Update submodules from pool/helmfile#6 and create patchinfo.20260121120556714095.93181000773252/_patchinfo

PR: products/PackageHub!340

patchinfo.20260120154940279982.93181000773252/_patchinfo

@@ -0,0 +1,222 @@
+<patchinfo incident="packagehub-87">
+  <issue tracker="cve" id="2025-68156"/>
+  <issue tracker="cve" id="2025-68161"/>
+  <issue tracker="cve" id="2024-51744"/>
+  <issue tracker="bnc" id="1239728">VUL-0: CVE-2025-29786: coredns: github.com/expr-lang/expr: memory exhaustion when unbounded input string is processed by Expr expression parser</issue>
+  <issue tracker="bnc" id="1256411">VUL-0: CVE-2025-68151: coredns: coredns: lack of resource-limiting controls in multiple CoreDNS server implementations allows an unauthenticated remote attacker to exhaust memory and crash the server</issue>
+  <issue tracker="bnc" id="1239294">VUL-0: CVE-2025-22868: coredns: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2</issue>
+  <issue tracker="cve" id="2025-58063"/>
+  <issue tracker="bnc" id="1249389">VUL-0: CVE-2025-58063: coredns: CoreDNS Lease ID Confusion</issue>
+  <issue tracker="bnc" id="1255345">VUL-0: CVE-2025-68156: coredns: github.com/expr-lang/expr/builtin: uncontrolled recursion in expression evaluation can cause a denial of service</issue>
+  <packager>amanzini</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for coredns</summary>
+  <description>This update for coredns fixes the following issues:
+
+Changes in coredns:
+
+- fix CVE-2025-68156 bsc#1255345
+- fix CVE-2025-68161 bsc#1256411
+- Update to version 1.14.0:
+  * core: Fix gosec G115 integer overflow warnings
+  * core: Add regex length limit
+  * plugin/azure: Fix slice init length
+  * plugin/errors: Add optional show_first flag to consolidate directive
+  * plugin/file: Fix for misleading SOA parser warnings
+  * plugin/kubernetes: Rate limits to api server
+  * plugin/metrics: Implement plugin chain tracking
+  * plugin/sign: Report parser err before missing SOA
+  * build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7
+
+- Update to version 1.13.2:
+  * core: Add basic support for DoH3
+  * core: Avoid proxy unnecessary alloc in Yield
+  * core: Fix usage of sync.Pool to save an alloc
+  * core: Fix data race with sync.RWMutex for uniq
+  * core: Prevent QUIC reload panic by lazily initializing the listener
+  * core: Refactor/use reflect.TypeFor
+  * plugin/auto: Limit regex length
+  * plugin/cache: Remove superfluous allocations in item.toMsg
+  * plugin/cache: Isolate metadata in prefetch goroutine
+  * plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil
+    packages
+  * plugin/dnstap: Better error handling (redial &amp; logging) when Dnstap is busy
+  * plugin/file: Performance finetuning
+  * plugin/forward: Disallow NOERROR in failover
+  * plugin/forward: Added support for per-nameserver TLS SNI
+  * plugin/forward: Prevent busy loop on connection err
+  * plugin/forward: Add max connect attempts knob
+  * plugin/geoip: Add ASN schema support
+  * plugin/geoip: Add support for subdivisions
+  * plugin/kubernetes: Fix kubernetes plugin logging
+  * plugin/multisocket: Cap num sockets to prevent OOM
+  * plugin/nomad: Support service filtering
+  * plugin/rewrite: Pre-compile CNAME rewrite regexp
+  * plugin/secondary: Fix reload causing secondary plugin goroutine to leak
+
+- Update to version 1.13.1:
+  * core: Avoid string concatenation in loops
+  * core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes
+  * plugin/sign: Reject invalid UTF‑8 dbfile token
+
+- Update to version 1.13.0:
+  * core: Export timeout values in dnsserver.Server
+  * core: Fix Corefile infinite loop on unclosed braces
+  * core: Fix Corefile related import cycle issue
+  * core: Normalize panics on invalid origins
+  * core: Rely on dns.Server.ShutdownContext to gracefully stop
+  * plugin/dnstap: Add bounds for plugin args
+  * plugin/file: Fix data race in tree Elem.Name
+  * plugin/forward: No failover to next upstream when receiving SERVFAIL or
+    REFUSED response codes
+  * plugin/grpc: Enforce DNS message size limits
+  * plugin/loop: Prevent panic when ListenHosts is empty
+  * plugin/loop: Avoid panic on invalid server block
+  * plugin/nomad: Add a Nomad plugin
+  * plugin/reload: Prevent SIGTERM/reload deadlock
+
+- fix CVE-2025-58063 bsc#1249389
+- Update to version 1.12.4:
+  * bump deps
+  * fix(transfer): goroutine leak on axfr err (#7516)
+  * plugin/etcd: fix import order for ttl test (#7515)
+  * fix(grpc): check proxy list length in policies (#7512)
+  * fix(https): propagate HTTP request context (#7491)
+  * fix(plugin): guard nil lookups across plugins (#7494)
