Add rfrohl to qam-openqa-review

As a fallback option: to be able to unblock updates during vacations periods.

.gitmodules

@@ -17350,6 +17350,10 @@
 	path = rasqal
 	url = ../../pool/rasqal
 	branch = leap-16.0
+[submodule "rawtherapee"]
+	path = rawtherapee
+	url = ../../pool/rawtherapee
+	branch = leap-16.0
 [submodule "raw-thumbnailer"]
 	path = raw-thumbnailer
 	url = ../../pool/raw-thumbnailer
@@ -17562,10 +17566,6 @@
 	path = rlwrap
 	url = ../../pool/rlwrap
 	branch = leap-16.0
-[submodule "rmt-server"]
-	path = rmt-server
-	url = ../../pool/rmt-server
-	branch = leap-16.0
 [submodule "rmw"]
 	path = rmw
 	url = ../../pool/rmw
@@ -26134,3 +26134,7 @@
 	path = python-pyRFC3339
 	url = ../../pool/python-pyRFC3339
 	branch = leap-16.0
+[submodule "openQA-devel-container"]
+	path = openQA-devel-container
+	url =  ../../pool/openQA-devel-container
+	branch = leap-16.0

0Backports/Backports.productcompose

@@ -149,6 +149,8 @@ packagesets:
   - kernel-livepatch-6_12_0-160000_5-rt
   - kernel-livepatch-6_12_0-160000_6-default
   - kernel-livepatch-6_12_0-160000_6-rt
+  - kernel-livepatch-6_12_0-160000_7-default
+  - kernel-livepatch-6_12_0-160000_7-rt
   - kernel-rt-livepatch
   - kernel-rt-livepatch-devel
   - krb5-mini
@@ -1922,6 +1924,27 @@ packagesets:
   - java-21-openjdk-javadoc
   - java-21-openjdk-jmods
   - java-21-openjdk-src
+  - java-22-openjdk
+  - java-22-openjdk-demo
+  - java-22-openjdk-devel
+  - java-22-openjdk-headless
+  - java-22-openjdk-javadoc
+  - java-22-openjdk-jmods
+  - java-22-openjdk-src
+  - java-23-openjdk
+  - java-23-openjdk-demo
+  - java-23-openjdk-devel
+  - java-23-openjdk-headless
+  - java-23-openjdk-javadoc
+  - java-23-openjdk-jmods
+  - java-23-openjdk-src
+  - java-24-openjdk
+  - java-24-openjdk-demo
+  - java-24-openjdk-devel
+  - java-24-openjdk-headless
+  - java-24-openjdk-javadoc
+  - java-24-openjdk-jmods
+  - java-24-openjdk-src
   - java-cup
   - java-cup-manual
   - javacc
@@ -7932,6 +7955,8 @@ packagesets:
   - kernel-kvmsmall
   - kernel-kvmsmall-devel
   - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
   - libLLVMSPIRVLib19
   - libatopology2
   - libdpdk-25
@@ -8043,6 +8068,8 @@ packagesets:
   - grub2-s390x-emu
   - kernel-default-livepatch
   - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
   - kernel-zfcpdump
   - kiwi-settings
   - libHBAAPI2
@@ -8182,6 +8209,8 @@ packagesets:
   - kernel-kvmsmall-devel
   - kernel-kvmsmall-vdso
   - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
   - kiwi-pxeboot
   - kubevirt-virtctl
   - libFLAC++10-x86-64-v3

patchinfo.20251117131911819330.187004354831441/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-36">
+  <issue tracker="bnc" id="1252722">Evolution crashes when opening JPEG attachments after webkit2gtk3 security update</issue>
+  <packager>mgorse</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for evolution</summary>
+  <description>This update for evolution fixes the following issues:
+
+Changes in evolution:
+
+- Fix JavaScript dictionary objects creation. Needed for WebKitGTK &gt;= 2.50
+  (bsc#1252722 glgo#GNOME/evolution#3124).
+</description>
+  <package>evolution</package>
+</patchinfo>

patchinfo.20251117132509463589.187004354831441/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-49">
+  <packager>okurz</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for perl-Mojolicious-Plugin-Webpack</summary>
+  <description>This update for perl-Mojolicious-Plugin-Webpack fixes the following issues:
+
+Changes in perl-Mojolicious-Plugin-Webpack:
+
+- See https://github.com/jhthorsen/mojolicious-plugin-webpack/pull/17
+</description>
+  <package>perl-Mojolicious-Plugin-Webpack</package>
+  
+</patchinfo>

