Update patchinfo incident numbers [skip actions]

PR: products/PackageHub!338

.gitmodules

@@ -290,6 +290,10 @@
 	path = PrusaSlicer
 	url = ../../pool/PrusaSlicer
 	branch = leap-16.0
+[submodule "dehydrated"]
+	path = dehydrated
+	url = ../../pool/dehydrated
+	branch = leap-16.0
 [submodule "QR-Code-generator"]
 	path = QR-Code-generator
 	url = ../../pool/QR-Code-generator
@@ -17350,6 +17354,10 @@
 	path = rasqal
 	url = ../../pool/rasqal
 	branch = leap-16.0
+[submodule "rawtherapee"]
+	path = rawtherapee
+	url = ../../pool/rawtherapee
+	branch = leap-16.0
 [submodule "raw-thumbnailer"]
 	path = raw-thumbnailer
 	url = ../../pool/raw-thumbnailer
@@ -26130,6 +26138,106 @@
 	path = python-pyRFC3339
 	url = ../../pool/python-pyRFC3339
 	branch = leap-16.0
+[submodule "certbot-systemd-timer"]
+	path = certbot-systemd-timer
+	url = ../../pool/certbot-systemd-timer
+	branch = leap-16.0
+[submodule "python-augeas"]
+	path = python-augeas
+	url = ../../pool/python-augeas
+	branch = leap-16.0
+[submodule "python-bson"]
+	path = python-bson
+	url = ../../pool/python-bson
+	branch = leap-16.0
+[submodule "python-certbot-apache"]
+	path = python-certbot-apache
+	url = ../../pool/python-certbot-apache
+	branch = leap-16.0
+[submodule "python-certbot-dns-cloudflare"]
+	path = python-certbot-dns-cloudflare
+	url = ../../pool/python-certbot-dns-cloudflare
+	branch = leap-16.0
+[submodule "python-certbot-dns-digitalocean"]
+	path = python-certbot-dns-digitalocean
+	url = ../../pool/python-certbot-dns-digitalocean
+	branch = leap-16.0
+[submodule "python-certbot-dns-dnsimple"]
+	path = python-certbot-dns-dnsimple
+	url = ../../pool/python-certbot-dns-dnsimple
+	branch = leap-16.0
+[submodule "python-certbot-dns-dnsmadeeasy"]
+	path = python-certbot-dns-dnsmadeeasy
+	url = ../../pool/python-certbot-dns-dnsmadeeasy
+	branch = leap-16.0
+[submodule "python-certbot-dns-linode"]
+	path = python-certbot-dns-linode
+	url = ../../pool/python-certbot-dns-linode
+	branch = leap-16.0
+[submodule "python-certbot-dns-luadns"]
+	path = python-certbot-dns-luadns
+	url = ../../pool/python-certbot-dns-luadns
+	branch = leap-16.0
+[submodule "python-certbot-dns-nsone"]
+	path = python-certbot-dns-nsone
+	url = ../../pool/python-certbot-dns-nsone
+	branch = leap-16.0
+[submodule "python-certbot-dns-ovh"]
+	path = python-certbot-dns-ovh
+	url = ../../pool/python-certbot-dns-ovh
+	branch = leap-16.0
+[submodule "python-certbot-dns-rfc2136"]
+	path = python-certbot-dns-rfc2136
+	url = ../../pool/python-certbot-dns-rfc2136
+	branch = leap-16.0
+[submodule "python-certbot-dns-route53"]
+	path = python-certbot-dns-route53
+	url = ../../pool/python-certbot-dns-route53
+	branch = leap-16.0
+[submodule "python-cloudflare"]
+	path = python-cloudflare
+	url = ../../pool/python-cloudflare
+	branch = leap-16.0
+[submodule "python-digitalocean"]
+	path = python-digitalocean
+	url = ../../pool/python-digitalocean
+	branch = leap-16.0
+[submodule "python-dns-lexicon"]
+	path = python-dns-lexicon
+	url = ../../pool/python-dns-lexicon
+	branch = leap-16.0
+[submodule "python-jsonlines"]
+	path = python-jsonlines
+	url = ../../pool/python-jsonlines
+	branch = leap-16.0
+[submodule "python-jsonpickle"]
+	path = python-jsonpickle
+	url = ../../pool/python-jsonpickle
+	branch = leap-16.0
+[submodule "python-localzone"]
+	path = python-localzone
+	url = ../../pool/python-localzone
+	branch = leap-16.0
+[submodule "python-pytest-httpx"]
+	path = python-pytest-httpx
+	url = ../../pool/python-pytest-httpx
+	branch = leap-16.0
+[submodule "python-requests-file"]
+	path = python-requests-file
+	url = ../../pool/python-requests-file
+	branch = leap-16.0
+[submodule "python-softlayer"]
+	path = python-softlayer
+	url = ../../pool/python-softlayer
+	branch = leap-16.0
+[submodule "python-softlayer-zeep"]
+	path = python-softlayer-zeep
+	url = ../../pool/python-softlayer-zeep
+	branch = leap-16.0
+[submodule "python-tldextract"]
+	path = python-tldextract
+	url = ../../pool/python-tldextract
+	branch = leap-16.0
 [submodule "openQA-devel-container"]
 	path = openQA-devel-container
 	url =  ../../pool/openQA-devel-container

0Backports/Backports.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jan  5 10:38:32 UTC 2026 - Wolfgang Engel <wolfgang.engel@suse.com>
+
+- Backports.productcompose:
+  + add to backports_unneeded, remove xen related packages (bsc#1253226)
+      xen-tools-xendomains-wait-disk
+
 -------------------------------------------------------------------
 Fri Oct 10 07:19:41 UTC 2025 - Wolfgang Engel <wolfgang.engel@suse.com>
 

0Backports/Backports.productcompose

@@ -281,6 +281,7 @@ packagesets:
   - xen-doc-html
   - xen-tools
   - xen-tools-domU
+  - xen-tools-xendomains-wait-disk
   - yum-utils
 
 # TODO: unneeded Leap package per architecture
@@ -701,6 +702,9 @@ packagesets:
   - cargo-packaging
   - cargo1.87
   - cargo1.88
+  - cargo1.89
+  - cargo1.90
+  - cargo1.91
   - catatonit
   - cblas-devel
   - cblas-devel-static
@@ -1408,7 +1412,6 @@ packagesets:
   - gobject-introspection-devel
   - golang-github-cpuguy83-go-md2man
   - golang-github-google-jsonnet
-  - golang-github-prometheus-prometheus
   - golang-github-prometheus-promu
   - golang-packaging
   - google-errorprone-annotation
@@ -6796,6 +6799,9 @@ packagesets:
   - rhino-engine
   - rhino-javadoc
   - rhino-runtime
+  - rmt-server
+  - rmt-server-config
+  - rmt-server-pubcloud
   - rollback-helper
   - rootlesskit
   - rp-pppoe
@@ -6852,6 +6858,9 @@ packagesets:
   - rust-keylime
   - rust1.87
   - rust1.88
+  - rust1.89
+  - rust1.90
+  - rust1.91
   - samba
   - samba-ad-dc
   - samba-ad-dc-libs
@@ -7080,7 +7089,6 @@ packagesets:
   - system-user-news
   - system-user-nobody
   - system-user-ntp
-  - system-user-prometheus
   - system-user-pulse
   - system-user-qemu
   - system-user-root

_config

@@ -168,7 +168,7 @@ Macros:
 
 # Leap specific package list, the same list with excludebuild must add to Backports project
 # Most of package should be built in Backports
-%if "%_project" == "openSUSE:Backports:SLE-16.0"
+%if 0%{?_is_in_project}
 # we build ffado:ffado-mixer for openSUSE, the main one is built in SLFO
 BuildFlags: excludebuild:ffado
 # build gpgme:qt flavor for qt5 support

patchinfo.20251027101540783529.187004354831441/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-67">
+  <packager>lkocman</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for grub2-compat-ia32</summary>
+  <description>This update for grub2-compat-ia32 fixes the following issues:
+
+- Drop update-bootloader --get as it returns 0
+  even if the variable is unset
+- Add update-bootloader also into post and postun Requires 
+  </description>
+  <package>grub2-compat-ia32</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251117131718442159.187004354831441/_patchinfo