+  * lint: add missing prealloc to backend lookup test (#7510)
+  * fix(grpc): span leak on error attempt (#7487)
+  * test(plugin): improve backend lookup coverage (#7496)
+  * lint: enable prealloc (#7493)
+  * lint: enable durationcheck (#7492)
+  * Add Sophotech to adopters list (#7495)
+  * plugin: Use %w to wrap user error (#7489)
+  * fix(metrics): add timeouts to metrics HTTP server (#7469)
+  * chore(ci): restrict token permissions (#7470)
+  * chore(ci): pin workflow dependencies (#7471)
+  * fix(forward): use netip package for parsing (#7472)
+  * test(plugin): improve test coverage for pprof (#7473)
+  * build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)
+  * plugin/file: fix label offset problem in ClosestEncloser (#7465)
+  * feat(trace): migrate dd-trace-go v1 to v2 (#7466)
+  * test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)
+  * chore: update Go version to 1.24.6 (#7437)
+  * plugin/header: Remove deprecated syntax (#7436)
+  * plugin/loadbalance: support prefer option (#7433)
+  * Improve caddy.GracefulServer conformance checks (#7416)
+
+- Update to version 1.12.3:
+  * chore: Minor changes to `Dockerfile` (#7428)
+  * Properly create hostname from IPv6 (#7431)
+  * Bump deps
+  * fix: handle cached connection closure in forward plugin (#7427)
+  * plugin/test: fix TXT record comparison for multi-chunk vs multiple records
+  * plugin/file: preserve case in SRV record names and targets per RFC 6763
+  * fix(auto/file): return REFUSED when no next plugin is available (#7381)
+  * Port to AWS Go SDK v2 (#6588)
+  * fix(cache): data race when refreshing cached messages (#7398)
+  * fix(cache): data race when updating the TTL of cached messages (#7397)
+  * chore: fix docs incompatibility (#7390)
+  * plugin/rewrite: Add EDNS0 Unset Action (#7380)
+  * add args: startup_timeout for kubernetes plugin (#7068)
+  * [plugin/cache] create a copy of a response to ensure original data is never
+     modified
+  * Add support for fallthrough to the grpc plugin (#7359)
+  * view: Add IPv6 example match (#7355)
+  * chore: enable more rules from revive (#7352)
+  * chore: enable early-return and superfluous-else from revive (#7129)
+  * test(plugin): improve tests for auto (#7348)
+  * fix(proxy): flaky dial tests (#7349)
+  * test: add t.Helper() calls to test helper functions (#7351)
+  * fix(kubernetes): multicluster DNS race condition (#7350)
+  * lint: enable wastedassign linter (#7340)
+  * test(plugin): add tests for any (#7341)
+  * Actually invoke make release -f Makefile.release during test (#7338)
+  * Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)
+  * lint: enable protogetter linter (#7336)
+  * lint: enable nolintlint linter (#7332)
+  * fix: missing intrange lint fix (#7333)
+  * perf(kubernetes): optimize AutoPath slice allocation (#7323)
+  * lint: enable intrange linter (#7331)
+  * feat(plugin/file): fallthrough (#7327)
+  * lint: enable canonicalheader linter (#7330)
+  * fix(proxy): avoid Dial hang after Transport stopped (#7321)
+  * test(plugin): add tests for pkg/rand (#7320)
+  * test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)
+  * fix: loop variable capture and linter (#7328)
+  * lint: enable usetesting linter (#7322)
+  * test: skip certain network-specific tests on non-Linux (#7318)
+  * test(dnsserver): improve core/dnsserver test coverage (#7317)
+  * fix(metrics): preserve request size from plugins (#7313)
+  * fix: ensure DNS query name reset in plugin.NS error path (#7142)
+  * feat: enable plugins via environment during build (#7310)
+  * fix(plugin/bind): remove zone for link-local IPv4 (#7295)
+  * test(request): improve coverage across package (#7307)
+  * test(coremain): Add unit tests (#7308)
+  * ci(test-e2e): add Go version setup to workflow (#7309)
+  * kubernetes: add multicluster support (#7266)
+  * chore: Add new maintainer thevilledev (#7298)
+  * Update golangci-lint (#7294)
+  * feat: limit concurrent DoQ streams and goroutines (#7296)
+  * docs: add man page for multisocket plugin (#7297)
+  * Prepare for the k8s api upgrade (#7293)
+  * fix(rewrite): truncated upstream response (#7277)
+  * fix(plugin/secondary): make transfer property mandatory (#7249)
+  * plugin/bind: remove macOS bug mention in docs (#7250)
+  * Remove `?bla=foo:443` for `POST` DoH (#7257)
+  * Do not interrupt querying readiness probes for plugins (#6975)
+  * Added `SetProxyOptions` function for `forward` plugin (#7229)
+
+-  Backported quic-go PR #5094: Fix parsing of ifindex from packets
+   to ensure compatibility with big-endian architectures
+   (see quic-go/quic-go#4978, coredns/coredns#6682).