patchinfo.20251126120323268597.93181000773252/_patchinfo

@@ -0,0 +1,62 @@
+<patchinfo incident="packagehub-37">
+  <issue tracker="cve" id="2025-46817">cve#2025-46817 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46817</issue>
+  <issue tracker="cve" id="2025-62507">cve#2025-62507 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-62507</issue>
+  <issue tracker="cve" id="2025-49844">cve#2025-49844 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-49844</issue>
+  <issue tracker="cve" id="2025-46818">cve#2025-46818 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46818</issue>
+  <issue tracker="bnc" id="1250995">VUL-0: CVE-2025-49844,CVE-2025-46817,CVE-2025-46818,CVE-2025-46819: valkey,redis,redis7: multiple LUA issues</issue>
+  <issue tracker="bnc" id="1252996">VUL-0: CVE-2025-62507: redis,redis7,valkey: XACKDEL - potential stack overflow and RCE</issue>
+  <issue tracker="cve" id="2025-46819">cve#2025-46819 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46819</issue>
+  <packager>ateixeira</packager>
+  <rating>critical</rating>
+  <category>security</category>
+  <summary>Security update for redis</summary>
+  <description>This update for redis fixes the following issues:
+
+- Updated to 8.2.3 (boo#1252996 CVE-2025-62507)
+  * https://github.com/redis/redis/releases/tag/8.2.3
+  - Security fixes
+    - (CVE-2025-62507) Bug in `XACKDEL` may lead to stack overflow
+      and potential RCE
+  - Bug fixes
+    - `HGETEX`: A missing `numfields` argument when `FIELDS` is
+      used can lead to Redis crash
+    - An overflow in `HyperLogLog` with 2GB+ entries may result in
+      a Redis crash
+    - Cuckoo filter - Division by zero in Cuckoo filter insertion
+    - Cuckoo filter - Counter overflow
+    - Bloom filter - Arbitrary memory read/write with invalid
+      filter
+    - Bloom filter - Out-of-bounds access with empty chain
+    - Top-k - Out-of-bounds access
+    - Bloom filter - Restore invalid filter [We thank AWS security
+      for responsibly disclosing the security bug]
+
+- Updated to 8.2.2 (boo#1250995)
+  * https://github.com/redis/redis/releases/tag/8.2.2
+  * Fixed Lua script may lead to remote code execution (CVE-2025-49844).
+  * Fixed Lua script may lead to integer overflow (CVE-2025-46817).
+  * Fixed Lua script can be executed in the context of another user
+    (CVE-2025-46818).
+  * Fixed LUA out-of-bound read (CVE-2025-46819).
+  * Fixed potential crash on Lua script or streams and HFE defrag.
+  * Fixed potential crash when using ACL rules.
+  * Added VSIM: new EPSILON argument to specify maximum distance.
+  * Added SVS-VAMANA: allow use of BUILD_INTEL_SVS_OPT flag.
+  * Added RESP3 serialization performance.
+  * Added INFO SEARCH: new SVS-VAMANA metrics.
+
+- Updated to 8.2.1
+  * https://github.com/redis/redis/releases/tag/8.2.1
+  - Bug fixes
+    * #14240 INFO KEYSIZES - potential incorrect histogram updates
+      on cluster mode with modules
+    * #14274 Disable Active Defrag during flushing replica
+    * #14276 XADD or XTRIM can crash the server after loading RDB
+    * #Q6601 Potential crash when running FLUSHDB (MOD-10681)
+  * Performance and resource utilization
+    * Query Engine - LeanVec and LVQ proprietary Intel
+      optimizations were removed from Redis Open Source
+    * #Q6621 Fix regression in INFO (MOD-10779)
+</description>
+  <package>redis</package>
+</patchinfo>

patchinfo.20251127113212085239.93181000773252/_patchinfo

@@ -0,0 +1,13 @@
+<patchinfo incident="packagehub-40">
+  <issue tracker="cve" id="2025-61659"/>
+  <issue tracker="bnc" id="1247489">VUL-0: CVE-2025-61659: bash-git-prompt: uses predictable file in /tmp for a copy of the git index</issue>
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for bash-git-prompt</summary>
+  <description>This update for bash-git-prompt fixes the following issues:
+
+- CVE-2025-61659: Fixed an issue where predictable files in /tmp were used for a copy of the git index (bsc#1247489)
+</description>
+  <package>bash-git-prompt</package>
+</patchinfo>

patchinfo.20251127122850445245.93181000773252/_patchinfo

@@ -1,4 +1,4 @@
-<patchinfo>
+<patchinfo incident="packagehub-38">
   <issue tracker="bnc" id="1243954">VUL-0: CVE-2025-29785: shadowsocks-v2ray-plugin: github.com/quic-go/quic-go/internal/ackhandler: loss recovery logic for path probe packets can be used by a malicious QUIC client to trigger a null pointer dereference</issue>
   <issue tracker="cve" id="2025-47911">cve#2025-47911 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47911</issue>
   <issue tracker="bnc" id="1243946">VUL-0: CVE-2025-29785: v2ray-core: github.com/quic-go/quic-go/internal/ackhandler: loss recovery logic for path probe packets can be used by a malicious QUIC client to trigger a null pointer dereference</issue>
@@ -62,4 +62,4 @@ Changes in v2ray-core:
 </description>
   <package>shadowsocks-v2ray-plugin</package>
   <package>v2ray-core</package>
-</patchinfo>
+</patchinfo>

