Update patchinfo incident numbers [skip actions]

PR: products/PackageHub!338

.gitmodules

@@ -290,6 +290,10 @@
 	path = PrusaSlicer
 	url = ../../pool/PrusaSlicer
 	branch = leap-16.0
+[submodule "dehydrated"]
+	path = dehydrated
+	url = ../../pool/dehydrated
+	branch = leap-16.0
 [submodule "QR-Code-generator"]
 	path = QR-Code-generator
 	url = ../../pool/QR-Code-generator
@@ -17350,6 +17354,10 @@
 	path = rasqal
 	url = ../../pool/rasqal
 	branch = leap-16.0
+[submodule "rawtherapee"]
+	path = rawtherapee
+	url = ../../pool/rawtherapee
+	branch = leap-16.0
 [submodule "raw-thumbnailer"]
 	path = raw-thumbnailer
 	url = ../../pool/raw-thumbnailer
@@ -17562,10 +17570,6 @@
 	path = rlwrap
 	url = ../../pool/rlwrap
 	branch = leap-16.0
-[submodule "rmt-server"]
-	path = rmt-server
-	url = ../../pool/rmt-server
-	branch = leap-16.0
 [submodule "rmw"]
 	path = rmw
 	url = ../../pool/rmw
@@ -26134,3 +26138,107 @@
 	path = python-pyRFC3339
 	url = ../../pool/python-pyRFC3339
 	branch = leap-16.0
+[submodule "certbot-systemd-timer"]
+	path = certbot-systemd-timer
+	url = ../../pool/certbot-systemd-timer
+	branch = leap-16.0
+[submodule "python-augeas"]
+	path = python-augeas
+	url = ../../pool/python-augeas
+	branch = leap-16.0
+[submodule "python-bson"]
+	path = python-bson
+	url = ../../pool/python-bson
+	branch = leap-16.0
+[submodule "python-certbot-apache"]
+	path = python-certbot-apache
+	url = ../../pool/python-certbot-apache
+	branch = leap-16.0
+[submodule "python-certbot-dns-cloudflare"]
+	path = python-certbot-dns-cloudflare
+	url = ../../pool/python-certbot-dns-cloudflare
+	branch = leap-16.0
+[submodule "python-certbot-dns-digitalocean"]
+	path = python-certbot-dns-digitalocean
+	url = ../../pool/python-certbot-dns-digitalocean
+	branch = leap-16.0
+[submodule "python-certbot-dns-dnsimple"]
+	path = python-certbot-dns-dnsimple
+	url = ../../pool/python-certbot-dns-dnsimple
+	branch = leap-16.0
+[submodule "python-certbot-dns-dnsmadeeasy"]
+	path = python-certbot-dns-dnsmadeeasy
+	url = ../../pool/python-certbot-dns-dnsmadeeasy
+	branch = leap-16.0
+[submodule "python-certbot-dns-linode"]
+	path = python-certbot-dns-linode
+	url = ../../pool/python-certbot-dns-linode
+	branch = leap-16.0
+[submodule "python-certbot-dns-luadns"]
+	path = python-certbot-dns-luadns
+	url = ../../pool/python-certbot-dns-luadns
+	branch = leap-16.0
+[submodule "python-certbot-dns-nsone"]
+	path = python-certbot-dns-nsone
+	url = ../../pool/python-certbot-dns-nsone
+	branch = leap-16.0
+[submodule "python-certbot-dns-ovh"]
+	path = python-certbot-dns-ovh
+	url = ../../pool/python-certbot-dns-ovh
+	branch = leap-16.0
+[submodule "python-certbot-dns-rfc2136"]
+	path = python-certbot-dns-rfc2136
+	url = ../../pool/python-certbot-dns-rfc2136
+	branch = leap-16.0
+[submodule "python-certbot-dns-route53"]
+	path = python-certbot-dns-route53
+	url = ../../pool/python-certbot-dns-route53
+	branch = leap-16.0
+[submodule "python-cloudflare"]
+	path = python-cloudflare
+	url = ../../pool/python-cloudflare
+	branch = leap-16.0
+[submodule "python-digitalocean"]
+	path = python-digitalocean
+	url = ../../pool/python-digitalocean
+	branch = leap-16.0
+[submodule "python-dns-lexicon"]
+	path = python-dns-lexicon
+	url = ../../pool/python-dns-lexicon
+	branch = leap-16.0
+[submodule "python-jsonlines"]
+	path = python-jsonlines
+	url = ../../pool/python-jsonlines
+	branch = leap-16.0
+[submodule "python-jsonpickle"]
+	path = python-jsonpickle
+	url = ../../pool/python-jsonpickle
+	branch = leap-16.0
+[submodule "python-localzone"]
+	path = python-localzone
+	url = ../../pool/python-localzone
+	branch = leap-16.0
+[submodule "python-pytest-httpx"]
+	path = python-pytest-httpx
+	url = ../../pool/python-pytest-httpx
+	branch = leap-16.0
+[submodule "python-requests-file"]
+	path = python-requests-file
+	url = ../../pool/python-requests-file
+	branch = leap-16.0
+[submodule "python-softlayer"]
+	path = python-softlayer
+	url = ../../pool/python-softlayer
+	branch = leap-16.0
+[submodule "python-softlayer-zeep"]
+	path = python-softlayer-zeep
+	url = ../../pool/python-softlayer-zeep
+	branch = leap-16.0
+[submodule "python-tldextract"]
+	path = python-tldextract
+	url = ../../pool/python-tldextract
+	branch = leap-16.0
+[submodule "openQA-devel-container"]
+	path = openQA-devel-container
+	url =  ../../pool/openQA-devel-container
+	branch = leap-16.0

0Backports/Backports.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jan  5 10:38:32 UTC 2026 - Wolfgang Engel <wolfgang.engel@suse.com>
+
+- Backports.productcompose:
+  + add to backports_unneeded, remove xen related packages (bsc#1253226)
+      xen-tools-xendomains-wait-disk
+
 -------------------------------------------------------------------
 Fri Oct 10 07:19:41 UTC 2025 - Wolfgang Engel <wolfgang.engel@suse.com>
 

0Backports/Backports.productcompose

@@ -149,6 +149,8 @@ packagesets:
   - kernel-livepatch-6_12_0-160000_5-rt
   - kernel-livepatch-6_12_0-160000_6-default
   - kernel-livepatch-6_12_0-160000_6-rt
+  - kernel-livepatch-6_12_0-160000_7-default
+  - kernel-livepatch-6_12_0-160000_7-rt
   - kernel-rt-livepatch
   - kernel-rt-livepatch-devel
   - krb5-mini
@@ -279,6 +281,7 @@ packagesets:
   - xen-doc-html
   - xen-tools
   - xen-tools-domU
+  - xen-tools-xendomains-wait-disk
   - yum-utils
 
 # TODO: unneeded Leap package per architecture
@@ -699,6 +702,9 @@ packagesets:
   - cargo-packaging
   - cargo1.87
   - cargo1.88
+  - cargo1.89
+  - cargo1.90
+  - cargo1.91
   - catatonit
   - cblas-devel
   - cblas-devel-static
@@ -1406,7 +1412,6 @@ packagesets:
   - gobject-introspection-devel
   - golang-github-cpuguy83-go-md2man
   - golang-github-google-jsonnet
-  - golang-github-prometheus-prometheus
   - golang-github-prometheus-promu
   - golang-packaging
   - google-errorprone-annotation
@@ -1922,6 +1927,27 @@ packagesets:
   - java-21-openjdk-javadoc
   - java-21-openjdk-jmods
   - java-21-openjdk-src
+  - java-22-openjdk
+  - java-22-openjdk-demo
+  - java-22-openjdk-devel
+  - java-22-openjdk-headless
+  - java-22-openjdk-javadoc
+  - java-22-openjdk-jmods
+  - java-22-openjdk-src
+  - java-23-openjdk
+  - java-23-openjdk-demo
+  - java-23-openjdk-devel
+  - java-23-openjdk-headless
+  - java-23-openjdk-javadoc
+  - java-23-openjdk-jmods
+  - java-23-openjdk-src
+  - java-24-openjdk
+  - java-24-openjdk-demo
+  - java-24-openjdk-devel
+  - java-24-openjdk-headless
+  - java-24-openjdk-javadoc
+  - java-24-openjdk-jmods
+  - java-24-openjdk-src
   - java-cup
   - java-cup-manual
   - javacc
@@ -4361,6 +4387,7 @@ packagesets:
   - maven-wagon-ssh-common
   - maven-wagon-ssh-external
   - mbimcli-bash-completion
+  - mcphost
   - mcstrans
   - md_monitor
   - mdadm
@@ -5429,7 +5456,6 @@ packagesets:
   - postgresql-docs
   - postgresql-jdbc
   - postgresql-jdbc-javadoc
-  - postgresql-llvmjit
   - postgresql-plperl
   - postgresql-plpython
   - postgresql-pltcl
@@ -5439,7 +5465,6 @@ packagesets:
   - postgresql13-contrib
   - postgresql13-devel
   - postgresql13-docs
-  - postgresql13-llvmjit
   - postgresql13-pgaudit
   - postgresql13-pgvector
   - postgresql13-plperl
@@ -5451,7 +5476,6 @@ packagesets:
   - postgresql14-contrib
   - postgresql14-devel
   - postgresql14-docs
-  - postgresql14-llvmjit
   - postgresql14-pgaudit
   - postgresql14-pgvector
   - postgresql14-plperl
@@ -5463,7 +5487,6 @@ packagesets:
   - postgresql15-contrib
   - postgresql15-devel
   - postgresql15-docs
-  - postgresql15-llvmjit
   - postgresql15-pgaudit
   - postgresql15-pgvector
   - postgresql15-plperl
@@ -5475,7 +5498,6 @@ packagesets:
   - postgresql16-contrib
   - postgresql16-devel
   - postgresql16-docs
-  - postgresql16-llvmjit
   - postgresql16-pgaudit
   - postgresql16-pgvector
   - postgresql16-plperl
@@ -5487,7 +5509,6 @@ packagesets:
   - postgresql17-contrib
   - postgresql17-devel
   - postgresql17-docs
-  - postgresql17-llvmjit
   - postgresql17-pgaudit
   - postgresql17-pgvector
   - postgresql17-plperl
@@ -6778,6 +6799,9 @@ packagesets:
   - rhino-engine
   - rhino-javadoc
   - rhino-runtime
+  - rmt-server
+  - rmt-server-config
+  - rmt-server-pubcloud
   - rollback-helper
   - rootlesskit
   - rp-pppoe
@@ -6834,6 +6858,9 @@ packagesets:
   - rust-keylime
   - rust1.87
   - rust1.88
+  - rust1.89
+  - rust1.90
+  - rust1.91
   - samba
   - samba-ad-dc
   - samba-ad-dc-libs
@@ -7062,7 +7089,6 @@ packagesets:
   - system-user-news
   - system-user-nobody
   - system-user-ntp
-  - system-user-prometheus
   - system-user-pulse
   - system-user-qemu
   - system-user-root
@@ -7937,6 +7963,8 @@ packagesets:
   - kernel-kvmsmall
   - kernel-kvmsmall-devel
   - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
   - libLLVMSPIRVLib19
   - libatopology2
   - libdpdk-25
@@ -8048,6 +8076,8 @@ packagesets:
   - grub2-s390x-emu
   - kernel-default-livepatch
   - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
   - kernel-zfcpdump
   - kiwi-settings
   - libHBAAPI2
@@ -8187,6 +8217,8 @@ packagesets:
   - kernel-kvmsmall-devel
   - kernel-kvmsmall-vdso
   - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
   - kiwi-pxeboot
   - kubevirt-virtctl
   - libFLAC++10-x86-64-v3

_config

@@ -168,7 +168,7 @@ Macros:
 
 # Leap specific package list, the same list with excludebuild must add to Backports project
 # Most of package should be built in Backports
-%if "%_project" == "openSUSE:Backports:SLE-16.0"
+%if 0%{?_is_in_project}
 # we build ffado:ffado-mixer for openSUSE, the main one is built in SLFO
 BuildFlags: excludebuild:ffado
 # build gpgme:qt flavor for qt5 support

patchinfo.20251027101540783529.187004354831441/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-67">
+  <packager>lkocman</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for grub2-compat-ia32</summary>
+  <description>This update for grub2-compat-ia32 fixes the following issues:
+
+- Drop update-bootloader --get as it returns 0
+  even if the variable is unset
+- Add update-bootloader also into post and postun Requires 
+  </description>
+  <package>grub2-compat-ia32</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251112155258859667.187004354831441/_patchinfo