@@ -0,0 +1,236 @@
+<patchinfo incident="packagehub-81">
+  <issue tracker="bnc" id="1250499">VUL-0: CVE-2025-10924: gimp: GIMP FF File Parsing Integer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="bnc" id="1250497">VUL-0: CVE-2025-10922: gimp: GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-10922">VUL-0: CVE-2025-10922: gimp: GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-2760">VUL-0: CVE-2025-2760: gimp: integer overflow may lead to remote code execution</issue>
+  <issue tracker="bnc" id="1250501">VUL-0: CVE-2025-10925: gimp: GIMP ILBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="bnc" id="1241690">VUL-0: CVE-2025-2760: gimp: integer overflow may lead to remote code execution</issue>
+  <issue tracker="bnc" id="1250495">VUL-0: CVE-2025-10920: gimp: GIMP ICNS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-10920">VUL-0: CVE-2025-10920: gimp: GIMP ICNS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-10924">VUL-0: CVE-2025-10924: gimp: GIMP FF File Parsing Integer Overflow Remote Code Execution Vulnerability</issue>
+  <issue tracker="cve" id="2025-10925">VUL-0: CVE-2025-10925: gimp: GIMP ILBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability</issue>
+  <packager>mgorse</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for gimp</summary>
+  <description>This update for gimp fixes the following issues:
+
+Changes in gimp:
+
+Update to 3.0.6:
+
+  - Security:
+
+    - During development, we received reports from the Zero Day
+      Initiative of potential security issues with some of our file
+      import plug-ins. While these issues are very unlikely to
+      occur with real files, developers like Jacob Boerema and Alx
+      Sa proactively improved security for those imports.
+      The resolved reports are:
+      - ZDI-CAN-27793
+      - ZDI-CAN-27823
+      - ZDI-CAN-27836
+      - ZDI-CAN-27878
+      - ZDI-CAN-27863
+      - ZDI-CAN-27684
+
+  - Core:
+
+    - Many false-positive build warnings have been cleaned out (and
+      proper issues fixed).
+    - Various crashes fixed.
+    - When creating a layer mask from the layer's alpha, but the
+      layer has no alpha, simply fill the mask with complete
+      opacity instead of a completely transparent layer.
+    - Various core infrastructure code reviewed, cleaned up,
+      refactored and improved, in drawable, layer and filter
+      handling code, tree view code, and more.
+    - GIMP_ICONS_LIKE_A_BOSS environment variable is not working
+      anymore (because "gtk-menu-images" and "gtk-button-images"
+      have been deprecated in GTK3 and removed in GTK4) and was
+      therefore removed.
+    - Lock Content now shows as an undo step.
+    - Add alpha channel for certain transforms.
+    - Add alpha channel on filter merge, when necessary.
+    - Filters can now be applied non-destructively on channels.
+    - Improved Photoshop brush support.
+    - After deleting a palette entry, the next entry is
+      automatically selected. This allows easily deleting several
+      entries in a row, among other usage.
+    - Resize image to layers irrespective to selections.
+    - Improved in-GUI release notes' demo script language:
+
+      - We can now set a button value to click it: "toolbox:text,
+        tool-options:outline=1, tool-options:outline-direction"
+      - Color selector's module names can be used as identifiers:
+        "color-editor,color-editor:CMYK=1,color-editor:total-ink-coverage"
+
+    - Fixed Alpha to Selection on single layers with no
+      transparency.
+    - Various code is slowly ported to newer code, preparing for
+      GTK4 port (in an unplanned future step):
+
+      - Using g_set_str() (optionally redefining it in our core
+        code to avoid bumping the GLib minimum requirement).
+      - Start using GListModel in various pieces of code, in
+        particular getting rid of more and more usage of
+        GtkTreeView when possible (as it will be deprecated with
+        GTK4).
+      - New GimpRow class for all future row widgets.
+      - Use more of G_DECLARE_DERIVABLE_TYPE and
+        G_DECLARE_FINAL_TYPE where relevant.
+      - New GimpContainerListView using a GtkListBox.
+      - New GimpRowSeparator, GimpRowSettings, GimpRowFilter and
+        GimpRowDrawableFilter widgets.
+
+    - (Experimental) GEX Format was updated.
+    - Palette import:
+
+      - Set alpha value for image palette imports.
+      - Fix Lab &amp; CMYK ACB palette import.
+      - Add palette format filters to import dialog, making it more
+        apparent what palette formats are supported, and giving the
+        ability to hide irrelevant files.
+
+    - Improved filter actions' sensitivity to make sure they are
+      set insensitive when relevant. In particular filters which
+      cannot be run non-destructively (e.g. filters with aux
+      inputs, non-interactive filters and GEGL Graph) must be
+      insensitive when trying to run them on group layers.
+    - Fix bad axis centering on zoom out.
+    - Export better SVG when exporting paths.
+
+  - Tools:
+
+    - Text tool: make sure the default color is only changed when
+      the user confirms the color change.
+    - Foreground Selection tool: do not create a selection when no
+      strokes has been made. In particular this removes the
+      unnecessary delay which happened when switching to another
+      tool without actually stroking anything.
+    - All Transform tools: transform boundaries for preview is now
+      multi-layers aware.
+    - (Experimental) Seamless Clone tool: made to work again,
+      though it is still too slow to get out of Playground.
+
+  - Graphical User Interface:
+
+    - Various improvements to window management:
+
+      - Keep-Above windows are set with the Utility hint.
+      - Utility windows are not made transient to a parent.
+      - Transient factory dialogs follow the active display,
+        ensuring that new image windows would not hide your toolbox
+        and dock windows.
+
+    - Various CSS improvements for styling of the interface. Some
+      theme leaks were also fixed.
+    - New toggle button in Brushes and Fonts dockable, allowing
+      brush and font previews to optionally follow the color theme.
+      For instance, when using a dark theme, the brush and font
+      previews could be drawn on the theme background, using the
+      theme foreground colors. By default, these data previews are
+      still drawn as black on white.
+    - Palette grid is now drawn with the theme's background color.
+    - Consistent naming patterns on human-facing options (first
+      word only capitalized).
+    - About dialog:
+
+      - We will now display the date and time of the last check in
+        a "Up to date as of &lt;date&gt; at &lt;time&gt;" string, differing
+        from the "Last checked on &lt;date&gt; at &lt;time&gt;" string. The
+        former will be used to indicate that GIMP is indeed
+        up-to-date whereas the latter when a new version was
+        released and that you should update.
+      - We now respect the system time/date format on macOS and
+        Windows.
+
+    - The search popup won't pop up without an image.
+    - Better zoom step algorithm for data previews in container
+      popup (e.g. the brush popup in paint Tool Options).
+    - Disable animation in the Input Controller, Preferences and
+      Welcome dialogs for stack transition when animation are
+      disabled in system settings.
+    - Fixed crosshair hotspot on Windows (crosshair cursor for
+      brushes was offset with a non-100% display scale factor).
+    - Debug/CRITICAL dialog:
+
+      - Make sure it is non-modal.
+      - Follow the theme mode under Windows.
+
+    - While loading images, all widgets in the file dialog are made
+      insensitive, except for the Cancel button and the progress
+      bar.
+    - Both grid and list views can now zoom via scroll and zoom
+      gestures (it used to only work in list views).
+    - Pop an error message up on startup when GIO modules to read
+      HTTPS links are not found and that we therefore fail to load
+      the remote gimp_versions.json file. With the AppImage package
+      in particular, we depend on an environment daemon which
+      cannot be shipped in the package. So the next best thing is
+      to warn people and tell them what they should install to get
+      version checks.
+    - Welcome dialog:
+
+      - The "Community Tutorials" link is now shown after the
+        "Documentation" link.
+      - The "Learn more" link in Release Notes tab leads to the
+        actual release news for this version.
+
+  - Plug-ins:
+
+    - PDF export: do not draw disabled layer masks.
+    - Jigsaw: the plug-in can now draw on transparent layers.
+    - Various file format fixes and improvements: JPEG 2000 import,
+      TIFF import, DDS import, SVG import, PSP import, FITS export,
+      ICNS import, Dicom import, WBMP import, Farbfeld import, XWD
+      import, ILBM import.
+    - Sphere Designer: use spin scale instead of spin entries (the
+      latter is unusable with little horizontal space).
+    - Animation Play: frames are shown again in the playback
+      progress bar.
+    - Vala Goat Exercise: ignoring C warning in this Vala plug-in
+      as it is generated code and we cannot control it.
+    - file-gih: brush pipe selection modes now have nice,
+      translatable names.
+    - Metadata viewer: port from GtkTreeView to GtkListBox.
+    - File Raw Data: reduce Raw Data load dialogue height by moving
+      to a 2-column layout.
+    - SVG import: it is now possible to break aspect ratio with
+      specific width/height arguments, when calling the PDB
+      procedure non-interactively (from other plug-ins).
+    - Print: when run through a portal print dialog, the "Image
+      Settings" will be exposed as a secondary dialog, outputted
+      after the portal dialog, instead of a tab on the main print
+      dialog (because it is not possible to tweak the print dialog
+      when it is created by a portal). This will bring back usable
+      workflow of printing with GIMP when run in a sandbox (e.g.
+      Flatpak or Snap).
+    - Recompose: fixed for YCbCr decomposed images.
+    - Fixed vulnerabilities: ZDI-CAN-27684, ZDI-CAN-27863,
+      ZDI-CAN-27878, ZDI-CAN-27836, ZDI-CAN-27823, ZDI-CAN-27793.
+    - C Source and HTML export can now be run non-interactively too
+      (e.g. from other plug-ins).
+    - Map Object: fix missing spin boxes.
+    - Small Tiles: fix display lag.
+
+- CVE-2025-10925: Fix GIMP ILBM file parsing stack-based buffer overflow remote code
+  execution vulnerability. (ZDI-25-914, ZDI-CAN-27793, bsc#1250501)
+
+- CVE-2025-10922: Fix GIMP DCM file parsing heap-based buffer overflow remote code
+  execution vulnerability.  (ZDI-25-911, ZDI-CAN-27863, bsc#1250497)
+
+- CVE-2025-10920: Prevent overflow attack by checking if output &gt;= max, not just
+  output &gt; max. (ZDI-25-909, ZDI-CAN-27684, bsc#1250495)
+
+- CVE-2025-10924: Fix integer overflow while parsing FF files. (bsc#1250499)
+
+- CVE-2025-2760: A vulnerability allows remote attackers to execute arbitrary
+  code on affected installations of GIMP. The specific flaw exists
+  within parsing of XWD files. An integer overflow happens before
+  allocating a buffer. This fixed in GIMP 3.0.0.
+  https://www.gimp.org/news/2025/03/16/gimp-3-0-released
+  (bsc#1241690)
+</description>
+  <package>gimp</package>
+</patchinfo>