patchinfo.20251127153254678434.93181000773252/_patchinfo

@@ -0,0 +1,90 @@
+<patchinfo incident="packagehub-39">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1763743683.1da97aa2:
+  * Optimize Job Group dropdown database query
+  * Split dependency handling out of create_from_settings
+  * Give jobs with high MAX_JOB_TIME a priority malus
+  * Make the number of builds per group on the front page configurable
+  * docs: Feature auto-generated deepwiki less prominently
+  * apparmor: Additional perms for tests in osado to run
+
+- Update to version 5.1763153079.b36ac754:
+  * Skip a build if there are no jobs
+  * Remove unused variable
+
+- Update to version 5.1762879267.52145e9a:
+  * Avoid installing unwanted package versions
+  * Fix check in git_clone for dirty git dir
+  * Prevent `t/24-worker-webui-connection.t` from running into timeout
+  * Be explicit about certain aspects of archiving in the documentation
+  * Fix sporadic failures in `t/ui/10-tests_overview.t`
+  * Adapt os-autoinst-scripts reference after rename
+  * Properly conclude scheduling if there are no jobs
+
+- Update to version 5.1762193001.2f6e71ca:
+  * Potentially improve stability of `t/ui/16-tests_job_next_previous.t`
+  * Avoid failing check in `t/16-utils-runcmd.t`
+  * README: Add deepwiki badge
+  * Dependency cron 2025-10-27
+  * Retry image optimizations
+
+Changes in os-autoinst:
+
+- Update to version 5.1763561851.03e049d:
+  * Avoid `Can't exec "ffmpeg"` if ffmpeg isn't present
+  * Fix syntax errors in nft due to multiple interfaces in $ethernet
+  * README: Feature auto-generated deepwiki less prominently
+  * Install NetworkManager-ovs in os-autoinst-setup-multi-machine
+  * Add disconnect_usb (qemu only, for now)
+
+- Update to version 5.1763048144.30f43a0:
+  * Configure ftables in os-autoinst-setup-multi-machine
+  * Makefile: Fix reruns on incomplete build dir generations
+  * Propagate C++ exceptions to Perl in image write function
+  * Add support NICPCIADDR variable to QEMU backend
+  * Remove test which causes unhandled output
+  * Improve includes in tinycv library
+  * Handle OpenCV exceptions when writing an image
+  * Avoid ignoring errors silently when writing images
+  * Avoid saving test results referring to non-existent screenshots
+
+- Update to version 5.1762250353.5150272:
+  * Makefile: Fix reruns on incomplete build dir generations
+  * Propagate C++ exceptions to Perl in image write function
+  * Add support NICPCIADDR variable to QEMU backend
+  * Remove test which causes unhandled output
+  * Allow array keys like `ISSUES[]` as introduced in openQA commit a53b19b
+  * Improve includes in tinycv library
+
+- Update to version 5.1761723693.2b88807:
+  * Propagate C++ exceptions to Perl in image write function
+  * Add support NICPCIADDR variable to QEMU backend
+  * Remove test which causes unhandled output
+  * Allow array keys like `ISSUES[]` as introduced in openQA commit a53b19b
+  * Improve includes in tinycv library
+  * Handle OpenCV exceptions when writing an image
+  * Avoid ignoring errors silently when writing images
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1763743683.1da97aa28:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20251201094854511762.93181000773252/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-41">
+  <issue tracker="bnc" id="1253608">VUL-0: CVE-2025-47913: act: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="cve" id="2025-47913">cve#2025-47913 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47913</issue>
+  <packager>elimat</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for act</summary>
+  <description>This update for act fixes the following issues:
+
+- CVE-2025-47913: Prevent panic in embedded golang.org/x/crypto/ssh/agent client when
+  receiving unexpected message types for key listing or signing requests (boo#1253608)
+</description>
+  <package>act</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251201094954024941.93181000773252/_patchinfo