@@ -0,0 +1,571 @@
+<patchinfo incident="packagehub-30">
+  <issue tracker="cve" id="2025-0377">VUL-0: CVE-2025-0377: TRACKERBUG: go-slug: improper validation of paths when extracting tar files containing Terraform configuration files can lead to arbitrary file writes</issue>
+  <issue tracker="cve" id="2024-45338">VUL-0: CVE-2024-45338: TRACKERBUG: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content</issue>
+  <packager>manfred-h</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for helmfile</summary>
+  <description>This update for helmfile fixes the following issues:
+
+Changes in helmfile:
+
+Update to version 1.1.9:
+
+  * feat: update strategy for reinstall by @simbou2000 in #2019
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3
+    from 1.88.7 to 1.89.0 by @dependabot[bot] in #2239
+  * Fix: Handle empty helmBinary in base files with environment
+    values by @Copilot in #2237
+
+Update to version 1.1.8:
+
+  * build(deps): bump github.com/hashicorp/go-getter from 1.8.0 to
+    1.8.1 by @dependabot[bot] in #2194
+  * fix typos in both comment and error message by @d-fal in #2199
+  * cleanup disk in release ci by @yxxhero in #2203
+  * Migrate AWS SDK from v1 to v2 to resolve deprecation warnings
+    by @Copilot in #2202
+  * build(deps): bump github.com/helmfile/vals from 0.42.1 to 0.42.2
+    by @dependabot[bot] in #2200
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.88.2 to 1.88.3 by @dependabot[bot] in #2206
+  * Bump Alpine to 3.22 in Dockerfile by @orishamir in #2205
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.31.10 to 1.31.12 by @dependabot[bot] in #2207
+  * Add yq to Dockerfile by @orishamir in #2208
+  * fix: skip chartify for build command jsonPatches by @sstarcher
+    in #2212
+  * build(deps): bump github.com/hashicorp/go-getter from 1.8.1 to
+    1.8.2 by @dependabot[bot] in #2210
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.88.3 to 1.88.4 by @dependabot[bot] in #2213
+  * build(deps): bump golang.org/x/term from 0.35.0 to 0.36.0 by
+    @dependabot[bot] in #2214
+  * Avoid fetching same chart/version multiple times by @Copilot
+    in #2197
+  * build(deps): bump github.com/helmfile/vals from 0.42.2 to
+    0.42.4 by @dependabot[bot] in #2217
+  * docs: add zread badge to README by @yxxhero in #2219
+  * Bump helm-diff to v3.13.1 by @Copilot in #2223
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.88.4 to 1.88.5 by @dependabot[bot] in #2226
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.31.12 to 1.31.13 by @dependabot[bot] in #2225
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.88.5 to 1.88.6 by @dependabot[bot] in #2230
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
+    1.88.6 to 1.88.7 by @dependabot[bot] in #2232
+  * build(deps): bump github.com/aws/aws-sdk-go-v2/config from
+    1.31.13 to 1.31.15 by @dependabot[bot] in #2233
+  * Fix helmBinary and kustomizeBinary being ignored when using
+    bases by @Copilot in #2228
+
+Update to version 1.1.7:
+
+  What's Changed
+
+  * fix pflag error by @zhaque44 in #2164
+  * build(deps): bump actions/setup-go from 5 to 6 by
+    @dependabot[bot] in #2166
+  * build(deps): bump github.com/hashicorp/go-getter from 1.7.9 to
+    1.7.10 by @dependabot[bot] in #2165
+  * build(deps): bump github.com/spf13/pflag from 1.0.9 to 1.0.10
+    by @dependabot[bot] in #2163
+  * Add helm diff installation to README by @nwneisen in #2170
+  * build(deps): bump github.com/hashicorp/go-getter from 1.7.10
+    to 1.8.0 by @dependabot[bot] in #2175
+  * build(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 by
+    @dependabot[bot] in #2174
+  * build(deps): bump github.com/zclconf/go-cty from 1.16.4 to
+    1.17.0 by @dependabot[bot] in #2173
+  * Fix panic when helm isn't installed by @nwneisen in #2169
+  * build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 by
+    @dependabot[bot] in #2172
+  * ci: update minikube and kubernetes versions by @yxxhero in #2181
+  * build(deps): bump k8s.io/apimachinery from 0.34.0 to 0.34.1 by
+    @dependabot[bot] in #2180
+  * Remove deprecated --wait-retries flag support to fix Helm
+    compatibility error by @Copilot in #2179
+  * build(deps): bump go.yaml.in/yaml/v2 from 2.4.2 to 2.4.3 by
+    @dependabot[bot] in #2183
+  * build: update Helm to v3.19.0 across all components by @yxxhero
+    in #2187
+  * build: update helm-diff plugin to v3.13.0 by @yxxhero in #2189
+  * feat: Implement caching for pulling OCI charts by @mustdiechik
+    in #2171
+  * build(deps): bump github.com/helmfile/chartify from 0.24.7 to
+    0.25.0 by @dependabot[bot] in #2190
+
+- Update to version 1.1.6:
+  What's Changed
+  * build(deps): bump github.com/hashicorp/go-getter from 1.7.8 to
+    1.7.9 by @dependabot[bot] in #2139
+  * build(deps): bump github.com/zclconf/go-cty from 1.16.3 to
+    1.16.4 by @dependabot[bot] in #2145
+  * build: update helm to v3.18.6 by @yxxhero in #2144
+  * build(deps): bump github.com/stretchr/testify from 1.10.0 to
+    1.11.0 by @dependabot[bot] in #2150
+  * Add missing --timeout flag to helmfile sync command with
+    documentation by @Copilot in #2148
+  * Fix enableDNS flag missing in diff command and refactor
+    duplicate logic by @Copilot in #2147
+  * build(deps): bump github.com/stretchr/testify from 1.11.0 to
+    1.11.1 by @dependabot[bot] in #2151
+  * build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.14
+    by @dependabot[bot] in #2154
+  * Bump github.com/ulikunitz/xz from v0.5.14 to v0.5.15 by @Copilot
+    in #2159
+  * build(deps): bump github.com/helmfile/vals from 0.42.0 to
+    0.42.1 by @dependabot[bot] in #2161
+  * build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.9
+    by @dependabot[bot] in #2160
+  * build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1
+    by @dependabot[bot] in #2162
+  * Fix error propagation in helmfile diff when Kubernetes is
+    unreachable by @Copilot in #2149
+
+- Update to version 1.1.5:
+  What's Changed
+  * build(deps): bump actions/checkout from 4 to 5 by
+    @dependabot[bot] in #2128
+  * Update recommended Helm versions in init.go and run.sh by
+    @yxxhero in #2129
+  * Add comprehensive .github/copilot-instructions.md for coding
+    agents by @Copilot in #2131
+  * refactor(state): extract getMissingFileHandler method for
+    clarity by @yxxhero in #2133
+  * Fix parseHelmVersion to handle helm versions without 'v'
+    prefix by @Copilot in #2132
+  * build(deps): bump k8s.io/apimachinery from 0.33.3 to 0.33.4
+    by @dependabot[bot] in #2136
+  * build(deps): bump github.com/helmfile/chartify from 0.24.6 to
+    0.24.7 by @dependabot[bot] in #2135
+
+- Update to version 1.1.4:
+  What's Changed
+  * build(deps): bump github.com/helmfile/vals from 0.41.2 to
+    0.41.3 by @dependabot[bot] in #2100
+  * build(deps): bump k8s.io/apimachinery from 0.33.2 to 0.33.3
+    by @dependabot[bot] in #2101
+  * fix: update Helm version to v3.17.4 in CI and init.go by
+    @yxxhero in #2102
+  * build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7
+    by @dependabot[bot] in #2104
+  * feat(state): add missingFileHandlerConfig and related logic
+    by @yxxhero in #2105
+  * refactor(filesystem): add CopyDir method and optimize Fetch
+    function by @yxxhero in #2111
+  * Allow caching of remote files to be disabled by @jess-sol in
+    #2112
+  * refactor(yaml): switch yaml library import paths from gopkg.in
+    to go.yaml.in by @yxxhero in #2114
+  * build(deps): bump actions/download-artifact from 4 to 5 by
+    @dependabot[bot] in #2121
+  * build(deps): bump golang.org/x/term from 0.33.0 to 0.34.0 by
+    @dependabot[bot] in #2123
+
+- Update to version 1.1.3:
+  What's Changed
+  * build: update Helm to v3.18.3 and related dependencies by
+    @yxxhero in #2082
+  * Expose release version as .Release.ChartVersion for templating
+    by @Simske in #2080
+  * build(deps): bump github.com/helmfile/chartify from 0.24.3 to
+    0.24.4 by @dependabot[bot] in #2083
+  * build(deps): bump k8s.io/apimachinery from 0.33.1 to 0.33.2
+    by @dependabot[bot] in #2086
+  * build(deps): bump github.com/helmfile/chartify from 0.24.4 to
+    0.24.5 by @dependabot[bot] in #2087
+  * build(deps): bump github.com/Masterminds/semver/v3 from 3.3.1
+    to 3.4.0 by @dependabot[bot] in #2089
+  * build(deps): bump github.com/hashicorp/hcl/v2 from 2.23.0 to
+    2.24.0 by @dependabot[bot] in #2092
+  * build: update Helm and plugin versions to v3.18.4 and v3.12.3
+    by @yxxhero in #2093
+  * docs: update status section with May 2025 release information
+    by @yxxhero in #2096
+  * build(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0 by
+    @dependabot[bot] in #2099
+  * build(deps): bump golang.org/x/term from 0.32.0 to 0.33.0 by
+    @dependabot[bot] in #2098
+
+- Update to version 1.1.2:
+  What's Changed
+  * build(deps): bump github.com/helmfile/chartify from 0.24.2 to
+    0.24.3 by @dependabot in #2065
+  * build: update Helm to v3.18.2 and adjust related configurations
+    by @yxxhero in #2064
+  * build(deps): bump github.com/helmfile/vals from 0.41.1 to
+    0.41.2 by @dependabot in #2067
+  * build(deps): bump golang.org/x/sync from 0.14.0 to 0.15.0
+    by @dependabot in #2068
+  * fix-insecure-flag by @anontrex in #2072
+  * build(deps): bump github.com/cloudflare/circl from 1.4.0 to
+    1.6.1 by @dependabot in #2074
+  * fix: update helm-diff to version 3.12.2 in CI and Dockerfiles
+    by @yxxhero in #2073
+  * fix: TestToYaml not working with 32-bit architectures by
+    @ProbstDJakob in #2075
+
+- Update to version 1.1.1:
+  What's Changed
+  * Update README.md by @mumoshu in #2046
+  * build(deps): bump github.com/helmfile/vals from 0.41.0 to
+    0.41.1 by @dependabot in #2048
+  * build(helm) update to v3.18.0 by @yxxhero in #2044
+  * build(deps): bump github.com/helmfile/chartify from 0.23.0 to
+    0.24.1 by @dependabot in #2049
+  * build: update Helm and plugin versions in CI and Dockerfiles
+    by @yxxhero in #2059
+
+- Update to version 1.1.0:
+  What's Changed
+  * chore: fix typo in create_test.go by @sadikkuzu in #2025
+  * build(deps): bump golangci/golangci-lint-action from 7 to 8 by
+    @dependabot in #2029
+  * build(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 by
+    @dependabot in #2028
+  * build(deps): bump github.com/helmfile/chartify from 0.22.0 to
+    0.23.0 by @dependabot in #2027
+  * chore: remove test data files by @yxxhero in #2026
+  * build(deps): bump golang.org/x/term from 0.31.0 to 0.32.0 by
+    @dependabot in #2033
+  * build(deps): bump github.com/helmfile/vals from 0.40.1 to
+    0.41.0 by @dependabot in #2032
+  * build(deps): bump dario.cat/mergo from 1.0.1 to 1.0.2 by
+    @dependabot in #2035
+  * feat(tmpl): enhance ToYaml test with multiple scenarios by
+    @yxxhero in #2031
+  * [sops, age] update to have SSH key support with sops by
+    @itscaro in #2036
+  * feat(yaml): add JSON style encoding option to NewEncoder by
+    @yxxhero in #2038
+  * refactor(yaml): upgrade from gopkg.in/yaml.v2 to v3 by @yxxhero
+    in #2039
+  * Update readme &amp; documentation with 2025 status of helmfile
+    project by @zhaque44 in #2040
+  * build(deps): bump k8s.io/apimachinery from 0.33.0 to 0.33.1 by
+    @dependabot in #2041
+  * build(deps): bump github.com/zclconf/go-cty from 1.16.2 to
+    1.16.3 by @dependabot in #2043
+
+- Update to version 1.0.0:
+  PLEASE READ
+  https://github.com/helmfile/helmfile/blob/main/docs/proposals/towards-1.0.md
+
+  What's Changed:
+  * build(deps): bump github.com/helmfile/vals from 0.39.0 to 0.39.1
+    by @dependabot in #1926
+  * Bump kubectl to current version (1.32.1) by @DerDaku in #1924
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.21 to 1.15.22
+    by @dependabot in #1925
+  * build: update Helm to v3.17.1 and related dependencies by
+    @yxxhero in #1928
+  * build(deps): bump k8s.io/apimachinery from 0.32.1 to 0.32.2 by
+    @dependabot in #1931
+  * feat: inject cli state values (--state-values-set) into environment
+    templating context by @Vince-Chenal in #1917
+  * docs: add skipSchemaValidation to index.md and update related
+    structs by @yxxhero in #1935
+  * refactor(state): optimize HelmState flags handling by @yxxhero
+    in #1937
+  * Update vals package to v0.39.2 by @aditmeno in #1938
+  * build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by
+    @dependabot in #1940
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.22 to 1.15.23
+    by @dependabot in #1941
+  * build(deps): bump github.com/helmfile/chartify from 0.20.8 to
+    0.20.9 by @dependabot in #1942
+  * feat: colorized DELETED by @yurrriq in #1944
+  * feat(docs): add proposal to remove charts and delete subcommands
+    by @yxxhero in #1936
+  * build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
+    by @dependabot in #1945
+  * build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to
+    4.0.5 by @dependabot in #1946
+  * build: update golang version to 1.24 and golangci-lint to
+    v1.64.5 by @yxxhero in #1949
+  * build(deps): bump github.com/helmfile/vals from 0.39.2 to 0.39.3
+    by @dependabot in #1951
+  * build(deps): bump github.com/helmfile/chartify from 0.20.9 to
+    0.21.0 by @dependabot in #1950
+  * build(deps): bump golang.org/x/sync from 0.11.0 to 0.12.0 by
+    @dependabot in #1955
+  * build(deps): bump jinja2 from 3.1.5 to 3.1.6 in /docs by
+    @dependabot in #1956
+  * Don't warn if this and the needed release set installed: false
+    by @jayme-github in #1958
+  * build(deps): bump golang.org/x/term from 0.29.0 to 0.30.0 by
+    @dependabot in #1959
+  * Remove all v0.x references by @yxxhero in #1919
+  * build(deps): bump k8s.io/apimachinery from 0.32.2 to 0.32.3
+    by @dependabot in #1960
+  * build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 by
+    @dependabot in #1961
+  * build(deps): bump github.com/helmfile/vals from 0.39.3 to 0.39.4
+    by @dependabot in #1962
+  * build: update Helm to v3.17.2 and related dependencies by
+    @yxxhero in #1965
+  * build: update yaml.v3 dependency and remove colega/go-yaml-yaml
+    by @yxxhero in #1929
+  * build(deps): bump github.com/containerd/containerd from 1.7.24
+    to 1.7.27 by @dependabot in #1966
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.23 to
+    1.16.0 by @dependabot in #1967
+  * build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to
+    5.2.2 by @dependabot in #1969
+  * build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to
+    4.5.2 by @dependabot in #1970
+  * build(deps): bump golangci/golangci-lint-action from 6 to 7
+    by @dependabot in #1975
+  * build(deps): bump github.com/helmfile/vals from 0.39.4 to
+    0.40.0 by @dependabot in #1978
+  * build(deps): bump github.com/helmfile/chartify from 0.21.0 to
+    0.21.1 by @dependabot in #1979
+  * docs(fix): correct typo in 'tier=fronted' to 'tier=frontend'
+    by @yxxhero in #1980
+  * feat: add labels for helm release by @yxxhero in #1046
+  * build(deps): bump github.com/helmfile/vals from 0.40.0 to
+    0.40.1 by @dependabot in #1981
+  * build(deps): bump github.com/goccy/go-yaml from 1.16.0 to 1.17.1
+    by @dependabot in #1982
+  * fix: Check needs with context and namespace by @aarnq in #1986
+  * build(deps): bump golang.org/x/sync from 0.12.0 to 0.13.0 by
+    @dependabot in #1991
+  * build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0 by
+    @dependabot in #1990
+  * fix(state): enhance error message for missing .gotmpl extension
+    in helmfile v1 by @yxxhero in #1989
+  * build(deps): bump github.com/helmfile/chartify from 0.21.1 to
+    0.22.0 by @dependabot in #1996
+  * build: update Helm plugin versions in CI and Dockerfiles by
+    @yxxhero in #1995
+  * build: update Helm to v3.17.3 and update related Dockerfiles
+    by @yxxhero in #1993
+  * build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 by
+    @dependabot in #2010
+  * feat: add helmfile archive configuration in goreleaser by
+    @yxxhero in #2000
+  * docs: add more complex examples section in README by @yxxhero
+    in #2013
+  * Feat: setting reuseValues flag in release by @blaskoa in #2004
+  * build(deps): bump k8s.io/apimachinery from 0.32.3 to 0.32.4 by
+    @dependabot in #2016
+  * build(deps): bump github.com/aws/aws-sdk-go from 1.55.6 to
+    1.55.7 by @dependabot in #2015
+  * chore: support parsing any type with fromYaml by @ProbstDJakob
+    in #2017
+  * build(deps): bump k8s.io/apimachinery from 0.32.4 to 0.33.0 by
+    @dependabot in #2018
+  * feat: add --take-ownership flag to helm diff and related config
+    by @yxxhero in #1992
+
+- Update to version 0.171.0:
+  * feat: execute templates against postRendererHooks by @allanger
+    in #1839
+  * build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
+    by @dependabot in #1897
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.15 to
+    1.15.16 by @dependabot in #1901
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.16 to
+    1.15.17 by @dependabot in #1905
+  * Use a regex to match --state-values-set-string arguments
+    by @gllb in #1902
+  * build(deps): bump golang.org/x/sync from 0.10.0 to 0.11.0
+    by @dependabot in #1911
+  * Chartify v0.20.8 update by @scodeman in #1908
+  * cleanup: remove all about v0.x by @yxxhero in #1903
+  * build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0
+    by @dependabot in #1913
+  * chore: update babel to resolve CVEs by @zhaque44 in #1916
+  * remove deprecated charts.yaml by @yxxhero in #1437
+  * Revert "cleanup: remove all about v0.x" by @yxxhero in #1918
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.17 to
+    1.15.19 by @dependabot in #1920
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.19 to
+    1.15.20 by @dependabot in #1921
+  * feat: Add support for --wait-retries flag. by @connyay in #1922
+  * build: update go-yaml to v1.15.21 by @yxxhero in #1923
+
+- Update to version 0.170.1:
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.14 to
+    1.15.15 by @dependabot in #1882
+  * build(deps): bump github.com/hashicorp/go-slug from 0.15.0 to
+    0.16.3 by @dependabot in #1886 (CVE-2025-0377)
+  * Ensure 'helm repo add' is also not pollute on helmfile template
+    by @baurmatt in #1887
+  * build(deps): bump github.com/zclconf/go-cty from 1.16.1 to
+    1.16.2 by @dependabot in #1888
+  * fix: using correct option for takeOwnership flag by @blaskoa
+    in #1892
+  * fix typo in docs by @adamab48 in #1889
+
+- Update to version 0.170.0:
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.6 to 1.15.7
+    by @dependabot in #1818
+  * build(deps): bump golang.org/x/term from 0.26.0 to 0.27.0 by
+    @dependabot in #1817
+  * chore(doc): fix the indent of the selector usage sample yaml by
+    @Ladicle in #1819
+  * feat(state): add support for setString in ReleaseSpec and
+    HelmState by @yxxhero in #1821
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.7 to 1.15.8
+    by @dependabot in #1822
+  * test(state): add TestHelmState_setStringFlags for setStringFlags
+    method by @yxxhero in #1823
+  * build(deps): bump k8s.io/apimachinery from 0.31.3 to 0.31.4 by
+    @dependabot in #1826
+  * build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 by
+    @dependabot in #1828
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.8 to
+    1.15.9 by @dependabot in #1831
+  * build(deps): bump k8s.io/apimachinery from 0.31.4 to 0.32.0 by
+    @dependabot in #1830
+  * feat: updating sops version to 3.9.2 by @zhaque44 in #1834
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.9 to
+    1.15.10 by @dependabot in #1835
+  * build(deps): bump helm.sh/helm/v3 from 3.16.3 to 3.16.4 by
+    @dependabot in #1836
+  * build: update Helm version to v3.16.4 in CI and Dockerfiles by
+    @yxxhero in #1837
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.10 to
+    1.15.11 by @dependabot in #1838
+  * build(deps): bump filippo.io/age from 1.2.0 to 1.2.1 by
+    @dependabot in #1840
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.11 to
+    1.15.12 by @dependabot in #1843
+  * build: update helm-diff to v3.9.13 in Dockerfiles and init.go
+    by @yxxhero in #1841
+  * build(deps): bump github.com/helmfile/chartify from 0.20.4 to
+    0.20.5 by @dependabot in #1845
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.12 to
+    1.15.13 by @dependabot in #1844
+  * build(deps): bump jinja2 from 3.1.4 to 3.1.5 in /docs by
+    @dependabot in #1846
+  * CVE-2024-45338: updating golang.org/x/net: to version: v0.33.0
+    by @zhaque44 in #1849
+  * build(deps): bump github.com/zclconf/go-cty from 1.15.1 to
+    1.16.0 by @dependabot in #1851
+  * build(deps): bump golang.org/x/term from 0.27.0 to 0.28.0
+    by @dependabot in #1852
+  * update sops versions to 3.9.3 by @zhaque44 in #1861
+  * build(deps): bump github.com/hashicorp/go-getter from 1.7.6
+    to 1.7.7 by @dependabot in #1862
+  * feat: add --take-ownership flag to apply and sync commands by
+    @yxxhero in #1863
+  * fix: ensure plain http is supported across all helmfile
+    commands by @purpleclay in #1858
+  * fix: ensure development versions of charts can be used across
+    helmfile commands by @purpleclay in #1865
+  * build(deps): bump github.com/helmfile/chartify from 0.20.5 to
+    0.20.6 by @dependabot in #1866
+  * update kubectl version (1.30) to stay up to date with new
+    releases by @zhaque44 in #1867
+  * build(deps): bump github.com/zclconf/go-cty from 1.16.0 to
+    1.16.1 by @dependabot in #1870
+  * build(deps): bump github.com/hashicorp/go-getter from 1.7.7 to
+    1.7.8 by @dependabot in #1869
+  * feat: Add "--no-hooks" to helmfile template by @jwlai in #1813
+  * update helm and k8s versions in ci, dockerfiles, and go.mod by
+    @yxxhero in #1872
+  * build(deps): bump github.com/helmfile/vals from 0.38.0 to 0.39.0
+    by @dependabot in #1876
+  * build(deps): bump k8s.io/apimachinery from 0.32.0 to 0.32.1 by
+    @dependabot in #1873
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.13 to
+    1.15.14 by @dependabot in #1874
+  * build: update helm-diff to v3.9.14 in Dockerfiles and init.go
+    by @yxxhero in #1877
+
+- Update to version 0.169.2:
+  * build(deps): bump github.com/helmfile/vals from 0.37.6 to 0.37.7
+    by @dependabot in #1747
+  * build(deps): bump k8s.io/apimachinery from 0.31.1 to 0.31.2 by
+    @dependabot in #1754
+  * Reset extra args before running 'dependency build' by @baurmatt
+    in #1751
+  * Introducing Helmfile Guru on Gurubase.io by @kursataktas in #1748
+  * feat: add skip json schema validation during the install /upgrade
+    of a Chart by @zhaque44 in #1737
+  * fix(maputil): prevent nil value overwrite by @ban11111 in #1755
+  * build(deps): bump github.com/goccy/go-yaml from 1.12.0 to
+    1.13.0 by @dependabot in #1759
+  * fix: this url doesn't work anymore by @zekena2 in #1760
+  * build(deps): bump github.com/goccy/go-yaml from 1.13.0 to
+    1.13.1 by @dependabot in #1762
+  * build(deps): bump github.com/goccy/go-yaml from 1.13.1 to
+    1.13.2 by @dependabot in #1763
+  * build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to
+    4.5.1 by @dependabot in #1767
+  * build(deps): bump github.com/helmfile/vals from 0.37.7 to
+    0.37.8 by @dependabot in #1764
+  * build(deps): bump github.com/goccy/go-yaml from 1.13.2 to
+    1.13.4 by @dependabot in #1765
+  * fix(integration-tests): read correct minikube status (#1768)
+    by @ceriath in #1769
+  * build(deps): bump github.com/goccy/go-yaml from 1.13.4 to
+    1.13.5 by @dependabot in #1770
+  * Add integration tests for #1749 by @baurmatt in #1766
+  * fix: update acme chart URL in input.yaml by @yxxhero in #1773
+  * build(deps): bump github.com/goccy/go-yaml from 1.13.5 to
+    1.13.6 by @dependabot in #1771
+  * build(deps): bump golang.org/x/sync from 0.8.0 to 0.9.0 by
+    @dependabot in #1775
+  * build(deps): bump golang.org/x/term from 0.25.0 to 0.26.0
+    by @dependabot in #1774
+  * Revive dead badge links by @eggplants in #1776
+  * feat: refactor label creation in state.go by @yxxhero in #1758
+  * docs: Add Gurubase badge to README-zh_CN by @yxxhero in #1777
+  * build(deps): bump github.com/goccy/go-yaml from 1.13.6 to
+    1.13.9 by @dependabot in #1781
+  * build(deps): bump github.com/goccy/go-yaml from 1.13.9 to
+    1.14.0 by @dependabot in #1782
+  * build(deps): bump github.com/goccy/go-yaml from 1.14.0 to
+    1.14.3 by @dependabot in #1788
+  * build(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 by
+    @dependabot in #1786
+  * fix: update helm-diff to version 3.9.12 in CI and Dockerfiles
+    by @yxxhero in #1792
+  * build: update Helm version to v3.16.3 in CI and Dockerfiles
+    by @yxxhero in #1791
+  * feat: add HELMFILE_INTERACTIVE env var to enable interactive
+    mode by @thevops in #1787
+  * build(deps): bump github.com/hashicorp/hcl/v2 from 2.22.0 to
+    2.23.0 by @dependabot in #1793
+  * build(deps): bump github.com/Masterminds/semver/v3 from 3.3.0
+    to 3.3.1 by @dependabot in #1795
+  * chore: update with testify/assert assertion and table driven
+    tests for fs.go by @zhaque44 in #1794
+  * build(deps): bump k8s.io/apimachinery from 0.31.2 to 0.31.3
+    by @dependabot in #1798
+  * build(deps): bump github.com/stretchr/testify from 1.9.0 to
+    1.10.0 by @dependabot in #1800
+  * build(deps): bump github.com/goccy/go-yaml from 1.14.3 to
+    1.15.0 by @dependabot in #1804
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.0 to
+    1.15.1 by @dependabot in #1807
+  * build(deps): bump github.com/zclconf/go-cty from 1.15.0 to
+    1.15.1 by @dependabot in #1806
+  * update example chart URL in remote-secrets doc by @daveneeley
+    in #1809
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.1 to
+    1.15.3 by @dependabot in #1811
+  * build(deps): bump github.com/goccy/go-yaml from 1.15.3 to
+    1.15.6 by @dependabot in #1812
+  * fix: inject global values in Chartify by @xabufr in #1805
+  * build(deps): bump github.com/helmfile/vals from 0.37.8 to
+    0.38.0 by @dependabot in #1814
+  * build(deps): bump github.com/helmfile/chartify from 0.20.3 to
+    0.20.4 by @dependabot in #1815
+  * build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by
+    @dependabot in #1816
+
+- Update to version 0.169.1:
+  * feat: update sops version to 3.9.1 by @zhaque44 in #1742
+  * chore: improve test assertions and descriptions for file
+    download test by @zhaque44 in #1745
+  * feat: add 'hide-notes' flag to helm in sync and apply commands
+    by @yxxhero in #1746
+</description>
+  <package>helmfile</package>
+</patchinfo>