patchinfo.20251201094954024941.93181000773252/_patchinfo

@@ -0,0 +1,209 @@
+<patchinfo incident="packagehub-54">
+  <issue tracker="bnc" id="1251651">VUL-0: CVE-2025-58190: hauler: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="cve" id="2025-22872">cve#2025-22872 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-22872</issue>
+  <issue tracker="cve" id="2025-58058">cve#2025-58058 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58058</issue>
+  <issue tracker="cve" id="2024-45338">cve#2024-45338 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-45338</issue>
+  <issue tracker="bnc" id="1241184">VUL-0: CVE-2024-0406: hauler: mholt/archiver: access to restricted files or directories when unpacking specially crafted tar file</issue>
+  <issue tracker="bnc" id="1235332">VUL-0: CVE-2024-45338: hauler: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content</issue>
+  <issue tracker="cve" id="2025-11579">cve#2025-11579 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-11579</issue>
+  <issue tracker="cve" id="2024-0406">cve#2024-0406 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2024-0406</issue>
+  <issue tracker="cve" id="2025-47911">cve#2025-47911 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-47911</issue>
+  <issue tracker="cve" id="2025-46569">cve#2025-46569 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46569</issue>
+  <issue tracker="bnc" id="1246722">VUL-0: CVE-2025-46569: hauler: github.com/open-policy-agent/opa: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API</issue>
+  <issue tracker="bnc" id="1248937">VUL-0: CVE-2025-58058: hauler: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <issue tracker="bnc" id="1241804">VUL-0: CVE-2025-22872: hauler: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
+  <issue tracker="bnc" id="1251516">VUL-0: CVE-2025-47911: hauler: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="cve" id="2025-58190">cve#2025-58190 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-58190</issue>
+  <issue tracker="bnc" id="1251891">VUL-0: CVE-2025-11579: hauler: github.com/nwaples/rardecode: failure to restrict the dictionary size when processing RAR files allows for excessive memory consumpti</issue>
+  <packager>dirkmueller</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for hauler</summary>
+  <description>This update for hauler fixes the following issues:
+
+- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,
+  bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,
+  bsc#1248937, CVE-2025-58058):
+  * bump github.com/containerd/containerd (#474)
+  * another fix to tests for new tests (#472)
+  * fixed typo in testdata (#471)
+  * fixed/cleaned new tests (#470)
+  * trying a new way for hauler testing (#467)
+  * update for cosign v3 verify (#469)
+  * added digests view to info (#465)
+  * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
+  * update oras-go to v1.2.7 for security patches (#464)
+  * update cosign to v3.0.2+hauler.1 (#463)
+  * fixed homebrew directory deprecation (#462)
+  * add registry logout command (#460)
+
+- Update to version 1.3.0:
+  * bump the go_modules group across 1 directory with 2 updates (#455)
+  * upgraded versions/dependencies/deprecations (#454)
+  * allow loading of docker tarballs (#452)
+  * bump the go_modules group across 1 directory with 2 updates (#449)
+
+- update to 1.2.5 (bsc#1246722, CVE-2025-46569):
+  * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in
+    the go_modules group across 1 directory (CVE-2025-46569)
+  * deprecate auth from hauler store copy
+  * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the
+    go_modules group across 1 directory
+  * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
+    in the go_modules group across 1 directory
+  * upgraded go and dependencies versions
+
+- Update to version 1.2.5:
+  * upgraded go and dependencies versions (#444)
+  * Bump github.com/go-viper/mapstructure/v2 (#442)
+  * bump github.com/cloudflare/circl (#441)
+  * deprecate auth from hauler store copy (#440)
+  * Bump github.com/open-policy-agent/opa (#438)
+
+- update to 1.2.4 (CVE-2025-22872, bsc#1241804):
+  * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
+    group across 1 directory
+  * minor tests updates
+
+- Update to version 1.2.3:
+  * formatting and flag text updates
+  * add keyless signature verification (#434)
+  * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
+  * add --only flag to hauler store copy (for images) (#429)
+  * fix tlog verification error/warning output (#428)
+
+- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
+  * cleanup new tlog flag typos and add shorthand (#426)
+  * default public transparency log verification to false to be airgap friendly but allow override (#425)
+  * bump github.com/golang-jwt/jwt/v4 (#423)
+  * bump the go_modules group across 1 directory with 2 updates (#422)
+  * bump github.com/go-jose/go-jose/v3 (#417)
+  * bump github.com/go-jose/go-jose/v4 (#415)
+  * clear default manifest name if product flag used with sync (#412)
+  * updates for v1.2.0 (#408)
+  * fixed remote code (#407)
+  * added remote file fetch to load (#406)
+  * added remote and multiple file fetch to sync (#405)
+  * updated save flag and related logs (#404)
+  * updated load flag and related logs [breaking change] (#403)
+  * updated sync flag and related logs [breaking change] (#402)
+  * upgraded api update to v1/updated dependencies (#400)
+  * fixed consts for oci declarations (#398)
+  * fix for correctly grabbing platform post cosign 2.4 updates (#393)
+  * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
+  * Bump the go_modules group across 1 directory with 2 updates (#385)
+  * replace mholt/archiver with mholt/archives (#384)
+  * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
+  * cleaned up registry and improved logging (#378)
+  * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
+- bump net/html dependencies (bsc#1235332, CVE-2024-45338)
+
+- Update to version 1.1.1:
+  * fixed cli desc for store env var (#374)
+  * updated versions for go/k8s/helm (#373)
+  * updated version flag to internal/flags (#369)
+  * renamed incorrectly named consts (#371)
+  * added store env var (#370)
+  * adding ignore errors and retries for continue on error/fail on error (#368)
+  * updated/fixed hauler directory (#354)
+  * standardize consts (#353)
+  * removed cachedir code (#355)
+  * removed k3s code (#352)
+  * updated dependencies for go, helm, and k8s (#351)
+  * [feature] build with boring crypto where available (#344)
+  * updated workflow to goreleaser builds (#341)
+  * added timeout to goreleaser workflow (#340)
+  * trying new workflow build processes (#337)
+  * improved workflow performance (#336)
+  * have extract use proper ref (#335)
+  * yet another workflow goreleaser fix (#334)
+  * even more workflow fixes (#333)
+  * added more fixes to github workflow (#332)
+  * fixed typo in hauler store save (#331)
+  * updates to fix build processes (#330)
+  * added integration tests for non hauler tarballs (#325)
+  * bump: golang &gt;= 1.23.1 (#328)
+  * add platform flag to store save (#329)
+  * Update feature_request.md
+  * updated/standardize command descriptions (#313)
+  * use new annotation for 'store save' manifest.json (#324)
+  * enable docker load for hauler tarballs (#320)
+  * bump to cosign v2.2.3-carbide.3 for new annotation (#322)
+  * continue on error when adding images to store (#317)
+  * Update README.md (#318)
+  * fixed completion commands (#312)
+  * github.com/rancherfederal/hauler =&gt; hauler.dev/go/hauler (#311)
+  * pages: enable go install hauler.dev/go/hauler (#310)
+  * Create CNAME
+  * pages: initial workflow (#309)
+  * testing and linting updates (#305)
+  * feat-273: TLS Flags (#303)
+  * added list-repos flag (#298)
+  * fixed hauler login typo (#299)
+  * updated cobra function for shell completion (#304)
+  * updated install.sh to remove github api (#293)
+  * fix image ref keys getting squashed when containing sigs/atts (#291)
+  * fix missing versin info in release build (#283)
+  * bump github.com/docker/docker in the go_modules group across 1 directory (#281)
+  * updated install script (`install.sh`) (#280)
+  * fix digest images being lost on load of hauls (Signed). (#259)
+  * feat: add readonly flag (#277)
+  * fixed makefile for goreleaser v2 changes (#278)
+  * updated goreleaser versioning defaults (#279)
+  * update feature_request.md (#274)
+  * updated old references
+  * updated actions workflow user
+  * added dockerhub to github actions workflow
+  * removed helm chart
+  * added debug container and workflow
+  * updated products flag description
+  * updated chart for release
+  * fixed workflow errors/warnings
+  * fixed permissions on testdata
+  * updated chart versions (will need to update again)
+  * last bit of fixes to workflow
+  * updated unit test workflow
+  * updated goreleaser deprecations
+  * added helm chart release job
+  * updated github template names
+  * updated imports (and go fmt)
+  * formatted gitignore to match dockerignore
+  * formatted all code (go fmt)
+  * updated chart tests for new features
+  * Adding the timeout flag for fileserver command
+  * Configure chart commands to use helm clients for OCI and private registry support
+  * Added some documentation text to sync command
+  * Bump golang.org/x/net from 0.17.0 to 0.23.0
+  * fix for dup digest smashing in cosign
+  * removed vagrant scripts
+  * last bit of updates and formatting of chart
+  * updated hauler testdata
+  * adding functionality and cleaning up
+  * added initial helm chart
+  * removed tag in release workflow
+  * updated/fixed image ref in release workflow
+  * updated/fixed platforms in release workflow
+  * updated/cleaned github actions (#222)
+  * Make Product Registry configurable (#194)
+  * updated fileserver directory name (#219)
+  * fix logging for files
+  * add extra info for the tempdir override flag
+  * tempdir override flag for load
+  * deprecate the cache flag instead of remove
+  * switch to using bci-golang as builder image
+  * fix: ensure /tmp for hauler store load
+  * added the copy back for now
+  * remove copy at the image sync not needed with cosign update
+  * removed misleading cache flag
+  * better logging when adding to store
+  * update to v2.2.3 of our cosign fork
+  * add: dockerignore
+  * add: Dockerfile
+  * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
+  * Bump github.com/docker/docker
+  * updated and added new logos
+  * updated github files
+</description>
+  <package>hauler</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251205103932570835.187004354831441/_patchinfo