@@ -0,0 +1,209 @@
+<patchinfo incident="packagehub-54">
+  <issue tracker="bnc" id="1251651">VUL-0: CVE-2025-58190: hauler: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="cve" id="2025-22872">cve#2025-22872 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-22872</issue>
+  <issue tracker="cve" id="2025-58058">cve#2025-58058 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58058</issue>
+  <issue tracker="cve" id="2024-45338">cve#2024-45338 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-45338</issue>
+  <issue tracker="bnc" id="1241184">VUL-0: CVE-2024-0406: hauler: mholt/archiver: access to restricted files or directories when unpacking specially crafted tar file</issue>
+  <issue tracker="bnc" id="1235332">VUL-0: CVE-2024-45338: hauler: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content</issue>
+  <issue tracker="cve" id="2025-11579">cve#2025-11579 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-11579</issue>
+  <issue tracker="cve" id="2024-0406">cve#2024-0406 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-0406</issue>
+  <issue tracker="cve" id="2025-47911">cve#2025-47911 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47911</issue>
+  <issue tracker="cve" id="2025-46569">cve#2025-46569 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46569</issue>
+  <issue tracker="bnc" id="1246722">VUL-0: CVE-2025-46569: hauler: github.com/open-policy-agent/opa: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API</issue>
+  <issue tracker="bnc" id="1248937">VUL-0: CVE-2025-58058: hauler: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <issue tracker="bnc" id="1241804">VUL-0: CVE-2025-22872: hauler: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
+  <issue tracker="bnc" id="1251516">VUL-0: CVE-2025-47911: hauler: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="cve" id="2025-58190">cve#2025-58190 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58190</issue>
+  <issue tracker="bnc" id="1251891">VUL-0: CVE-2025-11579: hauler: github.com/nwaples/rardecode: failure to restrict the dictionary size when processing RAR files allows for excessive memory consumpti</issue>
+  <packager>dirkmueller</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for hauler</summary>
+  <description>This update for hauler fixes the following issues:
+
+- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,
+  bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,
+  bsc#1248937, CVE-2025-58058):
+  * bump github.com/containerd/containerd (#474)
+  * another fix to tests for new tests (#472)
+  * fixed typo in testdata (#471)
+  * fixed/cleaned new tests (#470)
+  * trying a new way for hauler testing (#467)
+  * update for cosign v3 verify (#469)
+  * added digests view to info (#465)
+  * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
+  * update oras-go to v1.2.7 for security patches (#464)
+  * update cosign to v3.0.2+hauler.1 (#463)
+  * fixed homebrew directory deprecation (#462)
+  * add registry logout command (#460)
+
+- Update to version 1.3.0:
+  * bump the go_modules group across 1 directory with 2 updates (#455)
+  * upgraded versions/dependencies/deprecations (#454)
+  * allow loading of docker tarballs (#452)
+  * bump the go_modules group across 1 directory with 2 updates (#449)
+
+- update to 1.2.5 (bsc#1246722, CVE-2025-46569):
+  * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in
+    the go_modules group across 1 directory (CVE-2025-46569)
+  * deprecate auth from hauler store copy
+  * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the
+    go_modules group across 1 directory
+  * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
+    in the go_modules group across 1 directory
+  * upgraded go and dependencies versions
+
+- Update to version 1.2.5:
+  * upgraded go and dependencies versions (#444)
+  * Bump github.com/go-viper/mapstructure/v2 (#442)
+  * bump github.com/cloudflare/circl (#441)
+  * deprecate auth from hauler store copy (#440)
+  * Bump github.com/open-policy-agent/opa (#438)
+
+- update to 1.2.4 (CVE-2025-22872, bsc#1241804):
+  * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
+    group across 1 directory
+  * minor tests updates
+
+- Update to version 1.2.3:
+  * formatting and flag text updates
+  * add keyless signature verification (#434)
+  * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
+  * add --only flag to hauler store copy (for images) (#429)
+  * fix tlog verification error/warning output (#428)
+
+- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
+  * cleanup new tlog flag typos and add shorthand (#426)
+  * default public transparency log verification to false to be airgap friendly but allow override (#425)
+  * bump github.com/golang-jwt/jwt/v4 (#423)
+  * bump the go_modules group across 1 directory with 2 updates (#422)
+  * bump github.com/go-jose/go-jose/v3 (#417)
+  * bump github.com/go-jose/go-jose/v4 (#415)
+  * clear default manifest name if product flag used with sync (#412)
+  * updates for v1.2.0 (#408)
+  * fixed remote code (#407)
+  * added remote file fetch to load (#406)
+  * added remote and multiple file fetch to sync (#405)
+  * updated save flag and related logs (#404)
+  * updated load flag and related logs [breaking change] (#403)
+  * updated sync flag and related logs [breaking change] (#402)
+  * upgraded api update to v1/updated dependencies (#400)
+  * fixed consts for oci declarations (#398)
+  * fix for correctly grabbing platform post cosign 2.4 updates (#393)
+  * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
+  * Bump the go_modules group across 1 directory with 2 updates (#385)
+  * replace mholt/archiver with mholt/archives (#384)
+  * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
+  * cleaned up registry and improved logging (#378)
+  * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
+- bump net/html dependencies (bsc#1235332, CVE-2024-45338)
+
+- Update to version 1.1.1:
+  * fixed cli desc for store env var (#374)
+  * updated versions for go/k8s/helm (#373)
+  * updated version flag to internal/flags (#369)
+  * renamed incorrectly named consts (#371)
+  * added store env var (#370)
+  * adding ignore errors and retries for continue on error/fail on error (#368)
+  * updated/fixed hauler directory (#354)
+  * standardize consts (#353)
+  * removed cachedir code (#355)
+  * removed k3s code (#352)
+  * updated dependencies for go, helm, and k8s (#351)
+  * [feature] build with boring crypto where available (#344)
+  * updated workflow to goreleaser builds (#341)
+  * added timeout to goreleaser workflow (#340)
+  * trying new workflow build processes (#337)
+  * improved workflow performance (#336)
+  * have extract use proper ref (#335)
+  * yet another workflow goreleaser fix (#334)
+  * even more workflow fixes (#333)
+  * added more fixes to github workflow (#332)
+  * fixed typo in hauler store save (#331)
+  * updates to fix build processes (#330)
+  * added integration tests for non hauler tarballs (#325)
+  * bump: golang &gt;= 1.23.1 (#328)
+  * add platform flag to store save (#329)
+  * Update feature_request.md
+  * updated/standardize command descriptions (#313)
+  * use new annotation for 'store save' manifest.json (#324)
+  * enable docker load for hauler tarballs (#320)
+  * bump to cosign v2.2.3-carbide.3 for new annotation (#322)
+  * continue on error when adding images to store (#317)
+  * Update README.md (#318)
+  * fixed completion commands (#312)
+  * github.com/rancherfederal/hauler =&gt; hauler.dev/go/hauler (#311)
+  * pages: enable go install hauler.dev/go/hauler (#310)
+  * Create CNAME
+  * pages: initial workflow (#309)
+  * testing and linting updates (#305)
+  * feat-273: TLS Flags (#303)
+  * added list-repos flag (#298)
+  * fixed hauler login typo (#299)
+  * updated cobra function for shell completion (#304)
+  * updated install.sh to remove github api (#293)
+  * fix image ref keys getting squashed when containing sigs/atts (#291)
+  * fix missing versin info in release build (#283)
+  * bump github.com/docker/docker in the go_modules group across 1 directory (#281)
+  * updated install script (`install.sh`) (#280)
+  * fix digest images being lost on load of hauls (Signed). (#259)
+  * feat: add readonly flag (#277)
+  * fixed makefile for goreleaser v2 changes (#278)
+  * updated goreleaser versioning defaults (#279)
+  * update feature_request.md (#274)
+  * updated old references
+  * updated actions workflow user
+  * added dockerhub to github actions workflow
+  * removed helm chart
+  * added debug container and workflow
+  * updated products flag description
+  * updated chart for release
+  * fixed workflow errors/warnings
+  * fixed permissions on testdata
+  * updated chart versions (will need to update again)
+  * last bit of fixes to workflow
+  * updated unit test workflow
+  * updated goreleaser deprecations
+  * added helm chart release job
+  * updated github template names
+  * updated imports (and go fmt)
+  * formatted gitignore to match dockerignore
+  * formatted all code (go fmt)
+  * updated chart tests for new features
+  * Adding the timeout flag for fileserver command
+  * Configure chart commands to use helm clients for OCI and private registry support
+  * Added some documentation text to sync command
+  * Bump golang.org/x/net from 0.17.0 to 0.23.0
+  * fix for dup digest smashing in cosign
+  * removed vagrant scripts
+  * last bit of updates and formatting of chart
+  * updated hauler testdata
+  * adding functionality and cleaning up
+  * added initial helm chart
+  * removed tag in release workflow
+  * updated/fixed image ref in release workflow
+  * updated/fixed platforms in release workflow
+  * updated/cleaned github actions (#222)
+  * Make Product Registry configurable (#194)
+  * updated fileserver directory name (#219)
+  * fix logging for files
+  * add extra info for the tempdir override flag
+  * tempdir override flag for load
+  * deprecate the cache flag instead of remove
+  * switch to using bci-golang as builder image
+  * fix: ensure /tmp for hauler store load
+  * added the copy back for now
+  * remove copy at the image sync not needed with cosign update
+  * removed misleading cache flag
+  * better logging when adding to store
+  * update to v2.2.3 of our cosign fork
+  * add: dockerignore
+  * add: Dockerfile
+  * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
+  * Bump github.com/docker/docker
+  * updated and added new logos
+  * updated github files
+</description>
+  <package>hauler</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251201095419906173.93181000773252/_patchinfo