+
+- Update to version 1.12.1:
+  * core: Increase CNAME lookup limit from 7 to 10 (#7153)
+  * plugin/kubernetes: Fix handling of pods having DeletionTimestamp set
+  * plugin/kubernetes: Revert "only create PTR records for endpoints with
+    hostname defined"
+  * plugin/forward: added option failfast_all_unhealthy_upstreams to return
+    servfail if all upstreams are down
+  * bump dependencies, fixing bsc#1239294 and bsc#1239728
+
+- Update to version 1.12.0:
+  * New multisocket plugin - allows CoreDNS to listen on multiple sockets
+  * bump deps
+
+- Update to version 1.11.4:
+  * forward plugin: new option next, to try alternate upstreams when receiving
+    specified response codes upstreams on (functions like the external plugin
+    alternate)
+  * dnssec plugin: new option to load keys from AWS Secrets Manager
+  * rewrite plugin: new option to revert EDNS0 option rewrites in responses
+
+- Update to version 1.11.3+git129.387f34d:
+  * fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991)
+    build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)
+  * core: set cache-control max-age as integer, not float (#6764)
+  * Issue-6671: Fixed the order of plugins. (#6729)
+  * `root`: explicit mark `dnssec` support (#6753)
+  * feat: dnssec load keys from AWS Secrets Manager (#6618)
+  * fuzzing: fix broken oss-fuzz build (#6880)
+  * Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)
+  * Update .go-version to 1.23.2 (#6920)
+  * plugin/rewrite: Add "revert" parameter for EDNS0 options (#6893)
+  * Added OpenSSF Scorecard Badge (#6738)
+  * fix(cwd): Restored backwards compatibility of Current Workdir (#6731)
+  * fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)
+  * feature: log queue and buffer memory size configuration (#6591)
+  * plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)
+  * only create PTR records for endpoints with hostname defined (#6898)
+  * fix: reverter should execute the reversion in reversed order (#6872)
+  * plugin/etcd: fix etcd connection leakage when reload (#6646)
+  * kubernetes: Add useragent (#6484)
+  * Update build (#6836)
+  * Update grpc library use (#6826)
+  * Bump go version from 1.21.11 to 1.21.12 (#6800)
+  * Upgrade antonmedv/expr to expr-lang/expr (#6814)
+  * hosts: add hostsfile as label for coredns_hosts_entries (#6801)
+  * fix TestCorefile1 panic for nil handling (#6802)
+</description>
+  <package>coredns</package>
+</patchinfo>

patchinfo.20260121120556714095.93181000773252/_patchinfo

@@ -0,0 +1,132 @@
+<patchinfo>
+  <packager>manfred-h</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for helmfile</summary>
+  <description>This update for helmfile fixes the following issues:
+
+Changes in helmfile:
+
+- Update to version 1.2.3:
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.32.2 to 1.32.3 by @dependabot[bot] in #2308
+  * build(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
+    by @dependabot[bot] in #2310
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.92.1 to 1.93.0 by @dependabot[bot] in #2307
+  * Add parameter to render helmfile as go template without .gotmpl
+    extension by @ronaldour in #2312
+  * build(deps): bump golang.org/x/sync from 0.18.0 to 0.19.0 by
+    @dependabot[bot] in #2315
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.93.0 to 1.93.2 by @dependabot[bot] in #2323
+  * build(deps): bump k8s.io/apimachinery from 0.34.2 to 0.34.3
+    by @dependabot[bot] in #2322
+  * build(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 by
+    @dependabot[bot] in #2317
+  * build(deps): bump k8s.io/client-go from 0.34.2 to 0.34.3 by
+    @dependabot[bot] in #2321
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.32.3 to 1.32.5 by @dependabot[bot] in #2320
+  * build(deps): bump helm.sh/helm/v3 from 3.19.2 to 3.19.3 by
+    @dependabot[bot] in #2325
+  * build(deps): bump helm.sh/helm/v4 from 4.0.1 to 4.0.2 by
+    @dependabot[bot] in #2326
+  * build(deps): bump actions/upload-artifact from 5 to 6 by
+    @dependabot[bot] in #2331
+  * build(deps): bump helm.sh/helm/v3 from 3.19.3 to 3.19.4 by
+    @dependabot[bot] in #2328
+  * build(deps): bump actions/download-artifact from 6 to 7 by
+    @dependabot[bot] in #2332
+  * build(deps): bump dessant/lock-threads from 5 to 6 by