@@ -0,0 +1,127 @@
+<patchinfo incident="packagehub-51">
+  <packager>dirkmueller</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for trivy</summary>
+  <description>This update for trivy fixes the following issues:
+
+Changes in trivy:
+
+Update to version 0.68.1:
+
+  * fix: update cosing settings for GoReleaser after bumping cosing to v3 (#9863)
+  * chore(deps): bump the testcontainers group with 2 updates (#9506)
+  * feat(aws): Add support for dualstack ECR endpoints (#9862)
+  * fix(vex): use a separate `visited` set for each DFS path (#9760)
+  * docs: catch some missed docs -&gt; guide (#9850)
+  * refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
+  * chore(cli): Remove Trivy Cloud (#9847)
+  * fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
+  * fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
+  * chore(deps): bump the docker group with 3 updates (#9776)
+  * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
+  * chore(deps): bump the common group across 1 directory with 20 updates (#9840)
+  * feat(image): add Sigstore bundle SBOM support (#9516)
+  * chore(deps): bump the aws group with 7 updates (#9691)
+  * test(k8s): update k8s integrtion test (#9725)
+  * chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
+  * feat(sbom): add support for SPDX attestations (#9829)
+  * docs(misconf): Remove duplicate sections (#9819)
+  * feat(misconf): Update Azure network schema for new checks (#9791)
+  * feat(misconf): Update AppService schema (#9792)
+  * fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
+  * feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
+  * docs: restructure docs for new hosting (#9799)
+  * docs(server): fix info about scanning licenses on the client side. (#9805)
+  * ci: remove unused preinstalled software/images for build tests to free up disk space. (#9814)
+  * feat(report): add fingerprint generation for vulnerabilities (#9794)
+  * chore: trigger the trivy-www workflow (#9737)
+  * fix: update all documentation links (#9777)
+  * feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
+  * test(go): set `GOPATH` for tests (#9785)
+  * feat(flag): add `--cacert` flag (#9781)
+  * fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
+  * test(go): refactor mod_test.go to use txtar format (#9775)
+  * docs: Fix typos and linguistic errors in documentation / hacktoberfest (#9586)
+  * chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
+  * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
+  * fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
+  * docs: add info that `SSL_CERT_FILE` works on `Unix systems other than macOS` only (#9772)
+  * docs: change SecObserve URLs in documentatio (#9771)
+  * feat(db): enable concurrent access to vulnerability database (#9750)
+  * feat(misconf): add agentpools to azure container schema (#9714)
+  * feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
+  * feat(misconf): Update Azure Compute schema (#9675)
+  * feat(misconf): Update azure storage schema (#9728)
+  * feat(misconf): Update SecurityCenter schema (#9674)
+  * feat(image): pass global context to docker/podman image save func (#9733)
+  * chore(deps): bump the github-actions group with 4 updates (#9739)
+  * fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
+  * feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
+  * feat(dotnet): add dependency graph support for .deps.json files (#9726)
+  * feat(misconf): Add support for configurable Rego error limit (#9657)
+  * feat(misconf): Add RoleAssignments attribute (#9396)
+  * feat(report): add image reference to report metadata (#9729)
+  * fix(os): Add photon 5.0 in supported OS (#9724)
+  * fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
+  * refactor: add case-insensitive string set implementation (#9720)
+  * feat: include registry and repository in artifact ID calculation (#9689)
+  * feat(java): add support remote repositories from settings.xml files (#9708)
+  * fix(sbom): don’t panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
+  * docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
+  * docs: add info about `java-db` subdir (#9706)
+  * fix(report): correct field order in SARIF license results (#9712)
+  * test: improve golden file management in integration tests (#9699)
+  * ci: get base_sha using base.ref (#9704)
+  * refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
+  * fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
+  * fix: close all opened resources if an error occurs (#9665)
+  * refactor(misconf): type-safe parser results in generic scanner (#9685)
+  * feat(image): add RepoTags support for Docker archives (#9690)
+  * chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
+  * feat(misconf): Update Azure Container Schema (#9673)
+  * ci: use merge commit for apidiff to avoid false positives (#9622)
+  * feat(misconf): include map key in manifest snippet for diagnostics (#9681)
+  * refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
+  * test: update golden files for TestRepository* integration tests (#9684)
+  * refactor(cli): Update the cloud config command (#9676)
+  * fix(sbom): add `buildInfo` info as properties (#9683)
+  * feat: add ReportID field to scan reports (#9670)
+  * docs: add vulnerability database contribution guide (#9667)
+  * feat(cli): Add trivy cloud suppport (#9637)
+  * feat: add ArtifactID field to uniquely identify scan targets (#9663)
+  * fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
+  * feat(sbom): use SPDX license IDs list to validate SPDX IDs  (#9569)
+  * fix: use context for analyzers (#9538)
+  * chore(deps): bump the docker group with 3 updates (#9545)
+  * chore(deps): bump the aws group with 6 updates (#9547)
+  * ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1 (#9641)
+  * test(helm): bump up Yamale dependency for Helm chart-testing-action (#9653)
+  * fix: Trim the end-of-range suffix (#9618)
+  * test(k8s): use a specific bundle for k8s misconfig scan (#9633)
+  * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
+  * refactor: move the aws config (#9617)
+  * fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
+  * fix: using SrcVersion instead of Version for echo detector (#9552)
+  * feat(fs): change artifact type to repository when git info is detected (#9613)
+  * fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
+  * fix(vex): don't use reused BOM (#9604)
+  * ci: use pull_request_target for apidiff workflow to support fork PRs (#9605)
+  * fix: restore compatibility for google.protobuf.Value (#9559)
+  * ci: add API diff workflow (#9600)
+  * chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
+  * docs: improve documentation for scanning raw IaC configurations (#9571)
+  * feat: allow ignoring findings by type in Rego (#9578)
+  * docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
+  * refactor(misconf): add ID to scan.Rule (#9573)
+  * fix(java): update order for resolving package fields from multiple demManagement (#9575)
+  * chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
+  * chore(deps): bump the common group across 1 directory with 7 updates (#9590)
+  * chore(deps): Switch to go-viper/mapstructure (#9579)
+  * chore: add context to the cache interface (#9565)
+  * ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0 (#9554)
+  * fix: validate backport branch name (#9548)
+</description>
+  <package>trivy</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251208143300643166.187004354831441/_patchinfo

@@ -0,0 +1,63 @@
+<patchinfo incident="packagehub-61">
+  <packager>bigironman</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for icinga-php-thirdparty, icinga-php-library, icingaweb2</summary>
+  <description>This update for icinga-php-thirdparty, icinga-php-library, icingaweb2 fixes the following issues:
+
+Changes in icinga-php-thirdparty:
+
+- Update to 0.13.1
+
+  - No changelog from upstream.
+
+- Update to 0.12.1
+
+  - No changelog from upstream.
+
+Changes in icinga-php-library:
+
+- Update to 1.17.0
+
+  - No changelog from upstream.
+
+Changes in icingaweb2:
+
+- Update to 2.12.6
+
+  - Search box shows many magnifying glasses for some community themes #5395
+  - Authentication hooks are not called with external backends #5415
+  - Improve Minimal layout #5386
+
+- Update to 2.12.5
+
+  * PHP 8.4 Support
+    We're again a little behind schedule, but now we support PHP 8.4!
+    This means that installations on Ubuntu 25.04 and Fedora 42+ can
+    now install Icinga Web without worrying about PHP related
+    incompatibilities. Icinga packages will be available in the
+    next few days.
+  * Good Things Take Time
+    There's only a single (notable) recent issue that is fixed
+    with this release. All the others are a bit older.
+    - External URLs set up as dashlets are not embedded the same
+      as navigation items #5346
+  * But the team sat together a few weeks ago and fixed a bug here
+    and there. And of course, also in Icinga Web!
+    - Users who are not allowed to change the theme, cannot change
+      the theme mode either #5385
+    - Improved compatibility with several SSO authentication
+      providers #5000, #5227
+    - Filtering for older-than events with relative time does not
+      work #5263
+    - Empty values are NULL in CSV exports #5350
+  * Breaking, Somewhat
+    This is mainly for developers.
+    With the support of PHP 8.4, we introduced a new environment
+    variable, ICINGAWEB_ENVIRONMENT. Unless set to dev, Icinga Web
+    will not show nor log deprecation notices anymore.
+</description>
+  <package>icinga-php-thirdparty</package>
+  <package>icinga-php-library</package>
+  <package>icingaweb2</package>
+</patchinfo>

patchinfo.20251209165835367165.93181000773252/_patchinfo

@@ -1,4 +1,4 @@
-<patchinfo>
+<patchinfo incident="packagehub-52">
   <issue tracker="cve" id="2025-53881">cve#2025-53881 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-53881</issue>
   <issue tracker="bnc" id="1246457">VUL-0: CVE-2025-53881: exim: SUSE-specific logrotate configuration allows escalation from mail user/group to root</issue>
   <packager>bigironman</packager>
@@ -10,4 +10,4 @@
 - CVE-2025-53881: Fixed a potential security issue with logfile rotation (bsc#1246457)
 </description>
   <package>exim</package>
-</patchinfo>
+</patchinfo>

patchinfo.20251210101443200408.93181000773252/_patchinfo

@@ -0,0 +1,18 @@
+<patchinfo incident="packagehub-53">
+  <packager>michals</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for virtme</summary>
+  <description>This update for virtme fixes the following issues:
+
+- Update to 1.40:
+  * No significant change, this is just a very small hotfix release
+    to solve a packaging problem introduced by a conflict with the
+    new vng-mcp tool.
+  * While at it, there're also some small improved hints in the MCP
+    server, so that AI agents can better understand how to build
+    the kernel using vng --build.
+</description>
+  <package>virtme</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251210102155991569.93181000773252/_patchinfo