patchinfo.20251117131718442159.187004354831441/_patchinfo

@@ -0,0 +1,236 @@
+<patchinfo incident="packagehub-81">
+  <issue tracker="bnc" id="1250499">VUL-0: CVE-2025-10924: gimp: GIMP FF File Parsing Integer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="bnc" id="1250497">VUL-0: CVE-2025-10922: gimp: GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-10922">VUL-0: CVE-2025-10922: gimp: GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-2760">VUL-0: CVE-2025-2760: gimp: integer overflow may lead to remote code execution</issue>
+  <issue tracker="bnc" id="1250501">VUL-0: CVE-2025-10925: gimp: GIMP ILBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="bnc" id="1241690">VUL-0: CVE-2025-2760: gimp: integer overflow may lead to remote code execution</issue>
+  <issue tracker="bnc" id="1250495">VUL-0: CVE-2025-10920: gimp: GIMP ICNS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-10920">VUL-0: CVE-2025-10920: gimp: GIMP ICNS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-10924">VUL-0: CVE-2025-10924: gimp: GIMP FF File Parsing Integer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-10925">VUL-0: CVE-2025-10925: gimp: GIMP ILBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <packager>mgorse</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for gimp</summary>
+  <description>This update for gimp fixes the following issues:
+
+Changes in gimp:
+
+Update to 3.0.6:
+
+  - Security:
+
+    - During development, we received reports from the Zero Day
+      Initiative of potential security issues with some of our file
+      import plug-ins. While these issues are very unlikely to
+      occur with real files, developers like Jacob Boerema and Alx
+      Sa proactively improved security for those imports.
+      The resolved reports are:
+      - ZDI-CAN-27793
+      - ZDI-CAN-27823
+      - ZDI-CAN-27836
+      - ZDI-CAN-27878
+      - ZDI-CAN-27863
+      - ZDI-CAN-27684
+
+  - Core:
+
+    - Many false-positive build warnings have been cleaned out (and
+      proper issues fixed).
+    - Various crashes fixed.
+    - When creating a layer mask from the layer's alpha, but the
+      layer has no alpha, simply fill the mask with complete
+      opacity instead of a completely transparent layer.
+    - Various core infrastructure code reviewed, cleaned up,
+      refactored and improved, in drawable, layer and filter
+      handling code, tree view code, and more.
+    - GIMP_ICONS_LIKE_A_BOSS environment variable is not working
+      anymore (because "gtk-menu-images" and "gtk-button-images"
+      have been deprecated in GTK3 and removed in GTK4) and was
+      therefore removed.
+    - Lock Content now shows as an undo step.
+    - Add alpha channel for certain transforms.
+    - Add alpha channel on filter merge, when necessary.
+    - Filters can now be applied non-destructively on channels.
+    - Improved Photoshop brush support.
+    - After deleting a palette entry, the next entry is
+      automatically selected. This allows easily deleting several
+      entries in a row, among other usage.
+    - Resize image to layers irrespective to selections.
+    - Improved in-GUI release notes' demo script language:
+
+      - We can now set a button value to click it: "toolbox:text,
+        tool-options:outline=1, tool-options:outline-direction"
+      - Color selector's module names can be used as identifiers:
+        "color-editor,color-editor:CMYK=1,color-editor:total-ink-coverage"
+
+    - Fixed Alpha to Selection on single layers with no
+      transparency.
+    - Various code is slowly ported to newer code, preparing for
+      GTK4 port (in an unplanned future step):
+
+      - Using g_set_str() (optionally redefining it in our core
+        code to avoid bumping the GLib minimum requirement).
+      - Start using GListModel in various pieces of code, in
+        particular getting rid of more and more usage of
+        GtkTreeView when possible (as it will be deprecated with
+        GTK4).
+      - New GimpRow class for all future row widgets.
+      - Use more of G_DECLARE_DERIVABLE_TYPE and
+        G_DECLARE_FINAL_TYPE where relevant.
+      - New GimpContainerListView using a GtkListBox.
+      - New GimpRowSeparator, GimpRowSettings, GimpRowFilter and
+        GimpRowDrawableFilter widgets.
+
+    - (Experimental) GEX Format was updated.
+    - Palette import:
+
+      - Set alpha value for image palette imports.
+      - Fix Lab &amp; CMYK ACB palette import.
+      - Add palette format filters to import dialog, making it more
+        apparent what palette formats are supported, and giving the
+        ability to hide irrelevant files.
+
+    - Improved filter actions' sensitivity to make sure they are
+      set insensitive when relevant. In particular filters which
+      cannot be run non-destructively (e.g. filters with aux
+      inputs, non-interactive filters and GEGL Graph) must be
+      insensitive when trying to run them on group layers.
+    - Fix bad axis centering on zoom out.
+    - Export better SVG when exporting paths.
+
+  - Tools:
+
+    - Text tool: make sure the default color is only changed when
+      the user confirms the color change.
+    - Foreground Selection tool: do not create a selection when no
+      strokes has been made. In particular this removes the
+      unnecessary delay which happened when switching to another
+      tool without actually stroking anything.
+    - All Transform tools: transform boundaries for preview is now
+      multi-layers aware.
+    - (Experimental) Seamless Clone tool: made to work again,
+      though it is still too slow to get out of Playground.
+
+  - Graphical User Interface:
+
+    - Various improvements to window management:
+
+      - Keep-Above windows are set with the Utility hint.
+      - Utility windows are not made transient to a parent.
+      - Transient factory dialogs follow the active display,
+        ensuring that new image windows would not hide your toolbox
+        and dock windows.
+
+    - Various CSS improvements for styling of the interface. Some
+      theme leaks were also fixed.
+    - New toggle button in Brushes and Fonts dockable, allowing
+      brush and font previews to optionally follow the color theme.
+      For instance, when using a dark theme, the brush and font
+      previews could be drawn on the theme background, using the
+      theme foreground colors. By default, these data previews are
+      still drawn as black on white.
+    - Palette grid is now drawn with the theme's background color.
+    - Consistent naming patterns on human-facing options (first
+      word only capitalized).
+    - About dialog:
+
+      - We will now display the date and time of the last check in
+        a "Up to date as of &lt;date&gt; at &lt;time&gt;" string, differing
+        from the "Last checked on &lt;date&gt; at &lt;time&gt;" string. The
+        former will be used to indicate that GIMP is indeed
+        up-to-date whereas the latter when a new version was
+        released and that you should update.
+      - We now respect the system time/date format on macOS and
+        Windows.
+
+    - The search popup won't pop up without an image.
+    - Better zoom step algorithm for data previews in container
+      popup (e.g. the brush popup in paint Tool Options).
+    - Disable animation in the Input Controller, Preferences and
+      Welcome dialogs for stack transition when animation are
+      disabled in system settings.
+    - Fixed crosshair hotspot on Windows (crosshair cursor for
+      brushes was offset with a non-100% display scale factor).
+    - Debug/CRITICAL dialog:
+
+      - Make sure it is non-modal.
+      - Follow the theme mode under Windows.
+
+    - While loading images, all widgets in the file dialog are made
+      insensitive, except for the Cancel button and the progress
+      bar.
+    - Both grid and list views can now zoom via scroll and zoom
+      gestures (it used to only work in list views).
+    - Pop an error message up on startup when GIO modules to read
+      HTTPS links are not found and that we therefore fail to load
+      the remote gimp_versions.json file. With the AppImage package
+      in particular, we depend on an environment daemon which
+      cannot be shipped in the package. So the next best thing is
+      to warn people and tell them what they should install to get
+      version checks.
+    - Welcome dialog:
+
+      - The "Community Tutorials" link is now shown after the
+        "Documentation" link.
+      - The "Learn more" link in Release Notes tab leads to the
+        actual release news for this version.
+
+  - Plug-ins:
+
+    - PDF export: do not draw disabled layer masks.
+    - Jigsaw: the plug-in can now draw on transparent layers.
+    - Various file format fixes and improvements: JPEG 2000 import,
+      TIFF import, DDS import, SVG import, PSP import, FITS export,
+      ICNS import, Dicom import, WBMP import, Farbfeld import, XWD
+      import, ILBM import.
+    - Sphere Designer: use spin scale instead of spin entries (the
+      latter is unusable with little horizontal space).
+    - Animation Play: frames are shown again in the playback
+      progress bar.
+    - Vala Goat Exercise: ignoring C warning in this Vala plug-in
+      as it is generated code and we cannot control it.
+    - file-gih: brush pipe selection modes now have nice,
+      translatable names.
+    - Metadata viewer: port from GtkTreeView to GtkListBox.
+    - File Raw Data: reduce Raw Data load dialogue height by moving
+      to a 2-column layout.
+    - SVG import: it is now possible to break aspect ratio with
+      specific width/height arguments, when calling the PDB
+      procedure non-interactively (from other plug-ins).
+    - Print: when run through a portal print dialog, the "Image
+      Settings" will be exposed as a secondary dialog, outputted
+      after the portal dialog, instead of a tab on the main print
+      dialog (because it is not possible to tweak the print dialog
+      when it is created by a portal). This will bring back usable
+      workflow of printing with GIMP when run in a sandbox (e.g.
+      Flatpak or Snap).
+    - Recompose: fixed for YCbCr decomposed images.
+    - Fixed vulnerabilities: ZDI-CAN-27684, ZDI-CAN-27863,
+      ZDI-CAN-27878, ZDI-CAN-27836, ZDI-CAN-27823, ZDI-CAN-27793.
+    - C Source and HTML export can now be run non-interactively too
+      (e.g. from other plug-ins).
+    - Map Object: fix missing spin boxes.
+    - Small Tiles: fix display lag.
+
+- CVE-2025-10925: Fix GIMP ILBM file parsing stack-based buffer overflow remote code
+  execution vulnerability. (ZDI-25-914, ZDI-CAN-27793, bsc#1250501)
+
+- CVE-2025-10922: Fix GIMP DCM file parsing heap-based buffer overflow remote code
+  execution vulnerability.  (ZDI-25-911, ZDI-CAN-27863, bsc#1250497)
+
+- CVE-2025-10920: Prevent overflow attack by checking if output &gt;= max, not just
+  output &gt; max. (ZDI-25-909, ZDI-CAN-27684, bsc#1250495)
+
+- CVE-2025-10924: Fix integer overflow while parsing FF files. (bsc#1250499)
+
+- CVE-2025-2760: A vulnerability allows remote attackers to execute arbitrary
+  code on affected installations of GIMP. The specific flaw exists
+  within parsing of XWD files. An integer overflow happens before
+  allocating a buffer. This fixed in GIMP 3.0.0.
+  https://www.gimp.org/news/2025/03/16/gimp-3-0-released
+  (bsc#1241690)
+</description>
+  <package>gimp</package>
+</patchinfo>

patchinfo.20251117131911819330.187004354831441/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-36">
+  <issue tracker="bnc" id="1252722">Evolution crashes when opening JPEG attachments after webkit2gtk3 security update</issue>
+  <packager>mgorse</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for evolution</summary>
+  <description>This update for evolution fixes the following issues:
+
+Changes in evolution:
+
+- Fix JavaScript dictionary objects creation. Needed for WebKitGTK &gt;= 2.50
+  (bsc#1252722 glgo#GNOME/evolution#3124).
+</description>
+  <package>evolution</package>
+</patchinfo>

patchinfo.20251117132509463589.187004354831441/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-49">
+  <packager>okurz</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for perl-Mojolicious-Plugin-Webpack</summary>
+  <description>This update for perl-Mojolicious-Plugin-Webpack fixes the following issues:
+
+Changes in perl-Mojolicious-Plugin-Webpack:
+
+- See https://github.com/jhthorsen/mojolicious-plugin-webpack/pull/17
+</description>
+  <package>perl-Mojolicious-Plugin-Webpack</package>
+  
+</patchinfo>

patchinfo.20251126115242783292.93181000773252/_patchinfo

@@ -0,0 +1,54 @@
+<patchinfo incident="packagehub-35">
+  <issue tracker="cve" id="2023-43279">cve#2023-43279 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2023-43279</issue>
+  <issue tracker="bnc" id="1248964">VUL-0: CVE-2025-9649: tcpreplay: division-by-zero in the `calc_sleep_time` function of file send_packets.c when processing malformed PPS parameters</issue>
+  <issue tracker="bnc" id="1243845">VUL-0: CVE-2024-22654: tcpreplay: Infinite loop in tcpreplay with malformed ipv6 headers</issue>
+  <issue tracker="cve" id="2025-9649">cve#2025-9649 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-9649</issue>
+  <issue tracker="cve" id="2025-8746">cve#2025-8746 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-8746</issue>
+  <issue tracker="bnc" id="1248596">VUL-0: CVE-2025-9385: A flaw has been found in appneta tcpreplay up to 4.5.1. The affected element is the function fix_ipv6_checksums of the file edit_packet.c of the component tcprewrite. This manipulation causes use after free. The attack is restri ...</issue>
+  <issue tracker="cve" id="2023-4256">cve#2023-4256 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2023-4256</issue>
+  <issue tracker="bnc" id="1247919">VUL-0: CVE-2025-8746: tcpreplay: autogen: improper input validation and memory bounds checking when processing certain malformed configuration files</issue>
+  <issue tracker="cve" id="2025-9385">cve#2025-9385 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-9385</issue>
+  <issue tracker="bnc" id="1222131">VUL-0: CVE-2024-3024: tcpreplay: heap-based buffer overflow</issue>
+  <issue tracker="cve" id="2025-9157">cve#2025-9157 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-9157</issue>
+  <issue tracker="bnc" id="1218249">VUL-0: CVE-2023-4256: tcpreplay: tcprewrite: double free in tcpedit_dlt_cleanup() in plugins/dlt_plugins.c</issue>
+  <issue tracker="cve" id="2025-9386">cve#2025-9386 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-9386</issue>
+  <issue tracker="bnc" id="1248595">VUL-0: CVE-2025-9384: A vulnerability was detected in appneta tcpreplay up to 4.5.1. Impacted is the function tcpedit_post_args of the file /src/tcpedit/parse_args.c. The manipulation results in null pointer dereference. The attack is only possible w ...</issue>
+  <issue tracker="cve" id="2025-9384">cve#2025-9384 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-9384</issue>
+  <issue tracker="cve" id="2025-51006">cve#2025-51006 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-51006</issue>
+  <issue tracker="bnc" id="1248597">VUL-0: CVE-2025-9386: A vulnerability has been found in appneta tcpreplay up to 4.5.1. The impacted element is the function get_l2len_protocol of the file get.c of the component tcprewrite. Such manipulation leads to use after free. The attack must b ...</issue>
+  <issue tracker="cve" id="2024-22654">cve#2024-22654 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-22654</issue>
+  <issue tracker="bnc" id="1221324">VUL-0: CVE-2023-43279: tcpreplay: null pointer dereference in mask_cidr6 component at cidr.c</issue>
+  <issue tracker="bnc" id="1248322">VUL-0: CVE-2025-9157: tcpreplay: The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite.</issue>
+  <issue tracker="bnc" id="1250356">VUL-0: CVE-2025-51006: tcpreplay: double free in tcprewrite via a crafted pcap file</issue>
+  <issue tracker="cve" id="2024-3024">cve#2024-3024 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-3024</issue>
+  <packager>mkubecek</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for tcpreplay</summary>
+  <description>This update for tcpreplay fixes the following issues:
+
+- update to 4.5.2:
+  * features added since 4.4.4
+    - fix/recalculate header checksum for ipv6-frag
+    - IPv6 frag checksum support
+    - AF_XDP socket support
+    - tcpreplay -w (write into a pcap file)
+    - tcpreplay --fixhdrlen
+    - --include and --exclude options
+    - SLL2 support
+    - Haiku support
+  * security fixes reported for 4.4.4 fixed in 4.5.2
+    - CVE-2023-4256  / bsc#1218249
+    - CVE-2023-43279 / bsc#1221324
+    - CVE-2024-3024  / bsc#1222131 (likely)
+    - CVE-2024-22654 / bsc#1243845
+    - CVE-2025-9157  / bsc#1248322
+    - CVE-2025-9384  / bsc#1248595
+    - CVE-2025-9385  / bsc#1248596
+    - CVE-2025-9386  / bsc#1248597
+    - CVE-2025-9649  / bsc#1248964
+    - CVE-2025-51006 / bsc#1250356
+</description>
+  <package>tcpreplay</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251126115642933537.93181000773252/_patchinfo

@@ -0,0 +1,86 @@
+<patchinfo incident="packagehub-34">
+  <issue tracker="bnc" id="1251471">VUL-0: CVE-2025-47911: gitea-tea: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1251663">VUL-0: CVE-2025-58190: gitea-tea: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="cve" id="2025-58190">cve#2025-58190 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58190</issue>
+  <issue tracker="cve" id="2025-47911">cve#2025-47911 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47911</issue>
+  <packager>olh</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for gitea-tea</summary>
+  <description>This update for gitea-tea fixes the following issues:
+
+Changes in gitea-tea:
+
+- update to 0.11.1:
+  * 61d4e57 Fix Pr Create crash (#823)
+  * 4f33146 add test for matching logins (#820)
+  * 08b8398 Update README.md (#819)
+
+- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input (boo#1251663)
+- CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents (boo#1251471)
+
+- update to 0.11.0:
+  * Fix yaml output single quote (#814)
+  * generate man page (#811)
+  * feat: add validation for object-format flag in repo create
+    command (#741)
+  * Fix release version (#815)
+  * update gitea sdk to v0.22 (#813)
+  * don't fallback login directly (#806)
+  * Check duplicated login name in interact mode when creating new
+    login (#803)
+  * Fix bug when output json with special chars (#801)
+  * add debug mode and update readme (#805)
+  * update go.mod to retract the wrong tag v1.3.3 (#802)
+  * revert completion scripts removal (#808)
+  * Remove pagination from context (#807)
+  * Continue auth when failed to open browser (#794)
+  * Fix bug (#793)
+  * Fix tea login add with ssh public key bug (#789)
+  * Add temporary authentication via environment variables (#639)
+  * Fix attachment size (#787)
+  * deploy image when tagging (#792)
+  * Add Zip URL for release list (#788)
+  * Use bubbletea instead of survey for interacting with TUI (#786)
+  * capitalize a few items
+  * rm out of date comparison file
+  * README: Document logging in to gitea (#790)
+  * remove autocomplete command (#782)
+  * chore(deps): update ghcr.io/devcontainers/features/git-lfs
+    docker tag to v1.2.5 (#773)
+  * replace arch package url (#783)
+  * fix: Reenable -p and --limit switches (#778)
+
+- Update to 0.10.1+git.1757695903.cc20b52:
+  - feat: add validation for object-format flag in repo create
+    command (see gh#openSUSE/openSUSE-git#60)
+  - Fix release version
+  - update gitea sdk to v0.22
+  - don't fallback login directly
+  - Check duplicated login name in interact mode when creating
+    new login
+  - Fix bug when output json with special chars
+  - add debug mode and update readme
+  - update go.mod to retract the wrong tag v1.3.3
+  - revert completion scripts removal
+  - Remove pagination from context
+  - Continue auth when failed to open browser
+  - Fix bug
+  - Fix tea login add with ssh public key bug
+  - Add temporary authentication via environment variables
+  - Fix attachment size
+  - deploy image when tagging
+  - Add Zip URL for release list
+  - Use bubbletea instead of survey for interacting with TUI
+  - capitalize a few items
+  - rm out of date comparison file
+  - README: Document logging in to gitea
+  - remove autocomplete command
+  - chore(deps): update ghcr.io/devcontainers/features/git-lfs
+    docker tag to v1.2.5
+  - replace arch package url
+  - fix: Reenable `-p` and `--limit` switches
+</description>
+  <package>gitea-tea</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251126120323268597.93181000773252/_patchinfo

@@ -1,4 +1,4 @@
-<patchinfo>
+<patchinfo incident="packagehub-37">
   <issue tracker="cve" id="2025-46817">cve#2025-46817 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46817</issue>
   <issue tracker="cve" id="2025-62507">cve#2025-62507 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-62507</issue>
   <issue tracker="cve" id="2025-49844">cve#2025-49844 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-49844</issue>
@@ -59,4 +59,4 @@
     * #Q6621 Fix regression in INFO (MOD-10779)
 </description>
   <package>redis</package>
-</patchinfo>
+</patchinfo>