@@ -0,0 +1,56 @@
+<patchinfo incident="packagehub-42">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1764349525.ffb59486:
+  * Also use TIMEOUT_SCALE for priority malus calculation
+  * docs: Fix wrapping and typo
+  * Document multi machine ovs flow setup and IPv6 usage
+  * Avoid computing time constraint for scheduled product cleanup in Perl
+  * rpm: Move `…-enqueue-needle-ref-cleanup` to other `…-enqueue-…` scripts
+  * Add task to limit scheduled products similar to audit events
+  * Extract generic parts from audit event cleanup task into generic task
+  * parser: ktap: Show full output by default if no line was parsed
+  * Ignore npm scripts also via `.npmrc` to make bare npm calls more secure
+  * Avoid repeating `MAIN_SETTINGS` in various places
+  * Fix possibly excessive memory use when computer test result overview
+  * Fix typo in `_prepare_complex_query_search_args`
+  * Fix indentation in `overview.html.ep`
+  * Prevent logging AMQP credentials in debug output
+  * Make restart_openqa_job emit proper event payload
+  * Enable gru tasks to emit AMQP messages
+  * Remove explicit loading AMQP plugin in Gru plugin
+  * Emit restart events when job restarted automatically
+  * Add debug message about priority malus
+  * Fix ordering of job groups after 2ad929ceca43d
+
+Changes in os-autoinst:
+
+- Update to version 5.1764330105.c5cfd48:
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+  * Fix regression from abcaa66b by disabling virtio-keyboard by default
+  * Add IPv6 support for multi machine tests
+  * distribution: Add "disable_key_repeat"
+  * Use 'virtio-keyboard' by default to allow fixing key repetition errors
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1764349525.ffb594867:
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090122170457.187004354831441/_patchinfo

@@ -0,0 +1,43 @@
+<patchinfo incident="packagehub-43">
+  <issue tracker="bnc" id="1254429">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13632">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13636">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13720">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13721">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13637">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13639">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13640">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13635">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13633">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13638">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13630">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13634">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <issue tracker="cve" id="2025-13631">VUL-0: chromium: release 143.0.7499.40):</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+Chromium 143.0.7499.40 (boo#1254429):
+
+  * CVE-2025-13630: Type Confusion in V8
+  * CVE-2025-13631: Inappropriate implementation in Google Updater
+  * CVE-2025-13632: Inappropriate implementation in DevTools
+  * CVE-2025-13633: Use after free in Digital Credentials
+  * CVE-2025-13634: Inappropriate implementation in Downloads
+  * CVE-2025-13720: Bad cast in Loader
+  * CVE-2025-13721: Race in v8
+  * CVE-2025-13635: Inappropriate implementation in Downloads
+  * CVE-2025-13636: Inappropriate implementation in Split View
+  * CVE-2025-13637: Inappropriate implementation in Downloads
+  * CVE-2025-13638: Use after free in Media Stream
+  * CVE-2025-13639: Inappropriate implementation in WebRTC
+  * CVE-2025-13640: Inappropriate implementation in Passwords
+
+</description>
+  <package>chromium</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090149653113.187004354831441/_patchinfo

@@ -0,0 +1,43 @@
+<patchinfo incident="packagehub-44">
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for virtme</summary>
+  <description>This update for virtme fixes the following issues:
+
+Changes in virtme:
+
+Update to 1.39:
+
+  * The most noticeable change in this release is the new Model Context
+    Protocol (MCP) server. This feature lets you connect with AI
+    assistants such as Claude, Cursor, etc., and use natural human
+    language to automate kernel development tasks.
+    In this way, AI agents can automatically configure kernels, apply
+    patches from lore.kernel.org, and run commands within recompiled
+    kernels. You can even have the AI agent perform bug bisection for
+    you and run specific commands/scripts inside each recompiled
+    version to determine whether the kernel is good or bad.
+  * An additional feature is vCPU pinning (using the --pin CPU_LIST option),
+    which enables binding virtual CPUs to particular physical host CPUs.
+    This ensures more consistent performance testing within the vng guest
+    environment.
+  * The release also adds support for memoryless NUMA nodes,
+    enablingusers to specify size=0 with the --numa argument to create
+    NUMA nodes without memory. This capability can be useful for simulating
+    heterogeneous architectures, where devices like GPUs are represented
+    as memoryless NUMA nodes to model their CPU locality relationships.
+  * Last, but not least, there's a new --shell BINARY option which lets
+    users choose a different shell to use within the vng session, rather
+    than using their system's default shell and a new --empty-password
+    option that creates empty passwords in the vng guest, instead of
+    blocking login for other users, enabling easier debugging and SSH
+    access during testing.
+  * Updated Python versions in CI (dropped EOL 3.8 and 3.9)
+  * Various bug fixes in virtme-init
+  * Enhanced documentation and README updates
+  * Improved error handling and validation
+</description>
+  <package>virtme</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090209179395.187004354831441/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-45">
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for gitea-tea</summary>
+  <description>This update for gitea-tea fixes the following issues:
+
+Changes in gitea-tea:
+
+- Do not make config file group-readable.
+</description>
+  <package>gitea-tea</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090227587250.187004354831441/_patchinfo