@@ -0,0 +1,20 @@
+<patchinfo incident="packagehub-57">
+  <issue tracker="bnc" id="1254531">cmake-extras: Could not locate qmlplugindump</issue>
+  <issue tracker="bnc" id="1239788">cmake4: build failure tracker bug.</issue>
+  <packager>hillwood</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for cmake-extras</summary>
+  <description>This update for cmake-extras fixes the following issues:
+
+- Support both qmlplugindump-qt5 and qmlplugindump-qt6 (boo#1254531)
+- Fix filename and path of qmlplugindump-qt5 for openSUSE
+- Update to 1.9
+  * add support for CMake 4.0
+- Update to 1.8
+  * GMock: wire dependencies between GMock step and library files
+  * QmlPlugins: Crude support for qt6
+</description>
+  <package>cmake-extras</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251210175743200408.93181000773252/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-58">
+  <packager>pgajdos</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for rawtherapee</summary>
+  <description>This update for rawtherapee fixes the following issues:
+
+Ship rawtherapee image editor.
+</description>
+  <package>rawtherapee</package>
+</patchinfo>

patchinfo.20251211092111744764.93181000773252/_patchinfo

@@ -0,0 +1,17 @@
+<patchinfo incident="packagehub-55">
+  <issue tracker="cve" id="2025-14372">cve#2025-14372 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-14372</issue>
+  <issue tracker="bnc" id="1254776">VUL-0: chromium: release 143.0.7499.109</issue>
+  <issue tracker="cve" id="2025-14373">cve#2025-14373 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-14373</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+- Chromium 143.0.7499.109 (boo#1254776):
+  * CVE-2025-14372: Use after free in Password Manager
+  * CVE-2025-14373: Inappropriate implementation in Toolbar
+  * third issue with an exploit is known to exist in the wild
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251214181248399975.93181000773252/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-56">
+  <issue tracker="bnc" id="1254386">labwc crashes when turning display off with wlr-randr (fixed in upstream and Factory)</issue>
+  <packager>lucsansag</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for labwc</summary>
+  <description>This update for labwc fixes the following issues:
+
+Changes in labwc:
+
+- Fixed layershell unmap segfault when no outputs left (boo#1254386)
+</description>
+  <package>labwc</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251217091639760898.93181000773252/_patchinfo

@@ -0,0 +1,65 @@
+<patchinfo incident="packagehub-59">
+  <issue tracker="cve" id="2025-21614">CVE-2025-21614 go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies</issue>
+  <issue tracker="bnc" id="1247629">VUL-0: CVE-2025-21613: cheat: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
+  <issue tracker="cve" id="2025-58181">VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="cve" id="2025-21613">VUL-0: CVE-2025-21613: TRACKERBUG: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
+  <issue tracker="cve" id="2025-47913">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="bnc" id="1253922">VUL-0: CVE-2025-58181: cheat: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="cve" id="2025-47914">VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="cve" id="2025-22870">VUL-0: CVE-2025-22870: TRACKERBUG: golang.org/net/http, golang.org/x/net/proxy, golang.org/x/net/http/httpproxy: proxy bypass using IPv6 zone IDs</issue>
+  <issue tracker="cve" id="2023-48795">VUL-0: CVE-2023-48795: openssh: prefix truncation breaking ssh channel integrity aka Terrapin Attack</issue>
+  <issue tracker="bnc" id="1254051">VUL-0: CVE-2025-47914: cheat: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1253593">VUL-0: CVE-2025-47913: cheat: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <packager>witekbedyk</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for cheat</summary>
+  <description>This update for cheat fixes the following issues:
+
+- Security:
+  * CVE-2025-47913: Fix client process termination (bsc#1253593)
+  * CVE-2025-58181: Fix potential unbounded memory consumption (bsc#1253922)
+  * CVE-2025-47914: Fix panic due to an out of bounds read (bsc#1254051)
+  * Replace golang.org/x/crypto=golang.org/x/crypto@v0.45.0
+  * Replace golang.org/x/net=golang.org/x/net@v0.47.0
+  * Replace golang.org/x/sys=golang.org/x/sys@v0.38.0
+
+- Packaging improvements:
+  * Drop Requires: golang-packaging. The recommended Go toolchain
+    dependency expression is BuildRequires: golang(API) &gt;= 1.x or
+    optionally the metapackage BuildRequires: go
+  * Use BuildRequires: golang(API) &gt;= 1.19 matching go.mod
+  * Build PIE with pattern that may become recommended procedure:
+    %%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
+    A go toolchain buildmode default config would be preferable
+    but none exist at this time.
+  * Drop mod=vendor, go1.14+ will detect vendor dir and auto-enable
+  * Remove go build -o output binary location and name. Default
+    binary has the same name as package of func main() and is
+    placed in the top level of the build directory.
+  * Add basic %check to execute binary --help
+
+- Packaging improvements:
+  * Service go_modules replace dependencies with CVEs
+  * Replace github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1
+    Fix GO-2025-3754 GHSA-2x5j-vhc8-9cwm
+  * Replace golang.org/x/net=golang.org/x/net@v0.36.0
+    Fixes GO-2025-3503 CVE-2025-22870
+  * Replace golang.org/x/crypto=golang.org/x/crypto@v0.35.0
+    Fixes GO-2023-2402 CVE-2023-48795 GHSA-45x7-px36-x8w8
+    Fixes GO-2025-3487 CVE-2025-22869
+  * Replace github.com/go-git/go-git/v5=github.com/go-git/go-git/v5@v5.13.0
+    Fixes GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4
+    Fixes GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m
+  * Service tar_scm set mode manual from disabled
+  * Service tar_scm create archive from git so we can exclude
+    vendor directory upstream committed to git. Committed vendor
+    directory contents have build issues even after go mod tidy.
+  * Service tar_scm exclude dir vendor
+  * Service set_version set mode manual from disabled
+  * Service set_version remove param basename not needed
+</description>
+  <package>cheat</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251218074156387460.187004354831441/_patchinfo

@@ -0,0 +1,21 @@
+<patchinfo incident="packagehub-60">
+  <issue tracker="cve" id="2025-14766">VUL-0: chromium: release 143.0.7499.146</issue>
+  <issue tracker="cve" id="2025-14174">Google Chrome: chromium: Out of bounds memory access via crafted HTML page</issue>
+  <issue tracker="bnc" id="1255115">VUL-0: chromium: release 143.0.7499.146</issue>
+  <issue tracker="cve" id="2025-14765">VUL-0: chromium: release 143.0.7499.146</issue>
+  <packager>oertel</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+Chromium 143.0.7499.146 (boo#1255115):
+
+  * CVE-2025-14765: Use after free in WebGPU
+  * CVE-2025-14766: Out of bounds read and write in V8
+  * CVE-2025-14174: Out of bounds memory access in ANGLE
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251218142204589141.93181000773252/_patchinfo

@@ -0,0 +1,123 @@
+<patchinfo incident="packagehub-62">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+Thu Dec 18 03:54:10 UTC 2025 - okurz@suse.com
+
+- Update to version 5.1766014013.377e64fe:
+  * feat(Needle::Save): Adapt to new error handling
+  * feat(OpenQA::Git): Make error handling more flexible with exceptions
+
+- Update to version 5.1765887110.8fc02990:
+  * Avoid partial deletion of a screenshot if Minion job is aborted
+  * Add `SignalBlocker` to delay signal handling during critical sections
+
+- Update to version 5.1765805960.2112d43d:
+  * fix(codecov): Fix wrong casing for 'fully_covered' entries
+
+- Update to version 5.1765535865.b566a24c:
+  * fix(codecov): Be strict about coverage thresholds
+  * Show jobs that have been cloned when `t` parameter is used on overview
+
+- Update to version 5.1765469360.5c0525b5:
+  * worker: Add coverage for OVS DBus checks
+  * Fix overview when filtering by test and module result at the same time
+  * Return signal as part of run_cmd result
+  * Add scanner for untracked screenshots
+  * KTAP: Properly hide details of a skipped subtest
+  * docs: Restory logic of the sentence about NFT vs firewalld
+  * docs: Clarify DHCP/RA availability on MM networks
+  * feat: Allow to configure key+secret with env variables
+
+- Update to version 5.1765286149.3debb8ea:
+  * KTAP: Don't increment parsed_lines_count in "SKIP" lines
+  * KTAP: Define unparsed_lines and parsed_lines_count
+
+- Update to version 5.1765217707.d6e697fd:
+  * Test commenting on overview page together with TODO filter
+  * Fix job IDs that are considered for mass-commenting on overview page
+
+- Update to version 5.1765009312.be30f6e0:
+  * README: Remove left-over empty badge reference
+
+Changes in os-autoinst:
+
+- Update to version 5.1767623406.688dd0e:
+  * os-autoinst-generate-needle-preview: Embed PNG
+  * Tweak curl call not to hang
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+
+- Update to version 5.1766037062.44c7d2a:
+  * Tweak curl call not to hang
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+
+- Update to version 5.1765976654.0026f92:
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Improve documentation strings for get/check_var
+
+- Update to version 5.1765808557.b89e9b4:
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+
+- Update to version 5.1765804109.1e7c99a:
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+
+- Update to version 5.1765533145.a82864c:
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+
+- Update to version 5.1765450253.f16e6ac:
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+  * Fix regression from abcaa66b by disabling virtio-keyboard by default
+  * distribution: Add "disable_key_repeat"
+  * Use 'virtio-keyboard' by default to allow fixing key repetition errors
+
+- Update to version 5.1765311639.7e3a762:
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+  * Fix regression from abcaa66b by disabling virtio-keyboard by default
+  * Add IPv6 support for multi machine tests
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1766014013.377e64fe9:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20251227105430923343.187004354831441/_patchinfo