patchinfo.20251126122954168954.187004354831441/_patchinfo

@@ -0,0 +1,713 @@
+<patchinfo incident="packagehub-33">
+  <issue tracker="bnc" id="1250625">VUL-0: CVE-2025-11065: trivy: github.com/go-viper/mapstructure/v2: sensitive Information leak in logs</issue>
+  <issue tracker="cve" id="2025-30204">VUL-0: CVE-2025-30204: TRACKERBUG: github.com/golang-jwt/jwt/v4,github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing</issue>
+  <issue tracker="cve" id="2024-3817">VUL-0: CVE-2024-3817: TRACKERBUG: hashicorp/go-getter: argument injection when fetching remote default git branches</issue>
+  <issue tracker="bnc" id="1234512">VUL-0: CVE-2024-45337: trivy: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
+  <issue tracker="cve" id="2025-46569">VUL-0: CVE-2025-46569: TRACKERBUG: github.com/open-policy-agent/opa/server: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API</issue>
+  <issue tracker="bnc" id="1240466">VUL-0: CVE-2025-30204: trivy: github.com/golang-jwt/jwt/v4,github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing</issue>
+  <issue tracker="cve" id="2024-51744">VUL-0: CVE-2024-51744: TRACKERBUG: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations</issue>
+  <issue tracker="cve" id="2025-53547">VUL-0: CVE-2025-53547: TRACKERBUG: helm,helm.sh/helm/v3: Helm Chart Code Execution</issue>
+  <issue tracker="bnc" id="1232948">VUL-0: CVE-2024-51744: trivy: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt</issue>
+  <issue tracker="cve" id="2025-22872">VUL-0: CVE-2025-22872: TRACKERBUG: golang.org/x/net/html: tags incorrectly interpreted by tokenizer can lead to content being placed in the wrong scope during</issue>
+  <issue tracker="cve" id="2025-27144">VUL-0: CVE-2025-27144: TRACKERBUG: gopkg.in/square/go-jose.v2,gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service</issue>
+  <issue tracker="bnc" id="1239225">VUL-0: CVE-2025-22868: trivy: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2</issue>
+  <issue tracker="cve" id="2025-47291">VUL-0: CVE-2025-47291: TRACKERBUG: github.com/containerd/containerd/v2,containerd: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods.</issue>
+  <issue tracker="cve" id="2025-58058">VUL-0: CVE-2025-58058: TRACKERBUG: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <issue tracker="cve" id="2024-45338">VUL-0: CVE-2024-45338: TRACKERBUG: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content</issue>
+  <issue tracker="bnc" id="1243633">VUL-0: CVE-2025-47291: trivy: github.com/containerd/containerd/v2: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods.</issue>
+  <issue tracker="bnc" id="1235265">VUL-0: CVE-2024-45338: trivy: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content</issue>
+  <issue tracker="cve" id="2025-21613">VUL-0: CVE-2025-21613: TRACKERBUG: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
+  <issue tracker="bnc" id="1241724">VUL-0: CVE-2025-22872: trivy: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
+  <issue tracker="cve" id="2025-22868">VUL-0: CVE-2025-22868: TRACKERBUG: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2</issue>
+  <issue tracker="bnc" id="1246151">VUL-0: CVE-2025-53547: trivy: helm.sh/helm/v3: Helm Chart Code Execution</issue>
+  <issue tracker="bnc" id="1227010">VUL-0: CVE-2024-3817: trivy: hashicorp/go-getter: argument injection when fetching remote default git branches</issue>
+  <issue tracker="bnc" id="1248897">VUL-0: CVE-2025-58058: trivy: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <issue tracker="cve" id="2025-11065">VUL-0: TRACKERBUG: CVE-2025-11065: github.com/go-viper/mapstructure/v2: sensitive Information leak in logs</issue>
+  <issue tracker="bnc" id="1248937">VUL-0: CVE-2025-58058: hauler: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <issue tracker="bnc" id="1237618">VUL-0: CVE-2025-27144: trivy: gopkg.in/go-jose/go-jose.v2: Go JOSE's Parsing Vulnerable to Denial of Service</issue>
+  <issue tracker="bnc" id="1239385">VUL-0: CVE-2025-22869: trivy: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <issue tracker="cve" id="2025-21614">CVE-2025-21614 go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies</issue>
+  <issue tracker="bnc" id="1246730">VUL-0: CVE-2025-46569: trivy: github.com/open-policy-agent/opa: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API</issue>
+  <issue tracker="cve" id="2024-45337">VUL-0: CVE-2024-45337: TRACKERBUG: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
+  <packager>dirkmueller</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for trivy</summary>
+  <description>This update for trivy fixes the following issues:
+
+Changes in trivy:
+
+Update to version 0.67.2 (bsc#1250625, CVE-2025-11065, bsc#1248897, CVE-2025-58058):
+
+  * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)
+  * fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
+  * fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
+  * fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615)
+  * fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
+  * fix(vex): don't  suppress vulns for packages with infinity loop (#9465)
+  * fix(aws): use `BuildableClient` insead of `xhttp.Client` (#9436)
+  * refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282)
+  * docs: clarify inline ignore limitations for resource-less checks (#9537)
+  * fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
+  * fix(misconf): handle tofu files in module detection (#9486)
+  * feat(seal): add seal support (#9370)
+  * docs: fix modules path and update code example (#9539)
+  * fix: close file descriptors and pipes on error paths (#9536)
+  * feat: add documentation URL for database lock errors (#9531)
+  * fix(db): Dowload database when missing but metadata still exists (#9393)
+  * feat(cloudformation): support default values and list results in Fn::FindInMap (#9515)
+  * fix(misconf): unmark cty values before access (#9495)
+  * feat(cli): change --list-all-pkgs default to true (#9510)
+  * fix(nodejs): parse workspaces as objects for package-lock.json files (#9518)
+  * refactor(fs): use underlyingPath to determine virtual files more reliably (#9302)
+  * refactor: remove google/wire dependency and implement manual DI (#9509)
+  * chore(deps): bump the aws group with 6 updates (#9481)
+  * chore(deps): bump the common group across 1 directory with 24 updates (#9507)
+  * fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497)
+  * docs: move info about `detection priority` into coverage section (#9469)
+  * feat(sbom): added support for CoreOS (#9448)
+  * fix(misconf): strip build metadata suffixes from image history (#9498)
+  * feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439)
+  * docs: Fix typo in terraform docs (#9492)
+  * feat(redhat): add os-release detection for RHEL-based images (#9458)
+  * ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
+  * refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
+  * fix(vuln): compare `nuget` package names in lower case (#9456)
+  * chore: Update release flow to include chocolatey (#9460)
+  * docs: document eol supportability (#9434)
+  * docs(report): add nuanses about secret/license scanner in summary table (#9442)
+  * ci: use environment variables in GitHub Actions for improved security (#9433)
+  * chore: bump Go to 1.24.7 (#9435)
+  * fix(nodejs): use snapshot string as `Package.ID` for pnpm packages (#9330)
+  * ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425)
+
+Update to version 0.66.0 (bsc#1248937, CVE-2025-58058):
+
+  * chore(deps): bump the aws group with 7 updates (#9419)
+  * refactor(secret): clarify secret scanner messages (#9409)
+  * fix(cyclonedx): handle multiple license types (#9378)
+  * fix(repo): sanitize git repo URL before inserting into report metadata (#9391)
+  * test: add HTTP basic authentication to git test server (#9407)
+  * fix(sbom): add support for `file` component type of `CycloneDX` (#9372)
+  * fix(misconf): ensure module source is known (#9404)
+  * ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
+  * fix: create temp file under composite fs dir (#9387)
+  * chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
+  * refactor: switch to stable azcontainerregistry SDK package (#9319)
+  * chore(deps): bump the common group with 7 updates (#9382)
+  * refactor(misconf): migrate from custom Azure JSON parser (#9222)
+  * fix(repo): preserve RepoMetadata on FS cache hit (#9389)
+  * refactor(misconf): use atomic.Int32 (#9385)
+  * chore(deps): bump the aws group with 6 updates (#9383)
+  * docs: Fix broken link to "Built-in Checks" (#9375)
+  * fix(plugin): don't remove plugins when updating index.yaml file (#9358)
+  * fix: persistent flag option typo (#9374)
+  * chore(deps): bump the common group across 1 directory with 26 updates (#9347)
+  * fix(image): use standardized HTTP client for ECR authentication (#9322)
+  * refactor: export `systemFileFiltering` Post Handler (#9359)
+  * docs: update links to Semaphore pages (#9352)
+  * fix(conda): memory leak by adding closure method for `package.json` file (#9349)
+  * feat: add timeout handling for cache database operations (#9307)
+  * fix(misconf): use correct field log_bucket instead of target_bucket in gcp bucket (#9296)
+  * fix(misconf): ensure ignore rules respect subdirectory chart paths (#9324)
+  * chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
+  * feat(terraform): use .terraform cache for remote modules in plan scanning (#9277)
+  * chore: fix some function names in comment (#9314)
+  * chore(deps): bump the aws group with 7 updates (#9311)
+  * docs: add explanation for how to use non-system certificates (#9081)
+  * chore(deps): bump the github-actions group across 1 directory with 2 updates (#8962)
+  * fix(misconf): preserve original paths of remote submodules from .terraform (#9294)
+  * refactor(terraform): make Scan method of Terraform plan scanner private (#9272)
+  * fix: suppress debug log for context cancellation errors (#9298)
+  * feat(secret): implement streaming secret scanner with byte offset tracking (#9264)
+  * fix(python): impove package name normalization  (#9290)
+  * feat(misconf): added audit config attribute (#9249)
+  * refactor(misconf): decouple input fs and track extracted files with fs references (#9281)
+  * test(misconf): remove BenchmarkCalculate using outdated check metadata (#9291)
+  * refactor: simplify Detect function signature (#9280)
+  * ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0 (#9288)
+  * fix(fs): avoid shadowing errors in file.glob (#9286)
+  * test(misconf): move terraform scan tests to integration tests (#9271)
+  * test(misconf): drop gcp iam test covered by another case (#9285)
+  * chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)
+
+Update to version 0.65.0:
+
+  * fix(cli): ensure correct command is picked by telemetry (#9260)
+  * feat(flag): add schema validation for `--server` flag (#9270)
+  * chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#9274)
+  * ci: skip undefined labels in discussion triage action (#9175)
+  * feat(repo): add git repository metadata to reports (#9252)
+  * fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)
+  * chore: add modernize tool integration for code modernization (#9251)
+  * fix(secret): add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253)
+  * chore: implement process-safe temp file cleanup (#9241)
+  * fix: prevent graceful shutdown message on normal exit (#9244)
+  * fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)
+  * feat: add graceful shutdown with signal handling (#9242)
+  * chore: update template URL for brew formula (#9221)
+  * test: add end-to-end testing framework with image scan and proxy tests (#9231)
+  * refactor(db): use `Getter` interface with `GetParams` for trivy-db sources (#9239)
+  * ci: specify repository for `gh cache delete` in canary worklfow (#9240)
+  * ci: remove invalid `--confirm` flag from `gh cache delete` command in canary builds (#9236)
+  * fix(misconf): fix log bucket in schema (#9235)
+  * chore(deps): bump the common group across 1 directory with 24 updates (#9228)
+  * ci: move runner.os context from job-level env to step-level in canary workflow (#9233)
+  * chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
+  * feat(misconf): added logging and versioning to the gcp storage bucket (#9226)
+  * fix(server): add HTTP transport setup to server mode (#9217)
+  * chore: update the rpm download Update (#9202)
+  * feat(alma): add AlmaLinux 10 support (#9207)
+  * fix(nodejs): don't use prerelease logic for compare npm constraints  (#9208)
+  * fix(rootio): fix severity selection (#9181)
+  * fix(sbom): merge in-graph and out-of-graph OS packages in scan results (#9194)
+  * fix(cli): panic: attempt to get os.Args[1] when len(os.Args) &lt; 2 (#9206)
+  * fix(misconf): correctly adapt azure storage account (#9138)
+  * feat(misconf): add private ip google access attribute to subnetwork (#9199)
+  * feat(report): add CVSS vectors in sarif report (#9157)
+  * fix(terraform): `for_each` on a map returns a resource for every key (#9156)
+  * fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
+  * chore: migrate protoc setup from Docker to buf CLI (#9184)
+  * ci: delete cache after artifacts upload in canary workflow (#9177)
+  * refactor: remove aws flag helper message (#9080)
+  * ci: use gh pr view to get PR number for forked repositories in auto-ready workflow (#9183)
+  * ci: add auto-ready-for-review workflow (#9179)
+  * feat(image): add Docker context resolution (#9166)
+  * ci: optimize golangci-lint performance with cache-based strategy (#9173)
+  * feat: add HTTP request/response tracing support (#9125)
+  * fix(aws): update amazon linux 2 EOL date (#9176)
+  * chore: Update release workflow to trigger version updates (#9162)
+  * chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
+  * fix: also check `filepath` when removing duplicate packages (#9142)
+  * chore: add debug log to show image source location (#9163)
+  * docs: add section on customizing default check data (#9114)
+  * chore(deps): bump the common group across 1 directory with 9 updates (#9153)
+  * docs: partners page content updates (#9149)
+  * chore(license): add missed spdx exceptions: (#9147)
+  * docs: trivy partners page updates (#9133)
+  * fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)
+  * ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1 (#9135)
+  * feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
+  * fix(misconf): skip rewriting expr if attr is nil (#9113)
+  * fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping (#9116)
+  * fix(cli): Add more non-sensitive flags to telemetry (#9110)
+  * fix(alma): parse epochs from rpmqa file (#9101)
+  * fix(rootio): check full version to detect `root.io` packages (#9117)
+  * chore: drop FreeBSD 32-bit support (#9102)
+  * fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
+  * fix(secret): fix line numbers for multiple-line secrets (#9104)
+  * feat(license): observe pkg types option in license scanner (#9091)
+  * ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0 (#9107)
+- (CVE-2025-53547, bsc#1246151)
+
+- Update to version 0.64.1 (bsc#1243633, CVE-2025-47291,
+                           (bsc#1246730, CVE-2025-46569):
+
+  * fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
+  * fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
+  * fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120)
+  * fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
+  * docs(python): fix type with METADATA file name (#9090)
+  * feat: reject unsupported artifact types in remote image retrieval (#9052)
+  * chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088)
+  * refactor(misconf): rewrite Rego module filtering using functional filters (#9061)
+  * feat(terraform): add partial evaluation for policy templates (#8967)
+  * feat(vuln): add Root.io support for container image scanning (#9073)
+  * feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
+  * fix(cli): add some values to the telemetry call (#9056)
+  * feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
+  * refactor: centralize HTTP transport configuration (#9058)
+  * test: include integration tests in linting and fix all issues (#9060)
+  * chore(deps): bump the common group across 1 directory with 26 updates (#9063)
+  * feat(java): dereference all maven settings.xml env placeholders (#9024)
+  * fix(misconf): reduce log noise on incompatible check (#9029)
+  * fix(misconf): .Config.User always takes precedence over USER in .History (#9050)
+  * chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037)
+  * docs(misconf): simplify misconfiguration docs (#9030)
+  * fix(misconf): move disabled checks filtering after analyzer scan (#9002)
+  * docs: add PR review policy for maintainers (#9032)
+  * fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034)
+  * test: improve and extend tests for iac/adapters/arm (#9028)
+  * chore: bump up Go version to 1.24.4 (#9031)
+  * feat(cli): add version constraints to annoucements (#9023)
+  * fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015)
+  * feat(ubuntu): add eol date for 20.04-ESM (#8981)
+  * fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format (#8549)
+  * fix(nodejs): correctly parse `packages` array of `bun.lock` file (#8998)
+  * refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983)
+  * docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003)
+  * feat(misconf): add OpenTofu file extension support (#8747)
+  * refactor(misconf): set Trivy version by default in Rego scanner (#9001)
+  * docs: fix assets with versioning (#8996)
+  * docs: add partners page (#8988)
+  * chore(alpine): add EOL date for Alpine 3.22 (#8992)
+  * fix: don't show corrupted trivy-db warning for first run (#8991)
+  * Update installation.md (#8979)
+  * feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953)
+  * chore(k8s): update comments with deprecated command format (#8964)
+  * chore: fix errors and typos in docs (#8963)
+  * fix: Add missing version check flags (#8951)
+  * feat(redhat): Add EOL date for RHEL 10. (#8910)
+  * fix: Correctly check for semver versions for trivy version check (#8948)
+  * refactor(server): change custom advisory and vulnerability data types fr… (#8923)
+  * ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946)
+  * fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
+  * chore(deps): Bump trivy-checks (#8934)
+  * fix(julia): add `Relationship` field support (#8939)
+  * feat(minimos): Add support for MinimOS (#8792)
+  * feat(alpine): add maintainer field extraction for APK packages (#8930)
+  * feat(echo): Add Echo Support (#8833)
+  * fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
+  * fix(wolfi): support new APK database location (#8937)
+  * feat(k8s): get components from namespaced resources (#8918)
+  * refactor(cloudformation): remove unused ScanFile method from Scanner (#8927)
+  * refactor(terraform): remove result sorting from scanner (#8928)
+  * feat(misconf): Add support for `Minimum Trivy Version` (#8880)
+  * docs: improve skipping files documentation (#8749)
+  * feat(cli): Add available version checking (#8553)
+  * feat(nodejs): add a bun.lock analyzer (#8897)
+  * feat: terraform parser option to set current working directory (#8909)
+  * perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602)
+  * feat(misconf): export raw Terraform data to Rego (#8741)
+  * refactor(terraform): simplify AllReferences method signature in Attribute (#8906)
+  * fix: check post-analyzers for StaticPaths (#8904)
+  * feat: add Bottlerocket OS package analyzer (#8653)
+  * feat(license): improve work text licenses with custom classification (#8888)
+  * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901)
+  * chore(deps): bump the common group across 1 directory with 9 updates (#8887)
+  * refactor(license): simplify compound license scanning (#8896)
+  * feat(license): Support compound licenses (licenses using SPDX operators) (#8816)
+  * fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
+  * feat(nodejs): add bun.lock parser (#8851)
+  * feat(license): improve work with custom classification of licenses from config file (#8861)
+  * fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom` command (#8886)
+  * fix: julia parser panicing (#8883)
+  * refactor(db): change logic to detect wrong DB (#8864)
+  * fix(cli): don't use allow values for `--compliance` flag (#8881)
+  * docs(misconf): Reorganize misconfiguration scan pages (#8206)
+  * fix(server): add missed Relationship field for `rpc` (#8872)
+  * feat: add JSONC support for comments and trailing commas (#8862)
+  * fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)
+  * feat(go): support license scanning in both GOPATH and vendor (#8843)
+  * fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
+  * fix: filter all files when processing files installed from package managers (#8842)
+  * feat(misconf): add misconfiguration location to junit template (#8793)
+  * docs(vuln): remove OSV for Python from data sources (#8841)
+  * chore: add an issue template for maintainers (#8838)
+  * chore: enable staticcheck (#8815)
+  * ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836)
+  * feat(license): scan vendor directory for license for go.mod files (#8689)
+  * docs(java):  Update info about dev deps in gradle lock (#8830)
+  * chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)
+  * fix(java): exclude dev dependencies in gradle lockfile (#8803)
+  * fix: octalLiteral from go-critic (#8811)
+  * fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)
+  * chore(deps): bump the common group across 1 directory with 10 updates (#8817)
+  * fix: use-any from revive (#8810)
+  * fix: more revive rules (#8814)
+  * docs: change in java.md: fix the Trity -to-&gt; Trivy typo (#8813)
+  * fix(misconf): check if for-each is known when expanding dyn block (#8808)
+  * ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)
+
+- Update to version 0.62.1 (bsc#1239225, CVE-2025-22868,
+                            bsc#1241724, CVE-2025-22872):
+
+  * chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)
+  * fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)
+  * fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)
+  * feat(nodejs): add root and workspace for `yarn` packages (#8535)
+  * fix: unused-parameter rule from revive (#8794)
+  * chore(deps): Update trivy-checks (#8798)
+  * fix: early-return, indent-error-flow and superfluous-else rules from revive  (#8796)
+  * fix(k8s): remove using `last-applied-configuration` (#8791)
+  * refactor(misconf): remove unused methods from providers (#8781)
+  * refactor(misconf): remove unused methods from iac types (#8782)
+  * fix(misconf): filter null nodes when parsing json manifest (#8785)
+  * fix: testifylint last issues (#8768)
+  * fix(misconf): perform operations on attribute safely (#8774)
+  * refactor(ubuntu): update time handling for fixing time (#8780)
+  * chore(deps): bump golangci-lint to v2.1.2 (#8766)
+  * feat(image): save layers metadata into report (#8394)
+  * feat(misconf): convert AWS managed policy to document (#8757)
+  * chore(deps): bump the docker group across 1 directory with 3 updates (#8762)
+  * ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)
+  * ci(helm): create a helm branch for patches from main (#8673)
+  * fix(terraform): hcl object expressions to return references (#8271)
+  * chore(terraform): option to pass in instanced logger  (#8738)
+  * ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity` fork (#8740)
+  * chore(terraform): remove os.OpenPath call from terraform file functions (#8737)
+  * chore(deps): bump the common group across 1 directory with 23 updates (#8733)
+  * feat(rust): add root and workspace relationships/package for `cargo` lock files (#8676)
+  * refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)
+  * fix(misconf): populate context correctly for module instances (#8656)
+  * fix(misconf): check if metadata is not nil (#8647)
+  * refactor(misconf): switch to x/json  (#8719)
+  * fix(report): clean buffer after flushing (#8725)
+  * ci: improve PR title validation workflow (#8720)
+  * refactor(flag): improve flag system architecture and extensibility (#8718)
+  * fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555)
+  * refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591)
+  * feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)
+  * ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702)
+  * refactor: add hook interface for extended functionality (#8585)
+  * fix(misconf): add missing variable as unknown (#8683)
+  * docs: Update maintainer docs (#8674)
+  * ci(vuln): reduce github action script injection attack risk (#8610)
+  * fix(secret): ignore .dist-info directories during secret scanning (#8646)
+  * fix(server): fix redis key when trying to delete blob (#8649)
+  * chore(deps): bump the testcontainers group with 2 updates (#8650)
+  * test: use `aquasecurity` repository for test images (#8677)
+  * chore(deps): bump the aws group across 1 directory with 5 updates (#8652)
+  * fix(k8s): skip passed misconfigs for the summary report (#8684)
+  * fix(k8s): correct compare artifact versions (#8682)
+  * chore: update Docker lib (#8681)
+  * refactor(misconf): remove unused terraform attribute methods (#8657)
+  * feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
+  * chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643)
+  * docs: Add info about helm charts release (#8640)
+  * ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)
+
+Update to version 0.61.1 (bsc#1239385, CVE-2025-22869, bsc#1240466, CVE-2025-30204):
+
+  * fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)
+  * fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)
+  * test: use `aquasecurity` repository for test images [backport: release/v0.61] (#8698)
+  * fix(misconf): Improve logging for unsupported checks (#8634)
+  * feat(k8s): add support for controllers (#8614)
+  * fix(debian): don't include empty licenses for `dpkgs` (#8623)
+  * fix(misconf): Check values wholly prior to evalution (#8604)
+  * chore(deps): Bump trivy-checks (#8619)
+  * fix(k8s): show report for `--report all` (#8613)
+  * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)
+  * refactor: rename scanner to service (#8584)
+  * fix(misconf): do not skip loading documents from subdirectories (#8526)
+  * refactor(misconf): get a block or attribute without calling HasChild (#8586)
+  * fix(misconf): identify the chart file exactly by name (#8590)
+  * test: use table-driven tests in Helm scanner tests (#8592)
+  * refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
+  * chore(deps): bump the common group across 1 directory with 10 updates (#8566)
+  * fix(misconf): do not use cty.NilVal for non-nil values (#8567)
+  * docs(cli): improve flag value display format (#8560)
+  * fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
+  * docs: remove slack (#8565)
+  * fix: use `--file-patterns` flag for all post analyzers (#7365)
+  * docs(python): Mention pip-compile (#8484)
+  * feat(misconf): adapt aws_opensearch_domain (#8550)
+  * feat(misconf): adapt AWS::EC2::VPC (#8534)
+  * docs: fix a broken link (#8546)
+  * fix(fs): check postAnalyzers for StaticPaths (#8543)
+  * refactor(misconf): remove unused methods for ec2.Instance (#8536)
+  * feat(misconf): adapt aws_default_security_group (#8538)
+  * feat(fs): optimize scanning performance by direct file access for known paths (#8525)
+  * feat(misconf): adapt AWS::DynamoDB::Table (#8529)
+  * style: Fix MD syntax in self-hosting.md (#8523)
+  * perf(misconf): retrieve check metadata from annotations once (#8478)
+  * feat(misconf): Add support for aws_ami (#8499)
+  * fix(misconf): skip Azure CreateUiDefinition (#8503)
+  * refactor(misconf): use OPA v1 (#8518)
+  * fix(misconf): add ephemeral block type to config schema (#8513)
+  * perf(misconf): parse input for Rego once (#8483)
+  * feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
+  * chore: replace deprecated tenv linter with usetesting (#8504)
+  * fix(spdx): save text licenses into `otherLicenses` without normalize (#8502)
+  * chore(deps): bump the common group across 1 directory with 13 updates (#8491)
+  * chore: use go.mod for managing Go tools (#8493)
+  * ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494)
+  * fix(sbom): improve logic for binding direct dependency to parent component (#8489)
+  * chore(deps): remove missed replace of `trivy-db` (#8492)
+  * chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490)
+  * chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
+  * docs: add abbreviation list (#8453)
+  * chore(terraform): assign *terraform.Module 'parent' field (#8444)
+  * feat: add report summary table (#8177)
+  * chore(deps): bump the github-actions group with 3 updates (#8473)
+  * refactor(vex): improve SBOM reference handling with project standards (#8457)
+  * ci: update GitHub Actions cache to v4 (#8475)
+  * feat: add `--vuln-severity-source` flag (#8269)
+  * fix(os): add mapping OS aliases (#8466)
+  * chore(deps): bump the aws group across 1 directory with 7 updates (#8468)
+  * chore(deps): Bump trivy-checks to v1.7.1 (#8467)
+  * refactor(report): write tables after rendering all results (#8357)
+  * docs: update VEX documentation index page (#8458)
+  * fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
+  * feat(misconf): render causes for Terraform (#8360)
+  * fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073)
+  * feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254)
+  * chore(deps): update go-rustaudit location (#8450)
+  * fix: update all documentation links (#8045)
+  * chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443)
+  * chore(deps): bump the common group with 6 updates (#8411)
+  * fix(k8s): add missed option `PkgRelationships` (#8442)
+  * fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346)
+  * feat(go): fix parsing main module version for go &gt;= 1.24 (#8433)
+  * refactor(misconf): make Rego scanner independent of config type (#7517)
+  * fix(image): disable AVD-DS-0007 for history scanning (#8366)
+  * fix(server): secrets inspectation for the config analyzer in client server mode (#8418)
+  * chore: remove mockery (#8417)
+  * test(server): replace mock driver with memory cache in server tests (#8416)
+  * test: replace mock with memory cache and fix non-deterministic tests (#8410)
+  * test: replace mock with memory cache in scanner tests (#8413)
+  * test: use memory cache (#8403)
+  * fix(spdx): init `pkgFilePaths` map for all formats (#8380)
+  * chore(deps): bump the common group across 1 directory with 11 updates (#8381)
+  * docs: correct Ruby documentation (#8402)
+  * chore: bump `mockery` to update v2.52.2 version and rebuild mock files (#8390)
+  * fix: don't use `scope` for `trivy registry login` command (#8393)
+  * fix(go): merge nested flags into string for ldflags for Go binaries (#8368)
+  * chore(terraform): export module path on terraform modules (#8374)
+  * fix(terraform): apply parser options to submodule parsing (#8377)
+  * docs: Fix typos in documentation (#8361)
+  * docs: fix navigate links (#8336)
+  * ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354)
+  * ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)
+  * chore: remove debug prints (#8347)
+  * fix(misconf): do not log scanners when misconfig scanning is disabled (#8345)
+  * fix(report): remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports (#8344)
+  * chore(deps): bump Go to `v1.23.5` (#8341)
+  * fix(python): add `poetry` v2 support (#8323)
+  * chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331)
+  * fix(misconf): ecs include enhanced for container insights (#8326)
+  * fix(sbom): preserve OS packages from multiple SBOMs (#8325)
+  * ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311)
+  *  (bsc#1237618, CVE-2025-27144)
+
+Update to version 0.59.1:
+
+  * fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
+  * chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
+  * fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
+  * fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
+
+Update to version 0.59.0:
+
+  * feat(image): return error early if total size of layers exceeds limit (#8294)
+  * chore(deps): Bump trivy-checks (#8310)
+  * chore(terraform): add accessors to underlying raw hcl values (#8306)
+  * fix: improve conversion of image config to Dockerfile (#8308)
+  * docs: replace short codes with Unicode emojis (#8296)
+  * feat(k8s): improve artifact selections for specific namespaces (#8248)
+  * chore: update code owners (#8303)
+  * fix(misconf): handle heredocs in dockerfile instructions (#8284)
+  * fix: de-duplicate same `dpkg` packages with different filePaths from different layers (#8298)
+  * chore(deps): bump the aws group with 7 updates (#8299)
+  * chore(deps): bump the common group with 12 updates (#8301)
+  * chore: enable int-conversion from perfsprint (#8194)
+  * feat(fs): use git commit hash as cache key for clean repositories (#8278)
+  * fix(spdx): use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX (#8077)
+  * chore: use require.ErrorContains when possible (#8291)
+  * feat(image): prevent scanning oversized container images (#8178)
+  * chore(deps): use aqua forks for `github.com/liamg/jfather` and `github.com/liamg/iamgo` (#8289)
+  * fix(fs): fix cache key generation to use UUID (#8275)
+  * fix(misconf): correctly handle all YAML tags in K8S templates (#8259)
+  * feat: add support for registry mirrors (#8244)
+  * chore(deps): bump the common group across 1 directory with 29 updates (#8261)
+  * refactor(license): improve license expression normalization (#8257)
+  * feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)
+  * feat: add a examples field to check metadata (#8068)
+  * chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)
+  * ci: add workflow to restrict direct PRs to release branches (#8240)
+  * fix(suse): SUSE - update OSType constants and references for compatility (#8236)
+  * ci: fix path to main dir for canary builds (#8231)
+  * chore(secret): add reported issues related to secrets in junit template (#8193)
+  * refactor: use trivy-checks/pkg/specs package (#8226)
+  * ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)
+  * fix(misconf): allow null values only for tf variables (#8112)
+  * feat(misconf): support for ignoring by inline comments for Helm (#8138)
+  * fix(redhat): check `usr/share/buildinfo/` dir to detect content sets (#8222)
+  * chore(alpine): add EOL date for Alpine 3.21 (#8221)
+  * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)
+  * fix(misconf): disable git terminal prompt on tf module load (#8026)
+  * chore: remove aws iam related scripts (#8179)
+  * docs: Updated JSON schema version 2 in the trivy documentation (#8188)
+  * refactor(python): use once + debug for `License acquired from METADATA...` logs (#8175)
+  * refactor: use slices package instead of custom function (#8172)
+  * chore(deps): bump the common group with 6 updates (#8162)
+  * feat(python): add support for uv dev and optional dependencies (#8134)
+  * feat(python): add support for poetry dev dependencies (#8152)
+  * fix(sbom): attach nested packages to Application (#8144)
+  * docs(vex): use debian minor version in examples (#8166)
+  * refactor: add generic Set implementation (#8149)
+  * chore(deps): bump the aws group across 1 directory with 6 updates (#8163)
+  * fix(python): skip dev group's deps for poetry (#8106)
+  * fix(sbom): use root package for `unknown` dependencies (if exists) (#8104)
+  * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` (#8140)
+  * chore(vex): suppress CVE-2024-45338 (#8137)
+  * feat(python): add support for uv (#8080)
+  * chore(deps): bump the docker group across 1 directory with 3 updates (#8127)
+  * chore(deps): bump the common group across 1 directory with 14 updates (#8126)
+  * chore: bump go to 1.23.4 (#8123)
+  * test: set dummy value for NUGET_PACKAGES (#8107)
+  * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` (#8105)
+  * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)
+  * fix: wasm module test (#8099)
+  * fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)
+  * chore(vex): suppress CVE-2024-45337 (#8101)
+  * fix(license): always trim leading and trailing spaces for licenses (#8095)
+  * fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)
+  * fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)
+  * fix: enable err-error and errorf rules from perfsprint linter (#7859)
+  * chore(deps): bump the aws group across 1 directory with 6 updates (#8074)
+  * perf: avoid heap allocation in applier findPackage (#7883)
+  * fix: Updated twitter icon (#7772)
+  * docs(k8s): add a note about multi-container pods (#7815)
+  * feat: add `--distro` flag to manually specify OS distribution for vulnerability scanning (#8070)
+  * fix(oracle): add architectures support for advisories (#4809)
+  * fix: handle `BLOW_UNKNOWN` error to download DBs (#8060)
+  * feat(misconf): generate placeholders for random provider resources (#8051)
+  * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)
+  * fix(flag): skip hidden flags for `--generate-default-config` command (#8046)
+  * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props (#8050)
+  * feat(nodejs): respect peer dependencies for dependency tree (#7989)
+  * ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)
+  * fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)
+  * chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)
+  * fix(misconf): use log instead of fmt for logging (#8033)
+  * docs: add commercial content (#8030)
+
+- Update to version 0.58.2 (
+      bsc#1234512, CVE-2024-45337,
+      bsc#1235265, CVE-2024-45338,
+      bsc#1232948, CVE-2024-51744):
+
+  * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
+  * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
+  * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
+  * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
+  * fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
+  * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
+  * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
+  * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)
+  * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
+  * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
+  * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
+  * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
+  * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
+  * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)
+  * fix(misconf): wrap AWS EnvVar to iac types (#7407)
+  * chore(deps): Upgrade trivy-checks (#8018)
+  * refactor(misconf): Remove unused options (#7896)
+  * docs: add terminology page to explain Trivy concepts (#7996)
+  * feat: add `workspaceRelationship` (#7889)
+  * refactor(sbom): simplify relationship generation (#7985)
+  * chore: remove Go checks (#7907)
+  * docs: improve databases documentation (#7732)
+  * refactor: remove support for custom Terraform checks (#7901)
+  * docs: fix dead links (#7998)
+  * docs: drop AWS account scanning (#7997)
+  * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
+  * fix(cli): Handle empty ignore files more gracefully (#7962)
+  * fix(misconf): load full Terraform module (#7925)
+  * fix(misconf): properly resolve local Terraform cache (#7983)
+  * refactor(k8s): add v prefix for Go packages (#7839)
+  * test: replace Go checks with Rego (#7867)
+  * feat(misconf): log causes of HCL file parsing errors (#7634)
+  * chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
+  * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
+  * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
+  * chore: downgrade the failed block expand message to debug (#7964)
+  * fix(misconf): do not erase variable type for child modules (#7941)
+  * feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
+  * feat(go): construct dependencies in the parser (#7973)
+  * feat: add cvss v4 score and vector in scan response (#7968)
+  * docs: add `overview` page for `others` (#7972)
+  * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
+  * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
+  * chore(deps): bump the common group with 4 updates (#7949)
+  * feat(oracle): add `flavors` support (#7858)
+  * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
+  * chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
+  * fix(k8s): check all results for vulnerabilities (#7946)
+  * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
+  * feat(secret): Add built-in secrets rules for Private Packagist (#7826)
+  * docs: Fix broken links (#7900)
+  * docs: fix mistakes/typos (#7942)
+  * feat: Update registry fallbacks (#7679)
+  * fix(alpine): add `UID` for removed packages (#7887)
+  * chore(deps): bump the aws group with 6 updates (#7902)
+  * chore(deps): bump the common group with 6 updates (#7904)
+  * fix(debian): infinite loop (#7928)
+  * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)
+  * docs: add note about temporary podman socket (#7921)
+  * docs: combine trivy.dev into trivy docs (#7884)
+  * test: change branch in spdx schema link to check in integration tests (#7935)
+  * docs: add Headlamp to the Trivy Ecosystem page (#7916)
+  * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)
+  * chore(k8s): enhance k8s scan log (#6997)
+  * fix(terraform): set null value as fallback for missing variables (#7669)
+  * fix(misconf): handle null properties in CloudFormation templates (#7813)
+  * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
+  * chore(deps): bump the common group across 1 directory with 20 updates (#7876)
+  * chore: bump containerd to v2.0.0 (#7875)
+  * fix: Improve version comparisons when build identifiers are present (#7873)
+  * feat(k8s): add default commands for unknown platform (#7863)
+  * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
+  * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
+  * test: save `containerd` image into archive and use in tests (#7816)
+  * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
+  * chore: bump golangci-lint to v1.61.0 (#7853)
+
+Update to version 0.57.1:
+
+  * feat: Update registry fallbacks [backport: release/v0.57] (#7944)
+  * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)
+  * test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
+  * release: v0.57.0 [main] (#7710)
+  * chore: lint `errors.Join` (#7845)
+  * feat(db): append errors (#7843)
+  * docs(java): add info about supported scopes (#7842)
+  * docs: add example of creating whitelist of checks (#7821)
+  * chore(deps): Bump trivy-checks (#7819)
+  * fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
+  * fix(k8s): skip resources without misconfigs (#7797)
+  * fix(sbom):  use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)
+  * fix(cli): add config name to skip-policy-update alias (#7820)
+  * fix(helm): properly handle multiple archived dependencies (#7782)
+  * refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)
+  * fix(k8s)!: support k8s multi container (#7444)
+  * fix(k8s): support kubernetes v1.31 (#7810)
+  * docs: add Windows install instructions (#7800)
+  * ci(helm): auto public Helm chart after PR merged (#7526)
+  * feat: add end of life date for Ubuntu 24.10 (#7787)
+  * feat(report): update gitlab template to populate operating_system value (#7735)
+  * feat(misconf): Show misconfig ID in output (#7762)
+  * feat(misconf): export unresolvable field of IaC types to Rego (#7765)
+  * refactor(k8s): scan config files as a folder (#7690)
+  * fix(license): fix license normalization for Universal Permissive License (#7766)
+  * fix: enable usestdlibvars linter (#7770)
+  * fix(misconf): properly expand dynamic blocks (#7612)
+  * feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)
+  * fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
+  * refactor(misconf): simplify k8s scanner (#7717)
+  * feat(parser): ignore white space in pom.xml files (#7747)
+  * test: use forked images (#7755)
+  * fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)
+  * fix(misconf): check if property is not nil before conversion (#7578)
+  * fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
+  * feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
+  * test: define constants for test images (#7739)
+  * docs: add note about disabled DS016 check (#7724)
+  * feat(misconf): public network support for Azure Storage Account (#7601)
+  * feat(cli): rename `trivy auth` to `trivy registry` (#7727)
+  * docs: apt-transport-https is a transitional package (#7678)
+  * refactor(misconf): introduce generic scanner (#7515)
+  * fix(cli): `clean --all` deletes only relevant dirs (#7704)
+  * feat(cli): add `trivy auth` (#7664)
+  * fix(sbom): add options for DBs in private registries (#7660)
+  * docs(report): fix reporting doc format (#7671)
+  * fix(repo): `git clone` output to Stderr (#7561)
+  * fix(redhat): include arch in PURL qualifiers (#7654)
+  * fix(report): Fix invalid URI in SARIF report (#7645)
+  * docs(report): Improve SARIF reporting doc (#7655)
+  * fix(db): fix javadb downloading error handling (#7642)
+  * feat(cli): error out when ignore file cannot be found (#7624)
+
+Update to version 0.56.2:
+
+  * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
+  * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)
+
+- Update to version 0.51.1 (bsc#1227010, CVE-2024-3817):
+</description>
+  <package>trivy</package>
+</patchinfo>