+    @dependabot[bot] in #2330
+  * build(deps): bump helm.sh/helm/v4 from 4.0.3 to 4.0.4 by
+    @dependabot[bot] in #2329
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3
+    from 1.93.2 to 1.94.0 by @dependabot[bot] in #2333
+  * bump helm version to 4.0.4 by @yxxhero in #2335
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.32.5 to 1.32.6 by @dependabot[bot] in #2336
+  * build(deps): bump github.com/zclconf/go-cty-yaml from 1.1.0
+    to 1.2.0 by @dependabot[bot] in #2340
+  * build(deps): bump k8s.io/client-go from 0.34.3 to 0.35.0 by
+    @dependabot[bot] in #2338
+  * fix: rewrite relative file:// chart dependencies to absolute
+    paths by @sstarcher in #2334
+
+- Update to version 1.2.2:
+  * Fix AWS SDK debug logging by making it configurable (issue
+    #2270) by @aditmeno in #2290
+  * test: add integration test for issue #2291 (CRD preservation
+    with strategicMergePatches) by @aditmeno in #2292
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.32.1 to 1.32.2 by @dependabot[bot] in #2300
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3
+    from 1.92.0 to 1.92.1 by @dependabot[bot] in #2299
+  * fix: resolve issues #2295, #2296, and #2297 by @aditmeno
+    in #2298
+  * build(deps): update Helm v4 to 4.0.1 and helm-secrets to
+    4.7.4 by @aditmeno in #2304
+  * feat: add print-env command by @dschmidt in #2279
+
+- Update to version 1.2.1:
+  * build(deps): bump azure/setup-helm from 4.3.0 to 4.3.1 by
+    @dependabot[bot] in #2274
+  * build(deps): bump github.com/helmfile/vals from 0.42.4 to
+    0.42.5 by @dependabot[bot] in #2272
+  * build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0
+    by @dependabot[bot] in #2277
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.90.2 to 1.91.1 by @dependabot[bot] in #2284
+  * Fix four critical issues: environment merging, kubeVersion
+    detection, lookup() with kustomize, and Helm 4 color flags by
+    @aditmeno in #2276
+  * build(deps): bump go.uber.org/zap from 1.27.0 to 1.27.1 by
+    @dependabot[bot] in #2283
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.31.20 to 1.32.0 by @dependabot[bot] in #2282
+  * build(deps): bump actions/checkout from 5 to 6 by
+    @dependabot[bot] in #2287
+  * build(deps): bump k8s.io/client-go from 0.34.1 to 0.34.2 by
+    @dependabot[bot] in #2285
+  * Fix four critical bugs: array merging (#2281), AWS SDK logging
+    (#2270), helmDefaults skip flags (#2269), and OCI chart versions
+    (#2247) by @aditmeno in #2288
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.91.1 to 1.92.0 by @dependabot[bot] in #2286
+
+- Update to version 1.2.0:
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.31.15 to 1.31.16 by @dependabot[bot] in #2242
+  * build(deps): bump github.com/hashicorp/go-getter from 1.8.2
+    to 1.8.3 by @dependabot[bot] in #2241
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.89.0 to 1.89.1 by @dependabot[bot] in #2240
+  * build(deps): bump github.com/containerd/containerd from 1.7.28
+    to 1.7.29 by @dependabot[bot] in #2249
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.89.1 to 1.90.0 by @dependabot[bot] in #2248
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.31.16 to 1.31.17 by @dependabot[bot] in #2245
+  * build(deps): bump golang.org/x/sync from 0.17.0 to 0.18.0 by
+    @dependabot[bot] in #2251
+  * build(deps): bump golangci/golangci-lint-action from 8 to 9 by
+    @dependabot[bot] in #2250
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.31.17 to 1.31.18 by @dependabot[bot] in #2253
+  * build(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 by
+    @dependabot[bot] in #2256
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.31.18 to 1.31.20 by @dependabot[bot] in #2259
+  * perf(app): Parallelize helmfile.d rendering and eliminate chdir
+    race conditions by @aditmeno in #2261
+  * build(deps): bump k8s.io/apimachinery from 0.34.1 to 0.34.2 by
+    @dependabot[bot] in #2264
+  * Issue-1883 fix by @zhaque44 in #2058
+  * feat: add Helm 4 support while maintaining Helm 3 compatibility
+    by @aditmeno in #2262
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.90.0 to 1.90.2 by @dependabot[bot] in #2258
+</description>
+  <package>helmfile</package>
+</patchinfo>