@@ -0,0 +1,106 @@
+<patchinfo incident="packagehub-46">
+  <issue tracker="bnc" id="1253506">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="cve" id="2025-47913">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="bnc" id="1251463">VUL-0: CVE-2025-47911: git-bug: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1254084">VUL-0: CVE-2025-47914: git-bug: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <issue tracker="bnc" id="1234565">VUL-0: CVE-2024-45337: git-bug: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
+  <issue tracker="cve" id="2025-47914">VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1251664">VUL-0: CVE-2025-58190: git-bug: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1239494">VUL-0: CVE-2025-22869: git-bug: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <issue tracker="cve" id="2024-45337">VUL-0: CVE-2024-45337: TRACKERBUG: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
+  <issue tracker="cve" id="2025-47911">VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="cve" id="2025-58181">VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="bnc" id="1253930">VUL-0: CVE-2025-58181: git-bug: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <packager>mcepl</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for git-bug</summary>
+  <description>This update for git-bug fixes the following issues:
+
+Changes in git-bug:
+
+- Revendor to include fixed version of depending libraries:
+  - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
+    golang.org/x/crypto to v0.43.0
+  - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
+    github.com/go-viper/mapstructure/v2 to v2.4.0
+  - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
+  - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
+    github.com/cloudflare/circl to v1.6.1
+  - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
+    golang.org/x/crypto/ssh to v0.45.0
+  - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
+    golang.org/x/crypto/ssh/agent to v0.45.0
+
+- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
+  possible DoS by various algorithms with quadratic complexity
+  when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
+  bsc#1251664, CVE-2025-58190).
+
+Update to version 0.10.1:
+
+  - cli: ignore missing sections when removing configuration (ddb22a2f)
+
+Update to version 0.10.0:
+
+  - bridge: correct command used to create a new bridge (9942337b)
+  - web: simplify header navigation (7e95b169)
+  - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
+  - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)
+
+Update to version 0.10.0:
+
+  - bridge: correct command used to create a new bridge (9942337b)
+  - web: simplify header navigation (7e95b169)
+  - web: remark upgrade + gfm + syntax highlighting (6ee47b96)
+
+Update to version 0.9.0:
+
+  - completion: remove errata from string literal (aa102c91)
+  - tui: improve readability of the help bar (23be684a)
+
+Update to version 0.8.1+git.1746484874.96c7a111:
+
+  * docs: update install, contrib, and usage documentation (#1222)
+  * fix: resolve the remote URI using url.*.insteadOf (#1394)
+  * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
+  * chore: gofmt simplify gitlab/export_test.go (#1392)
+  * fix: checkout repo before setting up go environment (#1390)
+  * feat: bump to go v1.24.2 (#1389)
+  * chore: update golang.org/x/net (#1379)
+  * fix: use -0700 when formatting time (#1388)
+  * fix: use correct url for gitlab PATs (#1384)
+  * refactor: remove depdendency on pnpm for auto-label action (#1383)
+  * feat: add action: auto-label (#1380)
+  * feat: remove lifecycle/frozen (#1377)
+  * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
+  * feat: support new exclusion label: lifecycle/pinned (#1375)
+  * fix: refactor how gitlab title changes are detected (#1370)
+  * revert: "Create Dependabot config file" (#1374)
+  * refactor: rename //:git-bug.go to //:main.go (#1373)
+  * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
+  * fix: set GitLastTag to an empty string when git-describe errors (#1355)
+  * chore: update go-git to v5@masterupdate_mods (#1284)
+  * refactor: Directly swap two variables to optimize code (#1272)
+  * Update README.md Matrix link to new room (#1275)
+
+- Update to version 0.8.0+git.1742269202.0ab94c9:
+  * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
+
+- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
+  CVE-2025-22869).
+
+- Add missing Requires to completion subpackages.
+
+Update to version 0.8.0+git.1733745604.d499b6e:
+
+  * fix typos in docs (#1266)
+  * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
+
+- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).
+</description>
+  <package>git-bug</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090353000871.187004354831441/_patchinfo

@@ -0,0 +1,23 @@
+<patchinfo incident="packagehub-47">
+  <packager>regularhunter</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for weechat</summary>
+  <description>This update for weechat fixes the following issues:
+
+Changes in weechat:
+
+Update to 4.7.2:
+
+  Fixed:
+
+  * api: fix file descriptor leak in hook_url when a timeout occurs
+    or if the hook is removed during the transfer (#2284)
+  * irc: fix colors in messages 367 (ban mask), 728 (quiet mask) and
+    MODE (#2286)
+  * irc: fix reset of color when multiple modes are set with
+    command /mode
+</description>
+  <package>weechat</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251203090415508822.187004354831441/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-48">
+  <packager>rrahl0</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for gnome-browser-connector</summary>
+  <description>This update for gnome-browser-connector fixes the following issues:
+
+Changes in gnome-browser-connector:
+
+- add unzip as a requires, otherwise the extensions can't get
+  extracted
+</description>
+  <package>gnome-browser-connector</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251205103932570835.187004354831441/_patchinfo