patchinfo.20251126142654688873.93181000773252/_patchinfo

@@ -0,0 +1,18 @@
+<patchinfo incident="packagehub-32">
+  <issue tracker="bnc" id="1253957">VUL-0: CVE-2025-13470,CVE-2025-13402: rnp: rnp PKESK session keys generated as all‑zero</issue>
+  <issue tracker="cve" id="2025-13470">cve#2025-13470 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-13470</issue>
+  <issue tracker="cve" id="2025-13402">cve#2025-13402 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-13402</issue>
+  <packager>AndreasStieger</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for rnp</summary>
+  <description>This update for rnp fixes the following issues:
+
+- update to 0.18.1:
+  * CVE-2025-13470: PKESK (public-key encrypted) session keys were
+    generated as all-zero, allowing trivial decryption of messages
+    encrypted with public keys only (boo#1253957, CVE-2025-13402)
+</description>
+  <package>rnp</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251127113212085239.93181000773252/_patchinfo

@@ -0,0 +1,13 @@
+<patchinfo incident="packagehub-40">
+  <issue tracker="cve" id="2025-61659"/>
+  <issue tracker="bnc" id="1247489">VUL-0: CVE-2025-61659: bash-git-prompt: uses predictable file in /tmp for a copy of the git index</issue>
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for bash-git-prompt</summary>
+  <description>This update for bash-git-prompt fixes the following issues:
+
+- CVE-2025-61659: Fixed an issue where predictable files in /tmp were used for a copy of the git index (bsc#1247489)
+</description>
+  <package>bash-git-prompt</package>
+</patchinfo>

patchinfo.20251127122850445245.93181000773252/_patchinfo

@@ -0,0 +1,65 @@
+<patchinfo incident="packagehub-38">
+  <issue tracker="bnc" id="1243954">VUL-0: CVE-2025-29785: shadowsocks-v2ray-plugin: github.com/quic-go/quic-go/internal/ackhandler: loss recovery logic for path probe packets can be used by a malicious QUIC client to trigger a null pointer dereference</issue>
+  <issue tracker="cve" id="2025-47911">cve#2025-47911 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47911</issue>
+  <issue tracker="bnc" id="1243946">VUL-0: CVE-2025-29785: v2ray-core: github.com/quic-go/quic-go/internal/ackhandler: loss recovery logic for path probe packets can be used by a malicious QUIC client to trigger a null pointer dereference</issue>
+  <issue tracker="cve" id="2025-297850">cve#2025-297850 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-297850</issue>
+  <issue tracker="bnc" id="1251404">VUL-0: CVE-2025-47911: v2ray-core: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1235164">VUL-0: CVE-2023-49295: v2ray-core: github.com/quic-go/quic-go: memory exhaustion attack against QUIC's path validation mechanism</issue>
+  <packager>hillwood</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for shadowsocks-v2ray-plugin, v2ray-core</summary>
+  <description>This update for shadowsocks-v2ray-plugin, v2ray-core fixes the following issues:
+
+Changes in shadowsocks-v2ray-plugin:
+
+- Update version to 5.25.0
+  * Update v2ray-core to v5.25.0
+- Add update-vendor.patch, update v2ray-core to v5.33.0 (boo#1243954 and CVE-2025-297850)
+
+Changes in v2ray-core:
+
+- Fix CVE-2025-47911 and boo#1251404
+  * Add fix-CVE-2025-47911.patch
+  * Update golang.org/x/net to 0.45.0 in vendor
+
+- Update version to 5.38.0
+  * TLSMirror Connection Enrollment System
+  * Add TLSMirror Sequence Watermarking
+  * LSMirror developer preview protocol is now a part of mainline V2Ray
+  * proxy dns with NOTIMP error
+  * Add TLSMirror looks like TLS censorship resistant transport protocol
+    as a developer preview transport
+  * proxy dns with NOTIMP error
+  * fix false success from SOCKS server when Dispatch() fails
+  * HTTP inbound: Directly forward plain HTTP 1xx response header
+  * add a option to override domain used to query https record
+  * Fix bugs
+  * Update vendor
+
+- Update version to 5.33.0
+  * bump github.com/quic-go/quic-go from 0.51.0 to 0.52.0(boo#1243946 and CVE-2025-297850)
+  * Update other vendor source
+
+- Update version to 5.31.0
+  * Add Dns Proxy Response TTL Control
+  * Fix call newError Base with a nil value error
+  * Update vendor (boo#1235164)
+
+- Update version to 5.29.3
+  * Enable restricted mode load for http protocol client
+  * Correctly implement QUIC sniffer when handling multiple initial packets
+  * Fix unreleased cache buffer in QUIC sniffing
+  * A temporary testing fix for the buffer corruption issue
+  * QUIC Sniffer Restructure
+
+- Update version to 5.22.0
+  * Add packetEncoding for Hysteria
+  * Add ECH Client Support
+  * Add support for parsing some shadowsocks links
+  * Add Mekya Transport
+  * Fix bugs
+</description>
+  <package>shadowsocks-v2ray-plugin</package>
+  <package>v2ray-core</package>
+</patchinfo>

patchinfo.20251127153254678434.93181000773252/_patchinfo

@@ -0,0 +1,90 @@
+<patchinfo incident="packagehub-39">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1763743683.1da97aa2:
+  * Optimize Job Group dropdown database query
+  * Split dependency handling out of create_from_settings
+  * Give jobs with high MAX_JOB_TIME a priority malus
+  * Make the number of builds per group on the front page configurable
+  * docs: Feature auto-generated deepwiki less prominently
+  * apparmor: Additional perms for tests in osado to run
+
+- Update to version 5.1763153079.b36ac754:
+  * Skip a build if there are no jobs
+  * Remove unused variable
+
+- Update to version 5.1762879267.52145e9a:
+  * Avoid installing unwanted package versions
+  * Fix check in git_clone for dirty git dir
+  * Prevent `t/24-worker-webui-connection.t` from running into timeout
+  * Be explicit about certain aspects of archiving in the documentation
+  * Fix sporadic failures in `t/ui/10-tests_overview.t`
+  * Adapt os-autoinst-scripts reference after rename
+  * Properly conclude scheduling if there are no jobs
+
+- Update to version 5.1762193001.2f6e71ca:
+  * Potentially improve stability of `t/ui/16-tests_job_next_previous.t`
+  * Avoid failing check in `t/16-utils-runcmd.t`
+  * README: Add deepwiki badge
+  * Dependency cron 2025-10-27
+  * Retry image optimizations
+
+Changes in os-autoinst:
+
+- Update to version 5.1763561851.03e049d:
+  * Avoid `Can't exec "ffmpeg"` if ffmpeg isn't present
+  * Fix syntax errors in nft due to multiple interfaces in $ethernet
+  * README: Feature auto-generated deepwiki less prominently
+  * Install NetworkManager-ovs in os-autoinst-setup-multi-machine
+  * Add disconnect_usb (qemu only, for now)
+
+- Update to version 5.1763048144.30f43a0:
+  * Configure ftables in os-autoinst-setup-multi-machine
+  * Makefile: Fix reruns on incomplete build dir generations
+  * Propagate C++ exceptions to Perl in image write function
+  * Add support NICPCIADDR variable to QEMU backend
+  * Remove test which causes unhandled output
+  * Improve includes in tinycv library
+  * Handle OpenCV exceptions when writing an image
+  * Avoid ignoring errors silently when writing images
+  * Avoid saving test results referring to non-existent screenshots
+
+- Update to version 5.1762250353.5150272:
+  * Makefile: Fix reruns on incomplete build dir generations
+  * Propagate C++ exceptions to Perl in image write function
+  * Add support NICPCIADDR variable to QEMU backend
+  * Remove test which causes unhandled output
+  * Allow array keys like `ISSUES[]` as introduced in openQA commit a53b19b
+  * Improve includes in tinycv library
+
+- Update to version 5.1761723693.2b88807:
+  * Propagate C++ exceptions to Perl in image write function
+  * Add support NICPCIADDR variable to QEMU backend
+  * Remove test which causes unhandled output
+  * Allow array keys like `ISSUES[]` as introduced in openQA commit a53b19b
+  * Improve includes in tinycv library
+  * Handle OpenCV exceptions when writing an image
+  * Avoid ignoring errors silently when writing images
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1763743683.1da97aa28:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20251201094854511762.93181000773252/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-41">
+  <issue tracker="bnc" id="1253608">VUL-0: CVE-2025-47913: act: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="cve" id="2025-47913">cve#2025-47913 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47913</issue>
+  <packager>elimat</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for act</summary>
+  <description>This update for act fixes the following issues:
+
+- CVE-2025-47913: Prevent panic in embedded golang.org/x/crypto/ssh/agent client when
+  receiving unexpected message types for key listing or signing requests (boo#1253608)
+</description>
+  <package>act</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251201094954024941.93181000773252/_patchinfo