@@ -0,0 +1,33 @@
+<patchinfo incident="packagehub-73">
+  <packager>pgajdos</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for apache2-mod_wsgi</summary>
+  <description>This update for apache2-mod_wsgi fixes the following issues:
+
+Changes in apache2-mod_wsgi:
+
+- Don't enable the module by default. Instead, include instructions in the
+  description, consistent with other comparable modules, such as
+  apache2-mod_fcgid, apache2-mod_jk and apache2-mod_mono.  If a reverse
+  dependency of this module requires it, that package may execute
+  `a2enmod wsgi`.
+
+Update to 5.0.2 includes changes from 5.0.1:
+
+  * Eliminate noise in logs under Python 3.13 when Python garbage collection
+    decides to delay destruction of objects until a second phase, resulting in
+    the wsgi.errors log object being accessed after the request had been
+    completed and the log object marked as invalid. This resulted due to changes
+    in garbage collection behaviour in Python 3.13.
+  * Internally, when using Python 3.8 or newer, the PyConfig API will now be
+    used due to deprecation and future removal of older C API alternatives.
+    This was required to support Python 3.13.
+  * Fix issue which could result in process crashing when values were supplied
+    for user/password/realm of HTTP basic authentication which weren’t
+    compliant with UTF-8 encoding format.
+  * Fix memory leak in check_password() authentication hook handler.
+  * Change use of deprecated thread.setDaemon to thread.daemon.
+</description>
+  <package>apache2-mod_wsgi</package>
+</patchinfo>

patchinfo.20260106100749431638.93181000773252/_patchinfo

@@ -0,0 +1,24 @@
+<patchinfo incident="packagehub-63">
+  <issue tracker="cve" id="2025-58181"/>
+  <issue tracker="cve" id="2025-47913"/>
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="cve" id="2025-47914"/>
+  <issue tracker="cve" id="2025-47911"/>
+  <issue tracker="bnc" id="1253512">VUL-0: CVE-2025-47913: trivy: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="bnc" id="1253977">VUL-0: CVE-2025-47914: trivy: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1251547">VUL-0: CVE-2025-58190: trivy: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1251363">VUL-0: CVE-2025-47911: trivy: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1253786">VUL-0: CVE-2025-58181: trivy: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <packager>dirkmueller</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for trivy</summary>
+  <description>This update for trivy fixes the following issues:
+
+- Update to version 0.68.2:
+  * release: v0.68.2 [release/v0.68] (#9950)
+  * fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] (#9949)
+  * ci: enable `check-latest` for `setup-go` [backport: release/v0.68] (#9946)
+</description>
+  <package>trivy</package>
+</patchinfo>

patchinfo.20260106101959221503.93181000773252/_patchinfo

@@ -0,0 +1,33 @@
+<patchinfo incident="packagehub-66">
+  <issue tracker="bnc" id="1239678">VUL-0: CVE-2025-2337: matio: heap buffer overflow in function Mat_VarPrint of file src/mat.c</issue>
+  <issue tracker="cve" id="2025-2337">VUL-0: CVE-2025-2337: matio: heap buffer overflow in function Mat_VarPrint of file src/mat.c</issue>
+  <issue tracker="cve" id="2025-2338">VUL-0: CVE-2025-2338: matio: heap buffer overflow in function strdup_vprintf of file src/io.c</issue>
+  <issue tracker="bnc" id="1239677">VUL-0: CVE-2025-2338: matio: heap buffer overflow in function strdup_vprintf of file src/io.c</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for matio</summary>
+  <description>This update for matio fixes the following issues:
+
+- update to version 1.5.29:
+  * Fix printing rank-1-variable in Mat_VarPrint
+  * Fix array index out of bounds in Mat_VarPrint when printing
+    UTF-8 character data (boo#1239678, CVE-2025-2337)
+  * Fix heap-based buffer overflow in strdup_vprintf
+    (boo#1239677, CVE-2025-2338)
+  * Changed Mat_VarPrint to print all values of rank-2-variable
+  * Several other fixes, for example for access violations in
+    Mat_VarPrint
+
+- Update to version 1.5.28:
+  * Fixed bug writing MAT_T_INT8/MAT_T_UINT8 encoded character
+    array to compressed v5 MAT file (regression of v1.5.12).
+  * Fixed bug reading all-zero sparse array of v4 MAT file
+    (regression of v1.5.18).
+  * Updated C99 snprintf.c.
+  * CMake: Enabled testing.
+  * Several other fixes, for example for access violations in
+    Mat_VarPrint.
+</description>
+  <package>matio</package>
+</patchinfo>

patchinfo.20260106152652552214.93181000773252/_patchinfo

@@ -0,0 +1,12 @@
+<patchinfo incident="packagehub-71">
+  <packager>miska</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for knot</summary>
+  <description>This update for knot fixes the following issues:
+
+- update to version 3.5.2, see
+  https://www.knot-dns.cz/2025-11-28-version-352.html
+</description>
+  <package>knot</package>
+</patchinfo>

patchinfo.20260106152825813077.93181000773252/_patchinfo

@@ -0,0 +1,12 @@
+<patchinfo incident="packagehub-85">
+  <issue tracker="bnc" id="1254975">niri doesn't set the right portal notification proxy</issue>
+  <packager>mantarimay</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for niri</summary>
+  <description>This update for niri fixes the following issues:
+
+- Fixed portal notification proxy (boo#1254975)
+</description>
+  <package>niri</package>
+</patchinfo>

patchinfo.20260107170113751929.93181000773252/_patchinfo

@@ -0,0 +1,76 @@
+<patchinfo incident="packagehub-65">
+  <packager>sbradnick</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for ranger</summary>
+  <description>This update for ranger fixes the following issues:
+
+- Update to version 1.9.4+git20250910.3f7a3546:
+  * img_display: Avoid unicode escape sequences for Ueberzug input
+  * man: fix documentation of which license ranger uses exactly
+  * rifle: fixed+clarified usage string
+
+- Update to version 1.9.4+git20250604.7e38143:
+  * fixed bug with command info staying
+  * Revert "fixed open_with bugginess"
+  * fixed open_with bugginess
+  * commands: Reword comment for brevity and accuracy
+  * GHActions: Pass config_files rather than boolean to flake8
+  * commands: Disable invalid-name and too-many-lines pylints
+  * Pylint: Disable invalid-name and too-many-lines for commands.py
+  * add :unnarrow to disable :narrow mode
+  * rifle: Update version
+
+- Update to version 1.9.4+git20250305.7ad50fa:
+  * 7-zip now has an official Linux version (7zz)
+  * add: support for tilde in bookmarks
+  * img_display: address PR feedback
+  * docs: kitty image previews are supported in other terminals now
+  * img_display: auto-detect support for kitty image previews
+  * rifle(terminals): support auto-detecting ghostty terminal emulator
+  * Modified order of expantions in peview_script
+  * Add GNOME papers to document viewers
+  * Added ability to use environmental variables in preview_script option
+  * doc: Regenerate man pages to have the proper version
+  * Makefile: Update version Grep since adding logo to README
+  * ranger/__init__: Caught another unbumped version
+  * mime.types: Add .nim extension for text/plain
+  * Fixed mistooks of nim scripts as a video aNIMations in rifle.conf
+  * GHActions: Pypy don't run old Flake8/Pylint
+  * GHActions: Use Pypy 3.10
+  * actions: Use keywords for rifle.execute
+  * runner: Allow action as positional argument
+  * ui: Refresh window in initialize
+  * ui: endwin already sets cursor to normal visibility
+  * requirements: Add setuptools
+  * img_display: Silence no-member false positive
+  * core/main: Drop unused variable prefix_length
+  * core,ext: Avoid return in finally shadowing return value
+  * test_py2_compat: Prevent use of yield from
+  * core,ext: Reduce positional arguments where possible
+  * pager,history: Replace branch with min/max builtins
+  * Pylint: Update custom checker for compatibility with 3.3.1
+  * GHActions: Bump action versions
+  * README: Use forge-agnostic URL
+  * README: Capitalize ranger
+  * README: Bump version
+  * README: Replace Travis with GHActions badge
+  * README: Center header
+  * make logo in readme wider
+  * move the ranger logo to the very top
+  * Add option confirm_on_trash
+  * Fix typos
+  * Add IINA to rifle.conf
+  * browsercolumn: ANSI escape codes support
+  * #1182: Fix signals for OS X
+
+- Update to version 1.9.3+git20240801.bd9b37f:
+  * properly decode file:// urls given to ranger as argument (fixes #2900)
+  * fix #2873 WM_NAME now shows "not accessible" in non-existent directories
+  * Fixed inconsistency in ranger documentation where it was stated that commanding 'linemode humanreadablesizemtime' changed the linemode to display human readable modification time and file size, but the correct command for this is 'linemode sizehumanreadablemtime'
+  * README: fix link formatting on github's markdown renderer
+  * README: add liberapay badge
+  * Mention viewmode key binding in man
+</description>
+  <package>ranger</package>
+</patchinfo>

patchinfo.20260108114750488113.93181000773252/_patchinfo

@@ -0,0 +1,19 @@
+<patchinfo incident="packagehub-64">
+  <issue tracker="cve" id="2026-0628">VUL-0: CVE-2026-0628: chromium: Insufficient policy enforcement in WebView tag fixed in 143.0.7499.192</issue>
+  <issue tracker="bnc" id="1256067">VUL-0: CVE-2026-0628: chromium: Insufficient policy enforcement in WebView tag fixed in 143.0.7499.192</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+- Chromium 143.0.7499.192 (boo#1256067):
+  * CVE-2026-0628: Insufficient policy enforcement in WebView tag
+
+- Chromium 143.0.7499.169 (stable released 2025-12-18)
+  * no cve listed yet
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20260112114750488113.93181000773252/_patchinfo