@@ -0,0 +1,127 @@
+<patchinfo incident="packagehub-51">
+  <packager>dirkmueller</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for trivy</summary>
+  <description>This update for trivy fixes the following issues:
+
+Changes in trivy:
+
+Update to version 0.68.1:
+
+  * fix: update cosing settings for GoReleaser after bumping cosing to v3 (#9863)
+  * chore(deps): bump the testcontainers group with 2 updates (#9506)
+  * feat(aws): Add support for dualstack ECR endpoints (#9862)
+  * fix(vex): use a separate `visited` set for each DFS path (#9760)
+  * docs: catch some missed docs -&gt; guide (#9850)
+  * refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
+  * chore(cli): Remove Trivy Cloud (#9847)
+  * fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
+  * fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
+  * chore(deps): bump the docker group with 3 updates (#9776)
+  * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
+  * chore(deps): bump the common group across 1 directory with 20 updates (#9840)
+  * feat(image): add Sigstore bundle SBOM support (#9516)
+  * chore(deps): bump the aws group with 7 updates (#9691)
+  * test(k8s): update k8s integrtion test (#9725)
+  * chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
+  * feat(sbom): add support for SPDX attestations (#9829)
+  * docs(misconf): Remove duplicate sections (#9819)
+  * feat(misconf): Update Azure network schema for new checks (#9791)
+  * feat(misconf): Update AppService schema (#9792)
+  * fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
+  * feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
+  * docs: restructure docs for new hosting (#9799)
+  * docs(server): fix info about scanning licenses on the client side. (#9805)
+  * ci: remove unused preinstalled software/images for build tests to free up disk space. (#9814)
+  * feat(report): add fingerprint generation for vulnerabilities (#9794)
+  * chore: trigger the trivy-www workflow (#9737)
+  * fix: update all documentation links (#9777)
+  * feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
+  * test(go): set `GOPATH` for tests (#9785)
+  * feat(flag): add `--cacert` flag (#9781)
+  * fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
+  * test(go): refactor mod_test.go to use txtar format (#9775)
+  * docs: Fix typos and linguistic errors in documentation / hacktoberfest (#9586)
+  * chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
+  * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
+  * fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
+  * docs: add info that `SSL_CERT_FILE` works on `Unix systems other than macOS` only (#9772)
+  * docs: change SecObserve URLs in documentatio (#9771)
+  * feat(db): enable concurrent access to vulnerability database (#9750)
+  * feat(misconf): add agentpools to azure container schema (#9714)
+  * feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
+  * feat(misconf): Update Azure Compute schema (#9675)
+  * feat(misconf): Update azure storage schema (#9728)
+  * feat(misconf): Update SecurityCenter schema (#9674)
+  * feat(image): pass global context to docker/podman image save func (#9733)
+  * chore(deps): bump the github-actions group with 4 updates (#9739)
+  * fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
+  * feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
+  * feat(dotnet): add dependency graph support for .deps.json files (#9726)
+  * feat(misconf): Add support for configurable Rego error limit (#9657)
+  * feat(misconf): Add RoleAssignments attribute (#9396)
+  * feat(report): add image reference to report metadata (#9729)
+  * fix(os): Add photon 5.0 in supported OS (#9724)
+  * fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
+  * refactor: add case-insensitive string set implementation (#9720)
+  * feat: include registry and repository in artifact ID calculation (#9689)
+  * feat(java): add support remote repositories from settings.xml files (#9708)
+  * fix(sbom): don’t panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
+  * docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
+  * docs: add info about `java-db` subdir (#9706)
+  * fix(report): correct field order in SARIF license results (#9712)
+  * test: improve golden file management in integration tests (#9699)
+  * ci: get base_sha using base.ref (#9704)
+  * refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
+  * fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
+  * fix: close all opened resources if an error occurs (#9665)
+  * refactor(misconf): type-safe parser results in generic scanner (#9685)
+  * feat(image): add RepoTags support for Docker archives (#9690)
+  * chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
+  * feat(misconf): Update Azure Container Schema (#9673)
+  * ci: use merge commit for apidiff to avoid false positives (#9622)
+  * feat(misconf): include map key in manifest snippet for diagnostics (#9681)
+  * refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
+  * test: update golden files for TestRepository* integration tests (#9684)
+  * refactor(cli): Update the cloud config command (#9676)
+  * fix(sbom): add `buildInfo` info as properties (#9683)
+  * feat: add ReportID field to scan reports (#9670)
+  * docs: add vulnerability database contribution guide (#9667)
+  * feat(cli): Add trivy cloud suppport (#9637)
+  * feat: add ArtifactID field to uniquely identify scan targets (#9663)
+  * fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
+  * feat(sbom): use SPDX license IDs list to validate SPDX IDs  (#9569)
+  * fix: use context for analyzers (#9538)
+  * chore(deps): bump the docker group with 3 updates (#9545)
+  * chore(deps): bump the aws group with 6 updates (#9547)
+  * ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1 (#9641)
+  * test(helm): bump up Yamale dependency for Helm chart-testing-action (#9653)
+  * fix: Trim the end-of-range suffix (#9618)
+  * test(k8s): use a specific bundle for k8s misconfig scan (#9633)
+  * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
+  * refactor: move the aws config (#9617)
+  * fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
+  * fix: using SrcVersion instead of Version for echo detector (#9552)
+  * feat(fs): change artifact type to repository when git info is detected (#9613)
+  * fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
+  * fix(vex): don't use reused BOM (#9604)
+  * ci: use pull_request_target for apidiff workflow to support fork PRs (#9605)
+  * fix: restore compatibility for google.protobuf.Value (#9559)
+  * ci: add API diff workflow (#9600)
+  * chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
+  * docs: improve documentation for scanning raw IaC configurations (#9571)
+  * feat: allow ignoring findings by type in Rego (#9578)
+  * docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
+  * refactor(misconf): add ID to scan.Rule (#9573)
+  * fix(java): update order for resolving package fields from multiple demManagement (#9575)
+  * chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
+  * chore(deps): bump the common group across 1 directory with 7 updates (#9590)
+  * chore(deps): Switch to go-viper/mapstructure (#9579)
+  * chore: add context to the cache interface (#9565)
+  * ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0 (#9554)
+  * fix: validate backport branch name (#9548)
+</description>
+  <package>trivy</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251208125318499450.93181000773252/_patchinfo