@@ -0,0 +1,209 @@
+<patchinfo incident="packagehub-54">
+  <issue tracker="bnc" id="1251651">VUL-0: CVE-2025-58190: hauler: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="cve" id="2025-22872">cve#2025-22872 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-22872</issue>
+  <issue tracker="cve" id="2025-58058">cve#2025-58058 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58058</issue>
+  <issue tracker="cve" id="2024-45338">cve#2024-45338 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-45338</issue>
+  <issue tracker="bnc" id="1241184">VUL-0: CVE-2024-0406: hauler: mholt/archiver: access to restricted files or directories when unpacking specially crafted tar file</issue>
+  <issue tracker="bnc" id="1235332">VUL-0: CVE-2024-45338: hauler: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content</issue>
+  <issue tracker="cve" id="2025-11579">cve#2025-11579 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-11579</issue>
+  <issue tracker="cve" id="2024-0406">cve#2024-0406 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-0406</issue>
+  <issue tracker="cve" id="2025-47911">cve#2025-47911 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47911</issue>
+  <issue tracker="cve" id="2025-46569">cve#2025-46569 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46569</issue>
+  <issue tracker="bnc" id="1246722">VUL-0: CVE-2025-46569: hauler: github.com/open-policy-agent/opa: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API</issue>
+  <issue tracker="bnc" id="1248937">VUL-0: CVE-2025-58058: hauler: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <issue tracker="bnc" id="1241804">VUL-0: CVE-2025-22872: hauler: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
+  <issue tracker="bnc" id="1251516">VUL-0: CVE-2025-47911: hauler: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="cve" id="2025-58190">cve#2025-58190 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58190</issue>
+  <issue tracker="bnc" id="1251891">VUL-0: CVE-2025-11579: hauler: github.com/nwaples/rardecode: failure to restrict the dictionary size when processing RAR files allows for excessive memory consumpti</issue>
+  <packager>dirkmueller</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for hauler</summary>
+  <description>This update for hauler fixes the following issues:
+
+- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,
+  bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,
+  bsc#1248937, CVE-2025-58058):
+  * bump github.com/containerd/containerd (#474)
+  * another fix to tests for new tests (#472)
+  * fixed typo in testdata (#471)
+  * fixed/cleaned new tests (#470)
+  * trying a new way for hauler testing (#467)
+  * update for cosign v3 verify (#469)
+  * added digests view to info (#465)
+  * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
+  * update oras-go to v1.2.7 for security patches (#464)
+  * update cosign to v3.0.2+hauler.1 (#463)
+  * fixed homebrew directory deprecation (#462)
+  * add registry logout command (#460)
+
+- Update to version 1.3.0:
+  * bump the go_modules group across 1 directory with 2 updates (#455)
+  * upgraded versions/dependencies/deprecations (#454)
+  * allow loading of docker tarballs (#452)
+  * bump the go_modules group across 1 directory with 2 updates (#449)
+
+- update to 1.2.5 (bsc#1246722, CVE-2025-46569):
+  * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in
+    the go_modules group across 1 directory (CVE-2025-46569)
+  * deprecate auth from hauler store copy
+  * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the
+    go_modules group across 1 directory
+  * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
+    in the go_modules group across 1 directory
+  * upgraded go and dependencies versions
+
+- Update to version 1.2.5:
+  * upgraded go and dependencies versions (#444)
+  * Bump github.com/go-viper/mapstructure/v2 (#442)
+  * bump github.com/cloudflare/circl (#441)
+  * deprecate auth from hauler store copy (#440)
+  * Bump github.com/open-policy-agent/opa (#438)
+
+- update to 1.2.4 (CVE-2025-22872, bsc#1241804):
+  * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
+    group across 1 directory
+  * minor tests updates
+
+- Update to version 1.2.3:
+  * formatting and flag text updates
+  * add keyless signature verification (#434)
+  * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
+  * add --only flag to hauler store copy (for images) (#429)
+  * fix tlog verification error/warning output (#428)
+
+- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
+  * cleanup new tlog flag typos and add shorthand (#426)
+  * default public transparency log verification to false to be airgap friendly but allow override (#425)
+  * bump github.com/golang-jwt/jwt/v4 (#423)
+  * bump the go_modules group across 1 directory with 2 updates (#422)
+  * bump github.com/go-jose/go-jose/v3 (#417)
+  * bump github.com/go-jose/go-jose/v4 (#415)
+  * clear default manifest name if product flag used with sync (#412)
+  * updates for v1.2.0 (#408)
+  * fixed remote code (#407)
+  * added remote file fetch to load (#406)
+  * added remote and multiple file fetch to sync (#405)
+  * updated save flag and related logs (#404)
+  * updated load flag and related logs [breaking change] (#403)
+  * updated sync flag and related logs [breaking change] (#402)
+  * upgraded api update to v1/updated dependencies (#400)
+  * fixed consts for oci declarations (#398)
+  * fix for correctly grabbing platform post cosign 2.4 updates (#393)
+  * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
+  * Bump the go_modules group across 1 directory with 2 updates (#385)
+  * replace mholt/archiver with mholt/archives (#384)
+  * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
+  * cleaned up registry and improved logging (#378)
+  * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
+- bump net/html dependencies (bsc#1235332, CVE-2024-45338)
+
+- Update to version 1.1.1:
+  * fixed cli desc for store env var (#374)
+  * updated versions for go/k8s/helm (#373)
+  * updated version flag to internal/flags (#369)
+  * renamed incorrectly named consts (#371)
+  * added store env var (#370)
+  * adding ignore errors and retries for continue on error/fail on error (#368)
+  * updated/fixed hauler directory (#354)
+  * standardize consts (#353)
+  * removed cachedir code (#355)
+  * removed k3s code (#352)
+  * updated dependencies for go, helm, and k8s (#351)
+  * [feature] build with boring crypto where available (#344)
+  * updated workflow to goreleaser builds (#341)
+  * added timeout to goreleaser workflow (#340)
+  * trying new workflow build processes (#337)
+  * improved workflow performance (#336)
+  * have extract use proper ref (#335)
+  * yet another workflow goreleaser fix (#334)
+  * even more workflow fixes (#333)
+  * added more fixes to github workflow (#332)
+  * fixed typo in hauler store save (#331)
+  * updates to fix build processes (#330)
+  * added integration tests for non hauler tarballs (#325)
+  * bump: golang &gt;= 1.23.1 (#328)
+  * add platform flag to store save (#329)
+  * Update feature_request.md
+  * updated/standardize command descriptions (#313)
+  * use new annotation for 'store save' manifest.json (#324)
+  * enable docker load for hauler tarballs (#320)
+  * bump to cosign v2.2.3-carbide.3 for new annotation (#322)
+  * continue on error when adding images to store (#317)
+  * Update README.md (#318)
+  * fixed completion commands (#312)
+  * github.com/rancherfederal/hauler =&gt; hauler.dev/go/hauler (#311)
+  * pages: enable go install hauler.dev/go/hauler (#310)
+  * Create CNAME
+  * pages: initial workflow (#309)
+  * testing and linting updates (#305)
+  * feat-273: TLS Flags (#303)
+  * added list-repos flag (#298)
+  * fixed hauler login typo (#299)
+  * updated cobra function for shell completion (#304)
+  * updated install.sh to remove github api (#293)
+  * fix image ref keys getting squashed when containing sigs/atts (#291)
+  * fix missing versin info in release build (#283)
+  * bump github.com/docker/docker in the go_modules group across 1 directory (#281)
+  * updated install script (`install.sh`) (#280)
+  * fix digest images being lost on load of hauls (Signed). (#259)
+  * feat: add readonly flag (#277)
+  * fixed makefile for goreleaser v2 changes (#278)
+  * updated goreleaser versioning defaults (#279)
+  * update feature_request.md (#274)
+  * updated old references
+  * updated actions workflow user
+  * added dockerhub to github actions workflow
+  * removed helm chart
+  * added debug container and workflow
+  * updated products flag description
+  * updated chart for release
+  * fixed workflow errors/warnings
+  * fixed permissions on testdata
+  * updated chart versions (will need to update again)
+  * last bit of fixes to workflow
+  * updated unit test workflow
+  * updated goreleaser deprecations
+  * added helm chart release job
+  * updated github template names
+  * updated imports (and go fmt)
+  * formatted gitignore to match dockerignore
+  * formatted all code (go fmt)
+  * updated chart tests for new features
+  * Adding the timeout flag for fileserver command
+  * Configure chart commands to use helm clients for OCI and private registry support
+  * Added some documentation text to sync command
+  * Bump golang.org/x/net from 0.17.0 to 0.23.0
+  * fix for dup digest smashing in cosign
+  * removed vagrant scripts
+  * last bit of updates and formatting of chart
+  * updated hauler testdata
+  * adding functionality and cleaning up
+  * added initial helm chart
+  * removed tag in release workflow
+  * updated/fixed image ref in release workflow
+  * updated/fixed platforms in release workflow
+  * updated/cleaned github actions (#222)
+  * Make Product Registry configurable (#194)
+  * updated fileserver directory name (#219)
+  * fix logging for files
+  * add extra info for the tempdir override flag
+  * tempdir override flag for load
+  * deprecate the cache flag instead of remove
+  * switch to using bci-golang as builder image
+  * fix: ensure /tmp for hauler store load
+  * added the copy back for now
+  * remove copy at the image sync not needed with cosign update
+  * removed misleading cache flag
+  * better logging when adding to store
+  * update to v2.2.3 of our cosign fork
+  * add: dockerignore
+  * add: Dockerfile
+  * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
+  * Bump github.com/docker/docker
+  * updated and added new logos
+  * updated github files
+</description>
+  <package>hauler</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251201095419906173.93181000773252/_patchinfo

@@ -0,0 +1,56 @@
+<patchinfo incident="packagehub-42">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1764349525.ffb59486:
+  * Also use TIMEOUT_SCALE for priority malus calculation
+  * docs: Fix wrapping and typo
+  * Document multi machine ovs flow setup and IPv6 usage
+  * Avoid computing time constraint for scheduled product cleanup in Perl
+  * rpm: Move `…-enqueue-needle-ref-cleanup` to other `…-enqueue-…` scripts
+  * Add task to limit scheduled products similar to audit events
+  * Extract generic parts from audit event cleanup task into generic task
+  * parser: ktap: Show full output by default if no line was parsed
+  * Ignore npm scripts also via `.npmrc` to make bare npm calls more secure
+  * Avoid repeating `MAIN_SETTINGS` in various places
+  * Fix possibly excessive memory use when computer test result overview
+  * Fix typo in `_prepare_complex_query_search_args`
+  * Fix indentation in `overview.html.ep`
+  * Prevent logging AMQP credentials in debug output
+  * Make restart_openqa_job emit proper event payload
+  * Enable gru tasks to emit AMQP messages
+  * Remove explicit loading AMQP plugin in Gru plugin
+  * Emit restart events when job restarted automatically
+  * Add debug message about priority malus
+  * Fix ordering of job groups after 2ad929ceca43d
+
+Changes in os-autoinst:
+
+- Update to version 5.1764330105.c5cfd48:
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+  * Fix regression from abcaa66b by disabling virtio-keyboard by default
+  * Add IPv6 support for multi machine tests
+  * distribution: Add "disable_key_repeat"
+  * Use 'virtio-keyboard' by default to allow fixing key repetition errors
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1764349525.ffb594867:
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090122170457.187004354831441/_patchinfo

@@ -0,0 +1,43 @@
+<patchinfo incident="packagehub-43">
+  <issue tracker="bnc" id="1254429">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13632">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13636">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13720">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13721">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13637">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13639">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13640">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13635">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13633">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13638">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13630">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13634">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13631">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+Chromium 143.0.7499.40 (boo#1254429):
+
+  * CVE-2025-13630: Type Confusion in V8
+  * CVE-2025-13631: Inappropriate implementation in Google Updater
+  * CVE-2025-13632: Inappropriate implementation in DevTools
+  * CVE-2025-13633: Use after free in Digital Credentials
+  * CVE-2025-13634: Inappropriate implementation in Downloads
+  * CVE-2025-13720: Bad cast in Loader
+  * CVE-2025-13721: Race in v8
+  * CVE-2025-13635: Inappropriate implementation in Downloads
+  * CVE-2025-13636: Inappropriate implementation in Split View
+  * CVE-2025-13637: Inappropriate implementation in Downloads
+  * CVE-2025-13638: Use after free in Media Stream
+  * CVE-2025-13639: Inappropriate implementation in WebRTC
+  * CVE-2025-13640: Inappropriate implementation in Passwords
+
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090149653113.187004354831441/_patchinfo

@@ -0,0 +1,43 @@
+<patchinfo incident="packagehub-44">
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for virtme</summary>
+  <description>This update for virtme fixes the following issues:
+
+Changes in virtme:
+
+Update to 1.39:
+
+  * The most noticeable change in this release is the new Model Context
+    Protocol (MCP) server. This feature lets you connect with AI
+    assistants such as Claude, Cursor, etc., and use natural human
+    language to automate kernel development tasks.
+    In this way, AI agents can automatically configure kernels, apply
+    patches from lore.kernel.org, and run commands within recompiled
+    kernels. You can even have the AI agent perform bug bisection for
+    you and run specific commands/scripts inside each recompiled
+    version to determine whether the kernel is good or bad.
+  * An additional feature is vCPU pinning (using the --pin CPU_LIST option),
+    which enables binding virtual CPUs to particular physical host CPUs.
+    This ensures more consistent performance testing within the vng guest
+    environment.
+  * The release also adds support for memoryless NUMA nodes,
+    enablingusers to specify size=0 with the --numa argument to create
+    NUMA nodes without memory. This capability can be useful for simulating
+    heterogeneous architectures, where devices like GPUs are represented
+    as memoryless NUMA nodes to model their CPU locality relationships.
+  * Last, but not least, there's a new --shell BINARY option which lets
+    users choose a different shell to use within the vng session, rather
+    than using their system's default shell and a new --empty-password
+    option that creates empty passwords in the vng guest, instead of
+    blocking login for other users, enabling easier debugging and SSH
+    access during testing.
+  * Updated Python versions in CI (dropped EOL 3.8 and 3.9)
+  * Various bug fixes in virtme-init
+  * Enhanced documentation and README updates
+  * Improved error handling and validation
+</description>
+  <package>virtme</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090209179395.187004354831441/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-45">
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for gitea-tea</summary>
+  <description>This update for gitea-tea fixes the following issues:
+
+Changes in gitea-tea:
+
+- Do not make config file group-readable.
+</description>
+  <package>gitea-tea</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090227587250.187004354831441/_patchinfo

@@ -0,0 +1,106 @@
+<patchinfo incident="packagehub-46">
+  <issue tracker="bnc" id="1253506">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="cve" id="2025-47913">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="bnc" id="1251463">VUL-0: CVE-2025-47911: git-bug: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1254084">VUL-0: CVE-2025-47914: git-bug: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <issue tracker="bnc" id="1234565">VUL-0: CVE-2024-45337: git-bug: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
+  <issue tracker="cve" id="2025-47914">VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1251664">VUL-0: CVE-2025-58190: git-bug: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1239494">VUL-0: CVE-2025-22869: git-bug: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <issue tracker="cve" id="2024-45337">VUL-0: CVE-2024-45337: TRACKERBUG: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
+  <issue tracker="cve" id="2025-47911">VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="cve" id="2025-58181">VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="bnc" id="1253930">VUL-0: CVE-2025-58181: git-bug: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <packager>mcepl</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for git-bug</summary>
+  <description>This update for git-bug fixes the following issues:
+
+Changes in git-bug:
+
+- Revendor to include fixed version of depending libraries:
+  - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
+    golang.org/x/crypto to v0.43.0
+  - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
+    github.com/go-viper/mapstructure/v2 to v2.4.0
+  - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
+  - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
+    github.com/cloudflare/circl to v1.6.1
+  - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
+    golang.org/x/crypto/ssh to v0.45.0
+  - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
+    golang.org/x/crypto/ssh/agent to v0.45.0
+
+- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
+  possible DoS by various algorithms with quadratic complexity
+  when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
+  bsc#1251664, CVE-2025-58190).
+
+Update to version 0.10.1:
+
+  - cli: ignore missing sections when removing configuration (ddb22a2f)
+
+Update to version 0.10.0:
+
+  - bridge: correct command used to create a new bridge (9942337b)
+  - web: simplify header navigation (7e95b169)
+  - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
+  - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)
+
+Update to version 0.10.0:
+
+  - bridge: correct command used to create a new bridge (9942337b)
+  - web: simplify header navigation (7e95b169)
+  - web: remark upgrade + gfm + syntax highlighting (6ee47b96)
+
+Update to version 0.9.0:
+
+  - completion: remove errata from string literal (aa102c91)
+  - tui: improve readability of the help bar (23be684a)
+
+Update to version 0.8.1+git.1746484874.96c7a111:
+
+  * docs: update install, contrib, and usage documentation (#1222)
+  * fix: resolve the remote URI using url.*.insteadOf (#1394)
+  * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
+  * chore: gofmt simplify gitlab/export_test.go (#1392)
+  * fix: checkout repo before setting up go environment (#1390)
+  * feat: bump to go v1.24.2 (#1389)
+  * chore: update golang.org/x/net (#1379)
+  * fix: use -0700 when formatting time (#1388)
+  * fix: use correct url for gitlab PATs (#1384)
+  * refactor: remove depdendency on pnpm for auto-label action (#1383)
+  * feat: add action: auto-label (#1380)
+  * feat: remove lifecycle/frozen (#1377)
+  * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
+  * feat: support new exclusion label: lifecycle/pinned (#1375)
+  * fix: refactor how gitlab title changes are detected (#1370)
+  * revert: "Create Dependabot config file" (#1374)
+  * refactor: rename //:git-bug.go to //:main.go (#1373)
+  * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
+  * fix: set GitLastTag to an empty string when git-describe errors (#1355)
+  * chore: update go-git to v5@masterupdate_mods (#1284)
+  * refactor: Directly swap two variables to optimize code (#1272)
+  * Update README.md Matrix link to new room (#1275)
+
+- Update to version 0.8.0+git.1742269202.0ab94c9:
+  * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
+
+- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
+  CVE-2025-22869).
+
+- Add missing Requires to completion subpackages.
+
+Update to version 0.8.0+git.1733745604.d499b6e:
+
+  * fix typos in docs (#1266)
+  * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
+
+- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).
+</description>
+  <package>git-bug</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090353000871.187004354831441/_patchinfo

@@ -0,0 +1,23 @@
+<patchinfo incident="packagehub-47">
+  <packager>regularhunter</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for weechat</summary>
+  <description>This update for weechat fixes the following issues:
+
+Changes in weechat:
+
+Update to 4.7.2:
+
+  Fixed:
+
+  * api: fix file descriptor leak in hook_url when a timeout occurs
+    or if the hook is removed during the transfer (#2284)
+  * irc: fix colors in messages 367 (ban mask), 728 (quiet mask) and
+    MODE (#2286)
+  * irc: fix reset of color when multiple modes are set with
+    command /mode
+</description>
+  <package>weechat</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090415508822.187004354831441/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-48">
+  <packager>rrahl0</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for gnome-browser-connector</summary>
+  <description>This update for gnome-browser-connector fixes the following issues:
+
+Changes in gnome-browser-connector:
+
+- add unzip as a requires, otherwise the extensions can't get
+  extracted
+</description>
+  <package>gnome-browser-connector</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251205103932570835.187004354831441/_patchinfo

@@ -0,0 +1,127 @@
+<patchinfo incident="packagehub-51">
+  <packager>dirkmueller</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for trivy</summary>
+  <description>This update for trivy fixes the following issues:
+
+Changes in trivy:
+
+Update to version 0.68.1:
+
+  * fix: update cosing settings for GoReleaser after bumping cosing to v3 (#9863)
+  * chore(deps): bump the testcontainers group with 2 updates (#9506)
+  * feat(aws): Add support for dualstack ECR endpoints (#9862)
+  * fix(vex): use a separate `visited` set for each DFS path (#9760)
+  * docs: catch some missed docs -&gt; guide (#9850)
+  * refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
+  * chore(cli): Remove Trivy Cloud (#9847)
+  * fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
+  * fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
+  * chore(deps): bump the docker group with 3 updates (#9776)
+  * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
+  * chore(deps): bump the common group across 1 directory with 20 updates (#9840)
+  * feat(image): add Sigstore bundle SBOM support (#9516)
+  * chore(deps): bump the aws group with 7 updates (#9691)
+  * test(k8s): update k8s integrtion test (#9725)
+  * chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
+  * feat(sbom): add support for SPDX attestations (#9829)
+  * docs(misconf): Remove duplicate sections (#9819)
+  * feat(misconf): Update Azure network schema for new checks (#9791)
+  * feat(misconf): Update AppService schema (#9792)
+  * fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
+  * feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
+  * docs: restructure docs for new hosting (#9799)
+  * docs(server): fix info about scanning licenses on the client side. (#9805)
+  * ci: remove unused preinstalled software/images for build tests to free up disk space. (#9814)
+  * feat(report): add fingerprint generation for vulnerabilities (#9794)
+  * chore: trigger the trivy-www workflow (#9737)
+  * fix: update all documentation links (#9777)
+  * feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
+  * test(go): set `GOPATH` for tests (#9785)
+  * feat(flag): add `--cacert` flag (#9781)
+  * fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
+  * test(go): refactor mod_test.go to use txtar format (#9775)
+  * docs: Fix typos and linguistic errors in documentation / hacktoberfest (#9586)
+  * chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
+  * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
+  * fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
+  * docs: add info that `SSL_CERT_FILE` works on `Unix systems other than macOS` only (#9772)
+  * docs: change SecObserve URLs in documentatio (#9771)
+  * feat(db): enable concurrent access to vulnerability database (#9750)
+  * feat(misconf): add agentpools to azure container schema (#9714)
+  * feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
+  * feat(misconf): Update Azure Compute schema (#9675)
+  * feat(misconf): Update azure storage schema (#9728)
+  * feat(misconf): Update SecurityCenter schema (#9674)
+  * feat(image): pass global context to docker/podman image save func (#9733)
+  * chore(deps): bump the github-actions group with 4 updates (#9739)
+  * fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
+  * feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
+  * feat(dotnet): add dependency graph support for .deps.json files (#9726)
+  * feat(misconf): Add support for configurable Rego error limit (#9657)
+  * feat(misconf): Add RoleAssignments attribute (#9396)
+  * feat(report): add image reference to report metadata (#9729)
+  * fix(os): Add photon 5.0 in supported OS (#9724)
+  * fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
+  * refactor: add case-insensitive string set implementation (#9720)
+  * feat: include registry and repository in artifact ID calculation (#9689)
+  * feat(java): add support remote repositories from settings.xml files (#9708)
+  * fix(sbom): don’t panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
+  * docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
+  * docs: add info about `java-db` subdir (#9706)
+  * fix(report): correct field order in SARIF license results (#9712)
+  * test: improve golden file management in integration tests (#9699)
+  * ci: get base_sha using base.ref (#9704)
+  * refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
+  * fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
+  * fix: close all opened resources if an error occurs (#9665)
+  * refactor(misconf): type-safe parser results in generic scanner (#9685)
+  * feat(image): add RepoTags support for Docker archives (#9690)
+  * chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
+  * feat(misconf): Update Azure Container Schema (#9673)
+  * ci: use merge commit for apidiff to avoid false positives (#9622)
+  * feat(misconf): include map key in manifest snippet for diagnostics (#9681)
+  * refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
+  * test: update golden files for TestRepository* integration tests (#9684)
+  * refactor(cli): Update the cloud config command (#9676)
+  * fix(sbom): add `buildInfo` info as properties (#9683)
+  * feat: add ReportID field to scan reports (#9670)
+  * docs: add vulnerability database contribution guide (#9667)
+  * feat(cli): Add trivy cloud suppport (#9637)
+  * feat: add ArtifactID field to uniquely identify scan targets (#9663)
+  * fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
+  * feat(sbom): use SPDX license IDs list to validate SPDX IDs  (#9569)
+  * fix: use context for analyzers (#9538)
+  * chore(deps): bump the docker group with 3 updates (#9545)
+  * chore(deps): bump the aws group with 6 updates (#9547)
+  * ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1 (#9641)
+  * test(helm): bump up Yamale dependency for Helm chart-testing-action (#9653)
+  * fix: Trim the end-of-range suffix (#9618)
+  * test(k8s): use a specific bundle for k8s misconfig scan (#9633)
+  * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
+  * refactor: move the aws config (#9617)
+  * fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
+  * fix: using SrcVersion instead of Version for echo detector (#9552)
+  * feat(fs): change artifact type to repository when git info is detected (#9613)
+  * fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
+  * fix(vex): don't use reused BOM (#9604)
+  * ci: use pull_request_target for apidiff workflow to support fork PRs (#9605)
+  * fix: restore compatibility for google.protobuf.Value (#9559)
+  * ci: add API diff workflow (#9600)
+  * chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
+  * docs: improve documentation for scanning raw IaC configurations (#9571)
+  * feat: allow ignoring findings by type in Rego (#9578)
+  * docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
+  * refactor(misconf): add ID to scan.Rule (#9573)
+  * fix(java): update order for resolving package fields from multiple demManagement (#9575)
+  * chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
+  * chore(deps): bump the common group across 1 directory with 7 updates (#9590)
+  * chore(deps): Switch to go-viper/mapstructure (#9579)
+  * chore: add context to the cache interface (#9565)
+  * ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0 (#9554)
+  * fix: validate backport branch name (#9548)
+</description>
+  <package>trivy</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251208125318499450.93181000773252/_patchinfo

