+  * Allow newline in string literal
+  * Revert "Update macOS version to 13 used in CQ/CI"
+  * Update macOS version to 13 used in CQ/CI
+  * Refactor command_format.cc
+  * Shorten targets from //path/to/foo:foo to //path/to/foo
+  * Modernize and improve parse_tree.cc
+  * Auto-format the codebase
+  * Remove hardcoded -fmodules-embed-all-files flag
+  * Reland "Use JSON escaping for JSON string output"
+</description>
+  <package>gn</package>
+</patchinfo>