@@ -0,0 +1,35 @@
+<patchinfo incident="packagehub-68">
+  <packager>mcalabkova</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for certbot</summary>
+  <description>This update for certbot fixes the following issues:
+
+Various certbot packages and dependencies are being added.
+</description>
+<package>certbot-systemd-timer</package>
+<package>python-augeas</package>
+<package>python-bson</package>
+<package>python-certbot-apache</package>
+<package>python-certbot-dns-cloudflare</package>
+<package>python-certbot-dns-digitalocean</package>
+<package>python-certbot-dns-dnsimple</package>
+<package>python-certbot-dns-dnsmadeeasy</package>
+<package>python-certbot-dns-linode</package>
+<package>python-certbot-dns-luadns</package>
+<package>python-certbot-dns-nsone</package>
+<package>python-certbot-dns-ovh</package>
+<package>python-certbot-dns-rfc2136</package>
+<package>python-certbot-dns-route53</package>
+<package>python-cloudflare</package>
+<package>python-digitalocean</package>
+<package>python-dns-lexicon</package>
+<package>python-jsonlines</package>
+<package>python-jsonpickle</package>
+<package>python-localzone</package>
+<package>python-pytest-httpx</package>
+<package>python-requests-file</package>
+<package>python-softlayer</package>
+<package>python-softlayer-zeep</package>
+<package>python-tldextract</package>
+</patchinfo>

patchinfo.20260113100304813079.93181000773252/_patchinfo

@@ -0,0 +1,47 @@
+<patchinfo incident="packagehub-72">
+  <issue tracker="cve" id="2025-14325">firefox: JIT miscompilation in the JavaScript Engine: JIT component</issue>
+  <issue tracker="cve" id="2025-14321">firefox: Use-after-free in the WebRTC: Signaling component</issue>
+  <issue tracker="cve" id="2025-14328">firefox: Privilege escalation in the Netmonitor component</issue>
+  <issue tracker="cve" id="2025-14323">firefox: Privilege escalation in the DOM: Notifications component</issue>
+  <issue tracker="cve" id="2025-14322">firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component</issue>
+  <issue tracker="bnc" id="1254551">VUL-0: MozillaFirefox / MozillaThunderbird: update to 146.0 and 140.6esr</issue>
+  <issue tracker="cve" id="2025-14324">firefox: JIT miscompilation in the JavaScript Engine: JIT component</issue>
+  <issue tracker="cve" id="2025-14330">firefox: JIT miscompilation in the JavaScript Engine: JIT component</issue>
+  <issue tracker="cve" id="2025-14329">firefox: Privilege escalation in the Netmonitor component</issue>
+  <issue tracker="cve" id="2025-14331">firefox: Same-origin policy bypass in the Request Handling component</issue>
+  <issue tracker="cve" id="2025-14333">firefox: Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146</issue>
+  <packager>Yoshio_Sato</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for MozillaThunderbird</summary>
+  <description>This update for MozillaThunderbird fixes the following issues:
+
+Changes in MozillaThunderbird:
+
+- Mozilla Thunderbird 140.6.0 ESR
+  MFSA 2025-96 (bsc#1254551)
+  * CVE-2025-14321 (bmo#1992760)
+    Use-after-free in the WebRTC: Signaling component
+  * CVE-2025-14322 (bmo#1996473)
+    Sandbox escape due to incorrect boundary conditions in the
+    Graphics: CanvasWebGL component
+  * CVE-2025-14323 (bmo#1996555)
+    Privilege escalation in the DOM: Notifications component
+  * CVE-2025-14324 (bmo#1996840)
+    JIT miscompilation in the JavaScript Engine: JIT component
+  * CVE-2025-14325 (bmo#1998050)
+    JIT miscompilation in the JavaScript Engine: JIT component
+  * CVE-2025-14328 (bmo#1996761)
+    Privilege escalation in the Netmonitor component
+  * CVE-2025-14329 (bmo#1997018)
+    Privilege escalation in the Netmonitor component
+  * CVE-2025-14330 (bmo#1997503)
+    JIT miscompilation in the JavaScript Engine: JIT component
+  * CVE-2025-14331 (bmo#2000218)
+    Same-origin policy bypass in the Request Handling component
+  * CVE-2025-14333 (bmo#1966501, bmo#1997639)
+    Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird
+    ESR 140.6, Firefox 146 and Thunderbird 146
+</description>
+  <package>MozillaThunderbird</package>
+</patchinfo>

patchinfo.20260113100344517680.93181000773252/_patchinfo

@@ -0,0 +1,45 @@
+<patchinfo incident="packagehub-70">
+  <issue tracker="cve" id="2025-69195"/>
+  <issue tracker="bnc" id="1255729">VUL-0: CVE-2025-69195: wget2: memory corruption and crash via filename sanitization logic with attacker-controlled URLs</issue>
+  <issue tracker="cve" id="2025-69194"/>
+  <issue tracker="bnc" id="1255728">VUL-0: CVE-2025-69194: wget2: arbitrary file write via Metalink path traversal</issue>
+  <packager>jengelh</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for wget2</summary>
+  <description>This update for wget2 fixes the following issues:
+
+Changes in wget2:
+
+- Update to release 2.2.1
+  * Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]
+  * Fix remote buffer overflow in get_local_filename_real()
+    [CVE-2025-69195 bsc#1255729]
+  * Fix a redirect/mirror regression from 400713ca
+  * Use the local system timestamp when requested via
+    --no-use-server-timestamps
+  * Prevent file truncation with --no-clobber
+  * Improve messages about why URLs are not being followed
+  * Fix metalink with -O/--output-document
+  * Fix sorting of metalink mirrors by priority
+  * Add --show-progress to improve backwards compatibility to wget
+  * Fix buffer overflow in wget_iri_clone() after
+    wget_iri_set_scheme()
+  * Allow 'no_' prefix in config options
+  * Use libnghttp2 for HTTP/2 testing
+  * Set exit status to 8 on 403 response code
+  * Fix convert-links
+  * Fix --server-response for HTTP/1.1
+
+- Update to release 2.2.0
+  * Don't truncate file when -c and -O are combined
+  * Don't log URI userinfo to logs
+  * Fix downloading multiple files via HTTP/2
+  * Support connecting with HTTP/1.0 proxies
+  * Ignore 1xx HTTP responses for HTTP/1.1
+  * Disable TCP Fast Open by default
+  * Fix segfault when OCSP response is missing
+  * Add libproxy support
+</description>
+  <package>wget2</package>
+</patchinfo>

patchinfo.20260113125217848639.93181000773252/_patchinfo

@@ -0,0 +1,45 @@
+<patchinfo incident="packagehub-69">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+Thu Jan 08 10:09:35 UTC 2026 - okurz@suse.com
+- Update to version 5.1767864265.63cd20df:
+  * Skip caching for KERNEL and INITRD variables
+
+- Update to version 5.1766150951.2799046e:
+  * Coverage of openQA: add folder Client/ in codecov.yaml
+  * Improve openQA coverage of _download_handler in Archive.pm
+
+- Update to version 5.1766053374.57cdeee3:
+  * fix(docs): Fix indentation in job template examples
+
+Changes in os-autoinst:
+
+- Update to version 5.1767893100.fd5003c:
+  * Add documentation of APPEND variable
+  * Add undocumented KERNEL/INITRD to the supported variables
+  * os-autoinst-generate-needle-preview: Embed PNG
+  * Tweak curl call not to hang
+  * Fix opencv dependency due to upstream changes
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1767864265.63cd20dfc:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20260113130548514612.93181000773252/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-74">
+  <issue tracker="bnc" id="1255237">scripts it $XDG_CONFIG_DIRS/plasma-workspace/env stop working after ibus update</issue>
+  <packager>ftake</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for fcitx5</summary>
+  <description>This update for fcitx5 fixes the following issues:
+
+
+- Use return instead of exit in 20-fcitx-plasma-setup.sh (boo#1255237)
+- Replace "IBus" with "Fcitx" in a log message
+</description>
+  <package>fcitx5</package>
+</patchinfo>

patchinfo.20260115100809875766.93181000773252/_patchinfo

@@ -0,0 +1,35 @@
+<patchinfo incident="packagehub-80">
+  <issue tracker="cve" id="2026-0907">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0908">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0901">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0902">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0906">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0903">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0905">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0900">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0904">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="cve" id="2026-0899">VUL-0: chromium: release 144.0.7559.59</issue>
+  <issue tracker="bnc" id="1256614">VUL-0: chromium: release 144.0.7559.59</issue>
+  <packager>oertel</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+- Chromium 144.0.7559.59 (boo#1256614)
+  * CVE-2026-0899: Out of bounds memory access in V8
+  * CVE-2026-0900: Inappropriate implementation in V8
+  * CVE-2026-0901: Inappropriate implementation in Blink
+  * CVE-2026-0902: Inappropriate implementation in V8
+  * CVE-2026-0903: Insufficient validation of untrusted input in Downloads
+  * CVE-2026-0904: Incorrect security UI in Digital Credentials
+  * CVE-2026-0905: Insufficient policy enforcement in Network
+  * CVE-2026-0906: Incorrect security UI
+  * CVE-2026-0907: Incorrect security UI in Split View
+  * CVE-2026-0908: Use after free in ANGLE
+- use noopenh264 where available
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20260115100949201882.93181000773252/_patchinfo