@@ -0,0 +1,18 @@
+<patchinfo incident="packagehub-50">
+  <issue tracker="bnc" id="1254437">VUL-0: CVE-2025-64460,CVE-2025-13372: python-Django: Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion</issue>
+  <issue tracker="bnc" id="1252926">VUL-0: CVE-2025-64459: python-Django,python-Django4: Potential SQL injection via `_connector` keyword argument in `QuerySet` and `Q` objects</issue>
+  <issue tracker="cve" id="2025-13372">cve#2025-13372 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-13372</issue>
+  <issue tracker="cve" id="2025-64460">cve#2025-64460 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-64460</issue>
+  <issue tracker="cve" id="2025-64459">cve#2025-64459 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-64459</issue>
+  <packager>mcalabkova</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for python-Django</summary>
+  <description>This update for python-Django fixes the following issues:
+
+- CVE-2025-64459: Fixed a potential SQL injection via `_connector` keyword argument in `QuerySet` and `Q` objects (bsc#1252926)
+- CVE-2025-13372,CVE-2025-64460: Fixed Denial of Service in 'django.core.serializers.xml_serializer.getInnerText()' (bsc#1254437)
+</description>
+  <package>python-Django</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251208143300643166.187004354831441/_patchinfo

@@ -0,0 +1,63 @@
+<patchinfo incident="packagehub-61">
+  <packager>bigironman</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for icinga-php-thirdparty, icinga-php-library, icingaweb2</summary>
+  <description>This update for icinga-php-thirdparty, icinga-php-library, icingaweb2 fixes the following issues:
+
+Changes in icinga-php-thirdparty:
+
+- Update to 0.13.1
+
+  - No changelog from upstream.
+
+- Update to 0.12.1
+
+  - No changelog from upstream.
+
+Changes in icinga-php-library:
+
+- Update to 1.17.0
+
+  - No changelog from upstream.
+
+Changes in icingaweb2:
+
+- Update to 2.12.6
+
+  - Search box shows many magnifying glasses for some community themes #5395
+  - Authentication hooks are not called with external backends #5415
+  - Improve Minimal layout #5386
+
+- Update to 2.12.5
+
+  * PHP 8.4 Support
+    We're again a little behind schedule, but now we support PHP 8.4!
+    This means that installations on Ubuntu 25.04 and Fedora 42+ can
+    now install Icinga Web without worrying about PHP related
+    incompatibilities. Icinga packages will be available in the
+    next few days.
+  * Good Things Take Time
+    There's only a single (notable) recent issue that is fixed
+    with this release. All the others are a bit older.
+    - External URLs set up as dashlets are not embedded the same
+      as navigation items #5346
+  * But the team sat together a few weeks ago and fixed a bug here
+    and there. And of course, also in Icinga Web!
+    - Users who are not allowed to change the theme, cannot change
+      the theme mode either #5385
+    - Improved compatibility with several SSO authentication
+      providers #5000, #5227
+    - Filtering for older-than events with relative time does not
+      work #5263
+    - Empty values are NULL in CSV exports #5350
+  * Breaking, Somewhat
+    This is mainly for developers.
+    With the support of PHP 8.4, we introduced a new environment
+    variable, ICINGAWEB_ENVIRONMENT. Unless set to dev, Icinga Web
+    will not show nor log deprecation notices anymore.
+</description>
+  <package>icinga-php-thirdparty</package>
+  <package>icinga-php-library</package>
+  <package>icingaweb2</package>
+</patchinfo>

patchinfo.20251209165835367165.93181000773252/_patchinfo

@@ -0,0 +1,13 @@
+<patchinfo incident="packagehub-52">
+  <issue tracker="cve" id="2025-53881">cve#2025-53881 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-53881</issue>
+  <issue tracker="bnc" id="1246457">VUL-0: CVE-2025-53881: exim: SUSE-specific logrotate configuration allows escalation from mail user/group to root</issue>
+  <packager>bigironman</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for exim</summary>
+  <description>This update for exim fixes the following issues:
+
+- CVE-2025-53881: Fixed a potential security issue with logfile rotation (bsc#1246457)
+</description>
+  <package>exim</package>
+</patchinfo>

patchinfo.20251210101443200408.93181000773252/_patchinfo

@@ -0,0 +1,18 @@
+<patchinfo incident="packagehub-53">
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for virtme</summary>
+  <description>This update for virtme fixes the following issues:
+
+- Update to 1.40:
+  * No significant change, this is just a very small hotfix release
+    to solve a packaging problem introduced by a conflict with the
+    new vng-mcp tool.
+  * While at it, there're also some small improved hints in the MCP
+    server, so that AI agents can better understand how to build
+    the kernel using vng --build.
+</description>
+  <package>virtme</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251210102155991569.93181000773252/_patchinfo

@@ -0,0 +1,20 @@
+<patchinfo incident="packagehub-57">
+  <issue tracker="bnc" id="1254531">cmake-extras: Could not locate qmlplugindump</issue>
+  <issue tracker="bnc" id="1239788">cmake4: build failure tracker bug.</issue>
+  <packager>hillwood</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for cmake-extras</summary>
+  <description>This update for cmake-extras fixes the following issues:
+
+- Support both qmlplugindump-qt5 and qmlplugindump-qt6 (boo#1254531)
+- Fix filename and path of qmlplugindump-qt5 for openSUSE
+- Update to 1.9
+  * add support for CMake 4.0
+- Update to 1.8
+  * GMock: wire dependencies between GMock step and library files
+  * QmlPlugins: Crude support for qt6
+</description>
+  <package>cmake-extras</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251210175743200408.93181000773252/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-58">
+  <packager>pgajdos</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for rawtherapee</summary>
+  <description>This update for rawtherapee fixes the following issues:
+
+Ship rawtherapee image editor.
+</description>
+  <package>rawtherapee</package>
+</patchinfo>

patchinfo.20251211092111744764.93181000773252/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="packagehub-55">
+  <issue tracker="cve" id="2025-14372">cve#2025-14372 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-14372</issue>
+  <issue tracker="bnc" id="1254776">VUL-0: chromium: release 143.0.7499.109</issue>
+  <issue tracker="cve" id="2025-14373">cve#2025-14373 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-14373</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+- Chromium 143.0.7499.109 (boo#1254776):
+  * CVE-2025-14372: Use after free in Password Manager
+  * CVE-2025-14373: Inappropriate implementation in Toolbar
+  * third issue with an exploit is known to exist in the wild
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251214181248399975.93181000773252/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-56">
+  <issue tracker="bnc" id="1254386">labwc crashes when turning display off with wlr-randr (fixed in upstream and Factory)</issue>
+  <packager>lucsansag</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for labwc</summary>
+  <description>This update for labwc fixes the following issues:
+
+Changes in labwc:
+
+- Fixed layershell unmap segfault when no outputs left (boo#1254386)
+</description>
+  <package>labwc</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251217091639760898.93181000773252/_patchinfo

@@ -0,0 +1,65 @@
+<patchinfo incident="packagehub-59">
+  <issue tracker="cve" id="2025-21614">CVE-2025-21614 go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies</issue>
+  <issue tracker="bnc" id="1247629">VUL-0: CVE-2025-21613: cheat: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
+  <issue tracker="cve" id="2025-58181">VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="cve" id="2025-21613">VUL-0: CVE-2025-21613: TRACKERBUG: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
+  <issue tracker="cve" id="2025-47913">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="bnc" id="1253922">VUL-0: CVE-2025-58181: cheat: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="cve" id="2025-47914">VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="cve" id="2025-22870">VUL-0: CVE-2025-22870: TRACKERBUG: golang.org/net/http, golang.org/x/net/proxy, golang.org/x/net/http/httpproxy: proxy bypass using IPv6 zone IDs</issue>
+  <issue tracker="cve" id="2023-48795">VUL-0: CVE-2023-48795: openssh: prefix truncation breaking ssh channel integrity aka Terrapin Attack</issue>
+  <issue tracker="bnc" id="1254051">VUL-0: CVE-2025-47914: cheat: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1253593">VUL-0: CVE-2025-47913: cheat: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <packager>witekbedyk</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for cheat</summary>
+  <description>This update for cheat fixes the following issues:
+
+- Security:
+  * CVE-2025-47913: Fix client process termination (bsc#1253593)
+  * CVE-2025-58181: Fix potential unbounded memory consumption (bsc#1253922)
+  * CVE-2025-47914: Fix panic due to an out of bounds read (bsc#1254051)
+  * Replace golang.org/x/crypto=golang.org/x/crypto@v0.45.0
+  * Replace golang.org/x/net=golang.org/x/net@v0.47.0
+  * Replace golang.org/x/sys=golang.org/x/sys@v0.38.0
+
+- Packaging improvements:
+  * Drop Requires: golang-packaging. The recommended Go toolchain
+    dependency expression is BuildRequires: golang(API) &gt;= 1.x or
+    optionally the metapackage BuildRequires: go
+  * Use BuildRequires: golang(API) &gt;= 1.19 matching go.mod
+  * Build PIE with pattern that may become recommended procedure:
+    %%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
+    A go toolchain buildmode default config would be preferable
+    but none exist at this time.
+  * Drop mod=vendor, go1.14+ will detect vendor dir and auto-enable
+  * Remove go build -o output binary location and name. Default
+    binary has the same name as package of func main() and is
+    placed in the top level of the build directory.
+  * Add basic %check to execute binary --help
+
+- Packaging improvements:
+  * Service go_modules replace dependencies with CVEs
+  * Replace github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1
+    Fix GO-2025-3754 GHSA-2x5j-vhc8-9cwm
+  * Replace golang.org/x/net=golang.org/x/net@v0.36.0
+    Fixes GO-2025-3503 CVE-2025-22870
+  * Replace golang.org/x/crypto=golang.org/x/crypto@v0.35.0
+    Fixes GO-2023-2402 CVE-2023-48795 GHSA-45x7-px36-x8w8
+    Fixes GO-2025-3487 CVE-2025-22869
+  * Replace github.com/go-git/go-git/v5=github.com/go-git/go-git/v5@v5.13.0
+    Fixes GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4
+    Fixes GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m
+  * Service tar_scm set mode manual from disabled
+  * Service tar_scm create archive from git so we can exclude
+    vendor directory upstream committed to git. Committed vendor
+    directory contents have build issues even after go mod tidy.
+  * Service tar_scm exclude dir vendor
+  * Service set_version set mode manual from disabled
+  * Service set_version remove param basename not needed
+</description>
+  <package>cheat</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251218074156387460.187004354831441/_patchinfo

@@ -0,0 +1,21 @@
+<patchinfo incident="packagehub-60">
+  <issue tracker="cve" id="2025-14766">VUL-0: chromium: release 143.0.7499.146</issue>
+  <issue tracker="cve" id="2025-14174">Google Chrome: chromium: Out of bounds memory access via crafted HTML page</issue>
+  <issue tracker="bnc" id="1255115">VUL-0: chromium: release 143.0.7499.146</issue>
+  <issue tracker="cve" id="2025-14765">VUL-0: chromium: release 143.0.7499.146</issue>
+  <packager>oertel</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+Chromium 143.0.7499.146 (boo#1255115):
+
+  * CVE-2025-14765: Use after free in WebGPU
+  * CVE-2025-14766: Out of bounds read and write in V8
+  * CVE-2025-14174: Out of bounds memory access in ANGLE
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251218142204589141.93181000773252/_patchinfo

@@ -0,0 +1,123 @@
+<patchinfo incident="packagehub-62">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+Thu Dec 18 03:54:10 UTC 2025 - okurz@suse.com
+
+- Update to version 5.1766014013.377e64fe:
+  * feat(Needle::Save): Adapt to new error handling
+  * feat(OpenQA::Git): Make error handling more flexible with exceptions
+
+- Update to version 5.1765887110.8fc02990:
+  * Avoid partial deletion of a screenshot if Minion job is aborted
+  * Add `SignalBlocker` to delay signal handling during critical sections
+
+- Update to version 5.1765805960.2112d43d:
+  * fix(codecov): Fix wrong casing for 'fully_covered' entries
+
+- Update to version 5.1765535865.b566a24c:
+  * fix(codecov): Be strict about coverage thresholds
+  * Show jobs that have been cloned when `t` parameter is used on overview
+
+- Update to version 5.1765469360.5c0525b5:
+  * worker: Add coverage for OVS DBus checks
+  * Fix overview when filtering by test and module result at the same time
+  * Return signal as part of run_cmd result
+  * Add scanner for untracked screenshots
+  * KTAP: Properly hide details of a skipped subtest
+  * docs: Restory logic of the sentence about NFT vs firewalld
+  * docs: Clarify DHCP/RA availability on MM networks
+  * feat: Allow to configure key+secret with env variables
+
+- Update to version 5.1765286149.3debb8ea:
+  * KTAP: Don't increment parsed_lines_count in "SKIP" lines
+  * KTAP: Define unparsed_lines and parsed_lines_count
+
+- Update to version 5.1765217707.d6e697fd:
+  * Test commenting on overview page together with TODO filter
+  * Fix job IDs that are considered for mass-commenting on overview page
+
+- Update to version 5.1765009312.be30f6e0:
+  * README: Remove left-over empty badge reference
+
+Changes in os-autoinst:
+
+- Update to version 5.1767623406.688dd0e:
+  * os-autoinst-generate-needle-preview: Embed PNG
+  * Tweak curl call not to hang
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+
+- Update to version 5.1766037062.44c7d2a:
+  * Tweak curl call not to hang
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+
+- Update to version 5.1765976654.0026f92:
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Improve documentation strings for get/check_var
+
+- Update to version 5.1765808557.b89e9b4:
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+
+- Update to version 5.1765804109.1e7c99a:
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+
+- Update to version 5.1765533145.a82864c:
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+
+- Update to version 5.1765450253.f16e6ac:
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+  * Fix regression from abcaa66b by disabling virtio-keyboard by default
+  * distribution: Add "disable_key_repeat"
+  * Use 'virtio-keyboard' by default to allow fixing key repetition errors
+
+- Update to version 5.1765311639.7e3a762:
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+  * Fix regression from abcaa66b by disabling virtio-keyboard by default
+  * Add IPv6 support for multi machine tests
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1766014013.377e64fe9:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20251227105430923343.187004354831441/_patchinfo

@@ -0,0 +1,33 @@
+<patchinfo incident="packagehub-73">
+  <packager>pgajdos</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for apache2-mod_wsgi</summary>
+  <description>This update for apache2-mod_wsgi fixes the following issues:
+
+Changes in apache2-mod_wsgi:
+
+- Don't enable the module by default. Instead, include instructions in the
+  description, consistent with other comparable modules, such as
+  apache2-mod_fcgid, apache2-mod_jk and apache2-mod_mono.  If a reverse
+  dependency of this module requires it, that package may execute
+  `a2enmod wsgi`.
+
+Update to 5.0.2 includes changes from 5.0.1:
+
+  * Eliminate noise in logs under Python 3.13 when Python garbage collection
+    decides to delay destruction of objects until a second phase, resulting in
+    the wsgi.errors log object being accessed after the request had been
+    completed and the log object marked as invalid. This resulted due to changes
+    in garbage collection behaviour in Python 3.13.
+  * Internally, when using Python 3.8 or newer, the PyConfig API will now be
+    used due to deprecation and future removal of older C API alternatives.
+    This was required to support Python 3.13.
+  * Fix issue which could result in process crashing when values were supplied
+    for user/password/realm of HTTP basic authentication which weren’t
+    compliant with UTF-8 encoding format.
+  * Fix memory leak in check_password() authentication hook handler.
+  * Change use of deprecated thread.setDaemon to thread.daemon.
+</description>
+  <package>apache2-mod_wsgi</package>
+</patchinfo>

patchinfo.20260106100749431638.93181000773252/_patchinfo

@@ -0,0 +1,24 @@
+<patchinfo incident="packagehub-63">
+  <issue tracker="cve" id="2025-58181"/>
+  <issue tracker="cve" id="2025-47913"/>
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="cve" id="2025-47914"/>
+  <issue tracker="cve" id="2025-47911"/>
+  <issue tracker="bnc" id="1253512">VUL-0: CVE-2025-47913: trivy: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="bnc" id="1253977">VUL-0: CVE-2025-47914: trivy: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1251547">VUL-0: CVE-2025-58190: trivy: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1251363">VUL-0: CVE-2025-47911: trivy: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1253786">VUL-0: CVE-2025-58181: trivy: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <packager>dirkmueller</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for trivy</summary>
+  <description>This update for trivy fixes the following issues:
+
+- Update to version 0.68.2:
+  * release: v0.68.2 [release/v0.68] (#9950)
+  * fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] (#9949)
+  * ci: enable `check-latest` for `setup-go` [backport: release/v0.68] (#9946)
+</description>
+  <package>trivy</package>
+</patchinfo>

patchinfo.20260106101959221503.93181000773252/_patchinfo

@@ -0,0 +1,33 @@
+<patchinfo incident="packagehub-66">
+  <issue tracker="bnc" id="1239678">VUL-0: CVE-2025-2337: matio: heap buffer overflow in function Mat_VarPrint of file src/mat.c</issue>
+  <issue tracker="cve" id="2025-2337">VUL-0: CVE-2025-2337: matio: heap buffer overflow in function Mat_VarPrint of file src/mat.c</issue>
+  <issue tracker="cve" id="2025-2338">VUL-0: CVE-2025-2338: matio: heap buffer overflow in function strdup_vprintf of file src/io.c</issue>
+  <issue tracker="bnc" id="1239677">VUL-0: CVE-2025-2338: matio: heap buffer overflow in function strdup_vprintf of file src/io.c</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for matio</summary>
+  <description>This update for matio fixes the following issues:
+
+- update to version 1.5.29:
+  * Fix printing rank-1-variable in Mat_VarPrint
+  * Fix array index out of bounds in Mat_VarPrint when printing
+    UTF-8 character data (boo#1239678, CVE-2025-2337)
+  * Fix heap-based buffer overflow in strdup_vprintf
+    (boo#1239677, CVE-2025-2338)
+  * Changed Mat_VarPrint to print all values of rank-2-variable
+  * Several other fixes, for example for access violations in
+    Mat_VarPrint
+
+- Update to version 1.5.28:
+  * Fixed bug writing MAT_T_INT8/MAT_T_UINT8 encoded character
+    array to compressed v5 MAT file (regression of v1.5.12).
+  * Fixed bug reading all-zero sparse array of v4 MAT file
+    (regression of v1.5.18).
+  * Updated C99 snprintf.c.
+  * CMake: Enabled testing.
+  * Several other fixes, for example for access violations in
+    Mat_VarPrint.
+</description>
+  <package>matio</package>
+</patchinfo>

patchinfo.20260106152652552214.93181000773252/_patchinfo

@@ -0,0 +1,12 @@
+<patchinfo incident="packagehub-71">
+  <packager>miska</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for knot</summary>
+  <description>This update for knot fixes the following issues:
+
+- update to version 3.5.2, see
+  https://www.knot-dns.cz/2025-11-28-version-352.html
+</description>
+  <package>knot</package>
+</patchinfo>

patchinfo.20260106152825813077.93181000773252/_patchinfo

@@ -0,0 +1,12 @@
+<patchinfo incident="packagehub-85">
+  <issue tracker="bnc" id="1254975">niri doesn't set the right portal notification proxy</issue>
+  <packager>mantarimay</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for niri</summary>
+  <description>This update for niri fixes the following issues:
+
+- Fixed portal notification proxy (boo#1254975)
+</description>
+  <package>niri</package>
+</patchinfo>

patchinfo.20260107170113751929.93181000773252/_patchinfo

@@ -0,0 +1,76 @@
+<patchinfo incident="packagehub-65">
+  <packager>sbradnick</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for ranger</summary>
+  <description>This update for ranger fixes the following issues:
+
+- Update to version 1.9.4+git20250910.3f7a3546:
+  * img_display: Avoid unicode escape sequences for Ueberzug input
+  * man: fix documentation of which license ranger uses exactly
+  * rifle: fixed+clarified usage string
+
+- Update to version 1.9.4+git20250604.7e38143:
+  * fixed bug with command info staying
+  * Revert "fixed open_with bugginess"
+  * fixed open_with bugginess
+  * commands: Reword comment for brevity and accuracy
+  * GHActions: Pass config_files rather than boolean to flake8
+  * commands: Disable invalid-name and too-many-lines pylints
+  * Pylint: Disable invalid-name and too-many-lines for commands.py
+  * add :unnarrow to disable :narrow mode
+  * rifle: Update version
+
+- Update to version 1.9.4+git20250305.7ad50fa:
+  * 7-zip now has an official Linux version (7zz)
+  * add: support for tilde in bookmarks
+  * img_display: address PR feedback
+  * docs: kitty image previews are supported in other terminals now
+  * img_display: auto-detect support for kitty image previews
+  * rifle(terminals): support auto-detecting ghostty terminal emulator
+  * Modified order of expantions in peview_script
+  * Add GNOME papers to document viewers
+  * Added ability to use environmental variables in preview_script option
+  * doc: Regenerate man pages to have the proper version
+  * Makefile: Update version Grep since adding logo to README
+  * ranger/__init__: Caught another unbumped version
+  * mime.types: Add .nim extension for text/plain
+  * Fixed mistooks of nim scripts as a video aNIMations in rifle.conf
+  * GHActions: Pypy don't run old Flake8/Pylint
+  * GHActions: Use Pypy 3.10
+  * actions: Use keywords for rifle.execute
+  * runner: Allow action as positional argument
+  * ui: Refresh window in initialize
+  * ui: endwin already sets cursor to normal visibility
+  * requirements: Add setuptools
+  * img_display: Silence no-member false positive
+  * core/main: Drop unused variable prefix_length
+  * core,ext: Avoid return in finally shadowing return value
+  * test_py2_compat: Prevent use of yield from
+  * core,ext: Reduce positional arguments where possible
+  * pager,history: Replace branch with min/max builtins
+  * Pylint: Update custom checker for compatibility with 3.3.1
+  * GHActions: Bump action versions
+  * README: Use forge-agnostic URL
+  * README: Capitalize ranger
+  * README: Bump version
+  * README: Replace Travis with GHActions badge
+  * README: Center header
+  * make logo in readme wider
+  * move the ranger logo to the very top
+  * Add option confirm_on_trash
+  * Fix typos
+  * Add IINA to rifle.conf
+  * browsercolumn: ANSI escape codes support
+  * #1182: Fix signals for OS X
+
+- Update to version 1.9.3+git20240801.bd9b37f:
+  * properly decode file:// urls given to ranger as argument (fixes #2900)
+  * fix #2873 WM_NAME now shows "not accessible" in non-existent directories
+  * Fixed inconsistency in ranger documentation where it was stated that commanding 'linemode humanreadablesizemtime' changed the linemode to display human readable modification time and file size, but the correct command for this is 'linemode sizehumanreadablemtime'
+  * README: fix link formatting on github's markdown renderer
+  * README: add liberapay badge
+  * Mention viewmode key binding in man
+</description>
+  <package>ranger</package>
+</patchinfo>

patchinfo.20260108114750488113.93181000773252/_patchinfo

@@ -0,0 +1,19 @@
+<patchinfo incident="packagehub-64">
+  <issue tracker="cve" id="2026-0628">VUL-0: CVE-2026-0628: chromium: Insufficient policy enforcement in WebView tag fixed in 143.0.7499.192</issue>
+  <issue tracker="bnc" id="1256067">VUL-0: CVE-2026-0628: chromium: Insufficient policy enforcement in WebView tag fixed in 143.0.7499.192</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+- Chromium 143.0.7499.192 (boo#1256067):
+  * CVE-2026-0628: Insufficient policy enforcement in WebView tag
+
+- Chromium 143.0.7499.169 (stable released 2025-12-18)
+  * no cve listed yet
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20260112114750488113.93181000773252/_patchinfo