@@ -0,0 +1,18 @@
+<patchinfo incident="packagehub-50">
+  <issue tracker="bnc" id="1254437">VUL-0: CVE-2025-64460,CVE-2025-13372: python-Django: Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion</issue>
+  <issue tracker="bnc" id="1252926">VUL-0: CVE-2025-64459: python-Django,python-Django4: Potential SQL injection via `_connector` keyword argument in `QuerySet` and `Q` objects</issue>
+  <issue tracker="cve" id="2025-13372">cve#2025-13372 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-13372</issue>
+  <issue tracker="cve" id="2025-64460">cve#2025-64460 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-64460</issue>
+  <issue tracker="cve" id="2025-64459">cve#2025-64459 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-64459</issue>
+  <packager>mcalabkova</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for python-Django</summary>
+  <description>This update for python-Django fixes the following issues:
+
+- CVE-2025-64459: Fixed a potential SQL injection via `_connector` keyword argument in `QuerySet` and `Q` objects (bsc#1252926)
+- CVE-2025-13372,CVE-2025-64460: Fixed Denial of Service in 'django.core.serializers.xml_serializer.getInnerText()' (bsc#1254437)
+</description>
+  <package>python-Django</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251209165835367165.93181000773252/_patchinfo

@@ -0,0 +1,13 @@
+<patchinfo incident="packagehub-52">
+  <issue tracker="cve" id="2025-53881">cve#2025-53881 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-53881</issue>
+  <issue tracker="bnc" id="1246457">VUL-0: CVE-2025-53881: exim: SUSE-specific logrotate configuration allows escalation from mail user/group to root</issue>
+  <packager>bigironman</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for exim</summary>
+  <description>This update for exim fixes the following issues:
+
+- CVE-2025-53881: Fixed a potential security issue with logfile rotation (bsc#1246457)
+</description>
+  <package>exim</package>
+</patchinfo>

patchinfo.20251210101443200408.93181000773252/_patchinfo

@@ -0,0 +1,18 @@
+<patchinfo incident="packagehub-53">
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for virtme</summary>
+  <description>This update for virtme fixes the following issues:
+
+- Update to 1.40:
+  * No significant change, this is just a very small hotfix release
+    to solve a packaging problem introduced by a conflict with the
+    new vng-mcp tool.
+  * While at it, there're also some small improved hints in the MCP
+    server, so that AI agents can better understand how to build
+    the kernel using vng --build.
+</description>
+  <package>virtme</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251210102155991569.93181000773252/_patchinfo

@@ -0,0 +1,20 @@
+<patchinfo incident="packagehub-57">
+  <issue tracker="bnc" id="1254531">cmake-extras: Could not locate qmlplugindump</issue>
+  <issue tracker="bnc" id="1239788">cmake4: build failure tracker bug.</issue>
+  <packager>hillwood</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for cmake-extras</summary>
+  <description>This update for cmake-extras fixes the following issues:
+
+- Support both qmlplugindump-qt5 and qmlplugindump-qt6 (boo#1254531)
+- Fix filename and path of qmlplugindump-qt5 for openSUSE
+- Update to 1.9
+  * add support for CMake 4.0
+- Update to 1.8
+  * GMock: wire dependencies between GMock step and library files
+  * QmlPlugins: Crude support for qt6
+</description>
+  <package>cmake-extras</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251210175743200408.93181000773252/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-58">
+  <packager>pgajdos</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for rawtherapee</summary>
+  <description>This update for rawtherapee fixes the following issues:
+
+Ship rawtherapee image editor.
+</description>
+  <package>rawtherapee</package>
+</patchinfo>

patchinfo.20251211092111744764.93181000773252/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="packagehub-55">
+  <issue tracker="cve" id="2025-14372">cve#2025-14372 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-14372</issue>
+  <issue tracker="bnc" id="1254776">VUL-0: chromium: release 143.0.7499.109</issue>
+  <issue tracker="cve" id="2025-14373">cve#2025-14373 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-14373</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+- Chromium 143.0.7499.109 (boo#1254776):
+  * CVE-2025-14372: Use after free in Password Manager
+  * CVE-2025-14373: Inappropriate implementation in Toolbar
+  * third issue with an exploit is known to exist in the wild
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251214181248399975.93181000773252/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-56">
+  <issue tracker="bnc" id="1254386">labwc crashes when turning display off with wlr-randr (fixed in upstream and Factory)</issue>
+  <packager>lucsansag</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for labwc</summary>
+  <description>This update for labwc fixes the following issues:
+
+Changes in labwc:
+
+- Fixed layershell unmap segfault when no outputs left (boo#1254386)
+</description>
+  <package>labwc</package>
+  <seperate_build_arch/>
+</patchinfo>

workflow.config

@@ -65,6 +65,7 @@
         "mschnitzer",
         "msmeissn",
         "openqa-maintenance",
+        "rfrohl",
         "foursixnine-openqa",
         "szarate"
         ],