@@ -0,0 +1,35 @@
+<patchinfo incident="packagehub-68">
+  <packager>mcalabkova</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for certbot</summary>
+  <description>This update for certbot fixes the following issues:
+
+Various certbot packages and dependencies are being added.
+</description>
+<package>certbot-systemd-timer</package>
+<package>python-augeas</package>
+<package>python-bson</package>
+<package>python-certbot-apache</package>
+<package>python-certbot-dns-cloudflare</package>
+<package>python-certbot-dns-digitalocean</package>
+<package>python-certbot-dns-dnsimple</package>
+<package>python-certbot-dns-dnsmadeeasy</package>
+<package>python-certbot-dns-linode</package>
+<package>python-certbot-dns-luadns</package>
+<package>python-certbot-dns-nsone</package>
+<package>python-certbot-dns-ovh</package>
+<package>python-certbot-dns-rfc2136</package>
+<package>python-certbot-dns-route53</package>
+<package>python-cloudflare</package>
+<package>python-digitalocean</package>
+<package>python-dns-lexicon</package>
+<package>python-jsonlines</package>
+<package>python-jsonpickle</package>
+<package>python-localzone</package>
+<package>python-pytest-httpx</package>
+<package>python-requests-file</package>
+<package>python-softlayer</package>
+<package>python-softlayer-zeep</package>
+<package>python-tldextract</package>
+</patchinfo>

patchinfo.20260113100304813079.93181000773252/_patchinfo

@@ -0,0 +1,47 @@
+<patchinfo incident="packagehub-72">
+  <issue tracker="cve" id="2025-14325">firefox: JIT miscompilation in the JavaScript Engine: JIT component</issue>
+  <issue tracker="cve" id="2025-14321">firefox: Use-after-free in the WebRTC: Signaling component</issue>
+  <issue tracker="cve" id="2025-14328">firefox: Privilege escalation in the Netmonitor component</issue>
+  <issue tracker="cve" id="2025-14323">firefox: Privilege escalation in the DOM: Notifications component</issue>
+  <issue tracker="cve" id="2025-14322">firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component</issue>
+  <issue tracker="bnc" id="1254551">VUL-0: MozillaFirefox / MozillaThunderbird: update to 146.0 and 140.6esr</issue>
+  <issue tracker="cve" id="2025-14324">firefox: JIT miscompilation in the JavaScript Engine: JIT component</issue>
+  <issue tracker="cve" id="2025-14330">firefox: JIT miscompilation in the JavaScript Engine: JIT component</issue>
+  <issue tracker="cve" id="2025-14329">firefox: Privilege escalation in the Netmonitor component</issue>
+  <issue tracker="cve" id="2025-14331">firefox: Same-origin policy bypass in the Request Handling component</issue>
+  <issue tracker="cve" id="2025-14333">firefox: Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146</issue>
+  <packager>Yoshio_Sato</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for MozillaThunderbird</summary>
+  <description>This update for MozillaThunderbird fixes the following issues:
+
+Changes in MozillaThunderbird:
+
+- Mozilla Thunderbird 140.6.0 ESR
+  MFSA 2025-96 (bsc#1254551)
+  * CVE-2025-14321 (bmo#1992760)
+    Use-after-free in the WebRTC: Signaling component
+  * CVE-2025-14322 (bmo#1996473)
+    Sandbox escape due to incorrect boundary conditions in the
+    Graphics: CanvasWebGL component
+  * CVE-2025-14323 (bmo#1996555)
+    Privilege escalation in the DOM: Notifications component
+  * CVE-2025-14324 (bmo#1996840)
+    JIT miscompilation in the JavaScript Engine: JIT component
+  * CVE-2025-14325 (bmo#1998050)
+    JIT miscompilation in the JavaScript Engine: JIT component
+  * CVE-2025-14328 (bmo#1996761)
+    Privilege escalation in the Netmonitor component
+  * CVE-2025-14329 (bmo#1997018)
+    Privilege escalation in the Netmonitor component
+  * CVE-2025-14330 (bmo#1997503)
+    JIT miscompilation in the JavaScript Engine: JIT component
+  * CVE-2025-14331 (bmo#2000218)
+    Same-origin policy bypass in the Request Handling component
+  * CVE-2025-14333 (bmo#1966501, bmo#1997639)
+    Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird
+    ESR 140.6, Firefox 146 and Thunderbird 146
+</description>
+  <package>MozillaThunderbird</package>
+</patchinfo>

patchinfo.20260113100344517680.93181000773252/_patchinfo

@@ -0,0 +1,45 @@
+<patchinfo incident="packagehub-70">
+  <issue tracker="cve" id="2025-69195"/>
+  <issue tracker="bnc" id="1255729">VUL-0: CVE-2025-69195: wget2: memory corruption and crash via filename sanitization logic with attacker-controlled URLs</issue>
+  <issue tracker="cve" id="2025-69194"/>
+  <issue tracker="bnc" id="1255728">VUL-0: CVE-2025-69194: wget2: arbitrary file write via Metalink path traversal</issue>
+  <packager>jengelh</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for wget2</summary>
+  <description>This update for wget2 fixes the following issues:
+
+Changes in wget2:
+
+- Update to release 2.2.1
+  * Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]
+  * Fix remote buffer overflow in get_local_filename_real()
+    [CVE-2025-69195 bsc#1255729]
+  * Fix a redirect/mirror regression from 400713ca
+  * Use the local system timestamp when requested via
+    --no-use-server-timestamps
+  * Prevent file truncation with --no-clobber
+  * Improve messages about why URLs are not being followed
+  * Fix metalink with -O/--output-document
+  * Fix sorting of metalink mirrors by priority
+  * Add --show-progress to improve backwards compatibility to wget
+  * Fix buffer overflow in wget_iri_clone() after
+    wget_iri_set_scheme()
+  * Allow 'no_' prefix in config options
+  * Use libnghttp2 for HTTP/2 testing
+  * Set exit status to 8 on 403 response code
+  * Fix convert-links
+  * Fix --server-response for HTTP/1.1
+
+- Update to release 2.2.0
+  * Don't truncate file when -c and -O are combined
+  * Don't log URI userinfo to logs
+  * Fix downloading multiple files via HTTP/2
+  * Support connecting with HTTP/1.0 proxies
+  * Ignore 1xx HTTP responses for HTTP/1.1
+  * Disable TCP Fast Open by default
+  * Fix segfault when OCSP response is missing
+  * Add libproxy support
+</description>
+  <package>wget2</package>
+</patchinfo>

patchinfo.20260113125217848639.93181000773252/_patchinfo

@@ -0,0 +1,45 @@
+<patchinfo incident="packagehub-69">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+Thu Jan 08 10:09:35 UTC 2026 - okurz@suse.com
+- Update to version 5.1767864265.63cd20df:
+  * Skip caching for KERNEL and INITRD variables
+
+- Update to version 5.1766150951.2799046e:
+  * Coverage of openQA: add folder Client/ in codecov.yaml
+  * Improve openQA coverage of _download_handler in Archive.pm
+
+- Update to version 5.1766053374.57cdeee3:
+  * fix(docs): Fix indentation in job template examples
+
+Changes in os-autoinst:
+
+- Update to version 5.1767893100.fd5003c:
+  * Add documentation of APPEND variable
+  * Add undocumented KERNEL/INITRD to the supported variables
+  * os-autoinst-generate-needle-preview: Embed PNG
+  * Tweak curl call not to hang
+  * Fix opencv dependency due to upstream changes
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1767864265.63cd20dfc:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20260113130548514612.93181000773252/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-74">
+  <issue tracker="bnc" id="1255237">scripts it $XDG_CONFIG_DIRS/plasma-workspace/env stop working after ibus update</issue>
+  <packager>ftake</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for fcitx5</summary>
+  <description>This update for fcitx5 fixes the following issues:
+
+
+- Use return instead of exit in 20-fcitx-plasma-setup.sh (boo#1255237)
+- Replace "IBus" with "Fcitx" in a log message
+</description>
+  <package>fcitx5</package>
+</patchinfo>

patchinfo.20260115100809875766.93181000773252/_patchinfo

@@ -0,0 +1,35 @@
+<patchinfo incident="packagehub-80">
+  <issue tracker="cve" id="2026-0907">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0908">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0901">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0902">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0906">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0903">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0905">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0900">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0904">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0899">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="bnc" id="1256614">VUL-0: chromium: release 144.0.7559.59</issue>
+  <packager>oertel</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+- Chromium 144.0.7559.59 (boo#1256614)
+  * CVE-2026-0899: Out of bounds memory access in V8
+  * CVE-2026-0900: Inappropriate implementation in V8
+  * CVE-2026-0901: Inappropriate implementation in Blink
+  * CVE-2026-0902: Inappropriate implementation in V8
+  * CVE-2026-0903: Insufficient validation of untrusted input in Downloads
+  * CVE-2026-0904: Incorrect security UI in Digital Credentials
+  * CVE-2026-0905: Insufficient policy enforcement in Network
+  * CVE-2026-0906: Incorrect security UI
+  * CVE-2026-0907: Incorrect security UI in Split View
+  * CVE-2026-0908: Use after free in ANGLE
+- use noopenh264 where available
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20260115100949201882.93181000773252/_patchinfo

@@ -0,0 +1,55 @@
+<patchinfo incident="packagehub-79">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1768323619.9a70ab91:
+  * refactor: Extend tests of df-based cleanup
+  * fix: Avoid wrong deletion of archived jobs in df-based cleanup
+  * refactor: Move logic for validating percentage into helper
+  * refactor: Clarify wording in comment regarding job cleanup
+  * Use template literals in certain JavaScript code
+  * Retry delete_needles job on server restart
+  * Add test for _delete_needles
+  * feat(OpenQA::Git): Cleanup git dir in commit() on shutdown
+  * feat: Improve rendering results on the scheduled product page
+
+- Update to version 5.1768209690.f34c2973:
+  * feat(scheduled-products): Allow adding note to result data
+  * docs: Use node_modules target
+  * docs: Mention minimum PostgreSQL version
+  * ci: Update PostgreSQL in CI/packaging to at least 14
+  * Revert "Add MCP tool annotations for Claude connector compliance"
+
+- Update to version 5.1767868268.dacbd3f7:
+  * Add MCP tool annotations for Claude connector compliance
+
+Changes in os-autoinst:
+
+- Update to version 5.1768317525.86a9a7f:
+  * fix(dist): exclude unstable t/28-signalblocker.t in OBS checks
+  * Remove deprecated BIOS and UEFI_PFLASH variables
+  * Add documentation of APPEND variable
+  * Add undocumented KERNEL/INITRD to the supported variables
+  * os-autoinst-generate-needle-preview: Embed PNG
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1768323619.9a70ab916:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20260115101101937926.93181000773252/_patchinfo

@@ -0,0 +1,22 @@
+<patchinfo incident="packagehub-83">
+  <issue tracker="jsc" id="PED-1942">feature request for adding ipvlan support to wicked for SLES15</issue>
+  <packager>cfconrad</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for wicked</summary>
+  <description>This update for wicked fixes the following issues:
+
+Changes in wicked:
+
+- Update to version 0.6.78
+  - man: small fixes in wireless manpage (gh#opensuse/wicked#1053)
+  - rtnetlink: fix RTM_NEWLINK name resolution in debug (gh#opensuse/wicked#1052)
+  - Add support for IPVLAN/IPVTAP (jsc#PED-1942, gh#opensuse/wicked#1050, gh#opensuse/wicked#1051)
+  - fsm: remove children reference array from worker (gh#opensuse/wicked#1049)
+  - ifxml: migrate and generate lower configs/policies (gh#opensuse/wicked#1048)
+  - fsm: use refcount and array macros in worker and policy (gh#opensuse/wicked#1047)
+  - route: use refcounted array and fix error leaks (gh#opensuse/wicked#1046)
+  - utils: add support for refcounted objects in generic array (gh#openSUSE/wicked#1045)
+</description>
+  <package>wicked</package>
+</patchinfo>

patchinfo.20260115101600453573.93181000773252/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-75">
+  <packager>jengelh</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for flint</summary>
+  <description>This update for flint fixes the following issues:
+
+Changes in flint:
+
+- Fixed a compile error for downstream users when using -std=c23 or
+  a newer GCC which defaults to such.
+</description>
+  <package>flint</package>
+</patchinfo>

patchinfo.20260115114750488113.93181000773252/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-76">
+  <packager>pgajdos</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for dehydrated</summary>
+  <description>This update for dehydrated fixes the following issues:
+
+Adds dehydrated to PackageHub / Leap 16.0.
+</description>
+  <package>dehydrated</package>
+</patchinfo>

patchinfo.20260115143001930772.93181000773252/_patchinfo

@@ -0,0 +1,41 @@
+<patchinfo incident="packagehub-77">
+  <issue tracker="bnc" id="1256453">polymake-devel unusable</issue>
+  <packager>jengelh</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for polymake, cddlib</summary>
+  <description>This update for polymake, cddlib fixes the following issues:
+
+Changes in polymake:
+
+- Enable polydb for Tumbleweed / suse_version &gt;=1690
+
+- Reenable callable library mode [boo#1256453]
+
+- Update to release 4.15
+  * graph: graphviz: use PDF instead of PS
+  * polytope: MILP: allow non-rational coordinates
+  * Some bugfixes
+
+- Update to release 4.14
+  * tropical: cone: refactoring and fixes for DOME, COVECTORs and
+    PSEUDOVERTICES
+  * tropical: polytope: fix vertices computation
+  * tropical: hypersurface: fixes for monomials and binomials
+
+- Update to release 4.13
+  * Support for Perl 5.40 and -std=c++20 builds
+
+Changes in cddlib:
+
+- Update to release 0.94n
+  * Fixed a potential dd_MatrixCanonicalize segfault.
+  * cddlib.pc file now points to the non-GMP version, and
+    cddgmp.pc has been added for the GMP version.
+  * Copy certificate and handle errors correctly in dd_SRedundant
+    for the V-representation code path.
+  * cddlib is now thread-safe.
+</description>
+  <package>polymake</package>
+  <package>cddlib</package>
+</patchinfo>

patchinfo.20260115164300444802.93181000773252/_patchinfo

@@ -0,0 +1,25 @@
+<patchinfo incident="packagehub-78">
+  <packager>mmamula</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for ansible-sap-launchpad</summary>
+  <description>This update for ansible-sap-launchpad fixes the following issues:
+
+Changes in ansible-sap-launchpad:
+
+- Refactor Ansible Modules and adjust for ansible-core 2.19.
+
+- 1.3.1
+  - Bugfixes:
+    - collection: Add ansible-test sanity workflow and fix sanity errors
+
+- 1.3.0
+  - Changes:
+    - collection: Refactor all Ansible Modules
+    - sap_software_download: Update for ansible-core 2.19
+  - Bugfixes:
+    - sap_software_download: Fix for failed checksums not correctly retrying
+
+</description>
+  <package>ansible-sap-launchpad</package>
+</patchinfo>

patchinfo.20260116150132416590.93181000773252/_patchinfo

@@ -0,0 +1,95 @@
+<patchinfo incident="packagehub-82">
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="bnc" id="1241814">VUL-0: CVE-2025-22872: go-sendxmpp: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
+  <issue tracker="cve" id="2025-22872">VUL-0: CVE-2025-22872: TRACKERBUG: golang.org/x/net/html: tags incorrectly interpreted by tokenizer can lead to content being placed in the wrong scope during</issue>
+  <issue tracker="bnc" id="1251677">VUL-0: CVE-2025-58190: go-sendxmpp: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1251461">VUL-0: CVE-2025-47911: go-sendxmpp: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="cve" id="2025-47911">VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <packager>fstrba</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for go-sendxmpp</summary>
+  <description>This update for go-sendxmpp fixes the following issues:
+
+Changes in go-sendxmpp:
+
+- Update to 0.15.1:
+  Added
+  * Add XEP-0359 Origin-ID to messages (requires go-xmpp &gt;= v0.2.18).
+  Changed
+  * HTTP upload: Ignore timeouts on disco IQs as some components do
+    not reply.
+- Upgrades the embedded golang.org/x/net to 0.46.0
+  * Fixes: bsc#1251461, CVE-2025-47911: various algorithms with
+    quadratic complexity when parsing HTML documents
+  * Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption
+    by 'html.ParseFragment' when processing specially crafted input
+
+- Update to 0.15.0:
+  Added:
+  * Add flag --verbose to show debug information.
+  * Add flag --recipients to specify recipients by file.
+  * Add flag --retry-connect to try after a waiting time if the connection fails.
+  * Add flag --retry-connect-max to specify the amount of retry attempts.
+  * Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.
+  * Add support for punycode domains.
+  Changed:
+  * Update gopenpgp library to v3.
+  * Improve error detection for MUC joins.
+  * Don't try to connect to other SRV record targets if error contains 'auth-failure'.
+  * Remove support for old SSDP version (via go-xmpp v0.2.15).
+  * Http-upload: Stop checking other disco items after finding upload component.
+  * Increase default TLS version to 1.3.
+- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0
+
+- Update to 0.14.1:
+  * Use prettier date format for error messages.
+  * Update XEP-0474 to version 0.4.0 (requires go-xmpp &gt;= 0.2.10).
+
+- Update to 0.14.0:
+  Added:
+  * Add --fast-invalidate to allow invalidating the FAST token.
+  Changed:
+  * Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.
+  * Delete legacy Ox private key directory if it's empty.
+  * Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp &gt;= 0.2.9).
+  * Print debug output to stdout, not stderr (requires go-xmpp &gt;= 0.2.9).
+  * Show RECV: and SEND: prefix for debug output (requires go-xmpp &gt;= 0.2.9).
+  * Delete stored fast token if --fast-invalidate and --fast-off are set.
+  * Show error when FAST creds are stored but non-FAST mechanism is requested.
+
+- Update to 0.13.0:
+  Added:
+  * Add --anonymous to support anonymous authentication (requires go-xmpp &gt;= 0.2.8).
+  * Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp &gt;= 0.2.8).
+  * Add support for see-other-host stream error (requires go-xmpp &gt;= 0.2.8).
+  Changed:
+  * Don't automatically try other auth mechanisms if FAST authentication fails.
+
+- Update to 0.12.1:
+  Changed:
+  * Print error instead of quitting if a message of type error is received.
+  * Allow upload of multiple files.
+  Added:
+  * Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.
+
+- Update to 0.12.0:
+  Added:
+  * Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv &gt;= 0.3.3).
+  * Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp &gt;= 0.2.5).
+  Changed:
+  * Disable PLAIN authentication per default.
+  * Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires
+    go-xmpp &gt;= 0.2.5).
+
+- Update to 0.11.4:
+  * Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp &gt;= 0.2.4).
+
+- Update to 0.11.3:
+  * Add go-xmpp library version to --version output (requires go-xmpp &gt;= 0.2.2).
+  * Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp &gt;= v0.2.3).
+  * [gocritic]: Improve code quality.
+</description>
+  <package>go-sendxmpp</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260119100234029640.93181000773252/_patchinfo

@@ -0,0 +1,13 @@
+<patchinfo incident="packagehub-84">
+  <issue tracker="cve" id="2025-63757"/>
+  <issue tracker="bnc" id="1255392">VUL-0: CVE-2025-63757: ffmpeg,ffmpeg-4: ffmpeg: accumulation of filtered pixel values can lead to an integer overflow</issue>
+  <packager>jonathankang</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for ffmpeg-4</summary>
+  <description>This update for ffmpeg-4 fixes the following issues:
+
+- CVE-2025-63757: Fixed swscale/output: Fix integer overflow in yuv2ya16_X_c_template() (bsc#1255392).
+</description>
+  <package>ffmpeg-4</package>
+</patchinfo>

patchinfo.20260120143234408409.93181000773252/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-86">
+  <issue tracker="cve" id="2025-68616">VUL-0: CVE-2025-68616: python-weasyprint: server-side request forgery (SSRF) protection bypass via HTTP redirects allows access to internal network resources</issue>
+  <issue tracker="bnc" id="1256936">VUL-0: CVE-2025-68616: python-weasyprint: server-side request forgery (SSRF) protection bypass via HTTP redirects allows access to internal network resources</issue>
+  <packager>dgarcia</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for python-weasyprint</summary>
+  <description>This update for python-weasyprint fixes the following issues:
+
+Changes in python-weasyprint:
+
+- CVE-2025-68616: Fixed a server-side request forgery in default fetcher (boo#1256936).
+</description>
+  <package>python-weasyprint</package>
+</patchinfo>