@@ -0,0 +1,55 @@
+<patchinfo incident="packagehub-79">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1768323619.9a70ab91:
+  * refactor: Extend tests of df-based cleanup
+  * fix: Avoid wrong deletion of archived jobs in df-based cleanup
+  * refactor: Move logic for validating percentage into helper
+  * refactor: Clarify wording in comment regarding job cleanup
+  * Use template literals in certain JavaScript code
+  * Retry delete_needles job on server restart
+  * Add test for _delete_needles
+  * feat(OpenQA::Git): Cleanup git dir in commit() on shutdown
+  * feat: Improve rendering results on the scheduled product page
+
+- Update to version 5.1768209690.f34c2973:
+  * feat(scheduled-products): Allow adding note to result data
+  * docs: Use node_modules target
+  * docs: Mention minimum PostgreSQL version
+  * ci: Update PostgreSQL in CI/packaging to at least 14
+  * Revert "Add MCP tool annotations for Claude connector compliance"
+
+- Update to version 5.1767868268.dacbd3f7:
+  * Add MCP tool annotations for Claude connector compliance
+
+Changes in os-autoinst:
+
+- Update to version 5.1768317525.86a9a7f:
+  * fix(dist): exclude unstable t/28-signalblocker.t in OBS checks
+  * Remove deprecated BIOS and UEFI_PFLASH variables
+  * Add documentation of APPEND variable
+  * Add undocumented KERNEL/INITRD to the supported variables
+  * os-autoinst-generate-needle-preview: Embed PNG
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1768323619.9a70ab916:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20260115101101937926.93181000773252/_patchinfo

@@ -0,0 +1,22 @@
+<patchinfo incident="packagehub-83">
+  <issue tracker="jsc" id="PED-1942">feature request for adding ipvlan support to wicked for SLES15</issue>
+  <packager>cfconrad</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for wicked</summary>
+  <description>This update for wicked fixes the following issues:
+
+Changes in wicked:
+
+- Update to version 0.6.78
+  - man: small fixes in wireless manpage (gh#opensuse/wicked#1053)
+  - rtnetlink: fix RTM_NEWLINK name resolution in debug (gh#opensuse/wicked#1052)
+  - Add support for IPVLAN/IPVTAP (jsc#PED-1942, gh#opensuse/wicked#1050, gh#opensuse/wicked#1051)
+  - fsm: remove children reference array from worker (gh#opensuse/wicked#1049)
+  - ifxml: migrate and generate lower configs/policies (gh#opensuse/wicked#1048)
+  - fsm: use refcount and array macros in worker and policy (gh#opensuse/wicked#1047)
+  - route: use refcounted array and fix error leaks (gh#opensuse/wicked#1046)
+  - utils: add support for refcounted objects in generic array (gh#openSUSE/wicked#1045)
+</description>
+  <package>wicked</package>
+</patchinfo>

patchinfo.20260115101600453573.93181000773252/_patchinfo

@@ -0,0 +1,14 @@
+<patchinfo incident="packagehub-75">
+  <packager>jengelh</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for flint</summary>
+  <description>This update for flint fixes the following issues:
+
+Changes in flint:
+
+- Fixed a compile error for downstream users when using -std=c23 or
+  a newer GCC which defaults to such.
+</description>
+  <package>flint</package>
+</patchinfo>

patchinfo.20260115114750488113.93181000773252/_patchinfo

@@ -0,0 +1,11 @@
+<patchinfo incident="packagehub-76">
+  <packager>pgajdos</packager>
+  <rating>moderate</rating>
+  <category>optional</category>
+  <summary>Optional update for dehydrated</summary>
+  <description>This update for dehydrated fixes the following issues:
+
+Adds dehydrated to PackageHub / Leap 16.0.
+</description>
+  <package>dehydrated</package>
+</patchinfo>

patchinfo.20260115143001930772.93181000773252/_patchinfo

@@ -0,0 +1,41 @@
+<patchinfo incident="packagehub-77">
+  <issue tracker="bnc" id="1256453">polymake-devel unusable</issue>
+  <packager>jengelh</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for polymake, cddlib</summary>
+  <description>This update for polymake, cddlib fixes the following issues:
+
+Changes in polymake:
+
+- Enable polydb for Tumbleweed / suse_version &gt;=1690
+
+- Reenable callable library mode [boo#1256453]
+
+- Update to release 4.15
+  * graph: graphviz: use PDF instead of PS
+  * polytope: MILP: allow non-rational coordinates
+  * Some bugfixes
+
+- Update to release 4.14
+  * tropical: cone: refactoring and fixes for DOME, COVECTORs and
+    PSEUDOVERTICES
+  * tropical: polytope: fix vertices computation
+  * tropical: hypersurface: fixes for monomials and binomials
+
+- Update to release 4.13
+  * Support for Perl 5.40 and -std=c++20 builds
+
+Changes in cddlib:
+
+- Update to release 0.94n
+  * Fixed a potential dd_MatrixCanonicalize segfault.
+  * cddlib.pc file now points to the non-GMP version, and
+    cddgmp.pc has been added for the GMP version.
+  * Copy certificate and handle errors correctly in dd_SRedundant
+    for the V-representation code path.
+  * cddlib is now thread-safe.
+</description>
+  <package>polymake</package>
+  <package>cddlib</package>
+</patchinfo>

patchinfo.20260115164300444802.93181000773252/_patchinfo

@@ -0,0 +1,25 @@
+<patchinfo incident="packagehub-78">
+  <packager>mmamula</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for ansible-sap-launchpad</summary>
+  <description>This update for ansible-sap-launchpad fixes the following issues:
+
+Changes in ansible-sap-launchpad:
+
+- Refactor Ansible Modules and adjust for ansible-core 2.19.
+
+- 1.3.1
+  - Bugfixes:
+    - collection: Add ansible-test sanity workflow and fix sanity errors
+
+- 1.3.0
+  - Changes:
+    - collection: Refactor all Ansible Modules
+    - sap_software_download: Update for ansible-core 2.19
+  - Bugfixes:
+    - sap_software_download: Fix for failed checksums not correctly retrying
+
+</description>
+  <package>ansible-sap-launchpad</package>
+</patchinfo>

patchinfo.20260116150132416590.93181000773252/_patchinfo

@@ -0,0 +1,95 @@
+<patchinfo incident="packagehub-82">
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="bnc" id="1241814">VUL-0: CVE-2025-22872: go-sendxmpp: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
+  <issue tracker="cve" id="2025-22872">VUL-0: CVE-2025-22872: TRACKERBUG: golang.org/x/net/html: tags incorrectly interpreted by tokenizer can lead to content being placed in the wrong scope during</issue>
+  <issue tracker="bnc" id="1251677">VUL-0: CVE-2025-58190: go-sendxmpp: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1251461">VUL-0: CVE-2025-47911: go-sendxmpp: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="cve" id="2025-47911">VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <packager>fstrba</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for go-sendxmpp</summary>
+  <description>This update for go-sendxmpp fixes the following issues:
+
+Changes in go-sendxmpp:
+
+- Update to 0.15.1:
+  Added
+  * Add XEP-0359 Origin-ID to messages (requires go-xmpp &gt;= v0.2.18).
+  Changed
+  * HTTP upload: Ignore timeouts on disco IQs as some components do
+    not reply.
+- Upgrades the embedded golang.org/x/net to 0.46.0
+  * Fixes: bsc#1251461, CVE-2025-47911: various algorithms with
+    quadratic complexity when parsing HTML documents
+  * Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption
+    by 'html.ParseFragment' when processing specially crafted input
+
+- Update to 0.15.0:
+  Added:
+  * Add flag --verbose to show debug information.
+  * Add flag --recipients to specify recipients by file.
+  * Add flag --retry-connect to try after a waiting time if the connection fails.
+  * Add flag --retry-connect-max to specify the amount of retry attempts.
+  * Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.
+  * Add support for punycode domains.
+  Changed:
+  * Update gopenpgp library to v3.
+  * Improve error detection for MUC joins.
+  * Don't try to connect to other SRV record targets if error contains 'auth-failure'.
+  * Remove support for old SSDP version (via go-xmpp v0.2.15).
+  * Http-upload: Stop checking other disco items after finding upload component.
+  * Increase default TLS version to 1.3.
+- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0
+
+- Update to 0.14.1:
+  * Use prettier date format for error messages.
+  * Update XEP-0474 to version 0.4.0 (requires go-xmpp &gt;= 0.2.10).
+
+- Update to 0.14.0:
+  Added:
+  * Add --fast-invalidate to allow invalidating the FAST token.
+  Changed:
+  * Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.
+  * Delete legacy Ox private key directory if it's empty.
+  * Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp &gt;= 0.2.9).
+  * Print debug output to stdout, not stderr (requires go-xmpp &gt;= 0.2.9).
+  * Show RECV: and SEND: prefix for debug output (requires go-xmpp &gt;= 0.2.9).
+  * Delete stored fast token if --fast-invalidate and --fast-off are set.
+  * Show error when FAST creds are stored but non-FAST mechanism is requested.
+
+- Update to 0.13.0:
+  Added:
+  * Add --anonymous to support anonymous authentication (requires go-xmpp &gt;= 0.2.8).
+  * Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp &gt;= 0.2.8).
+  * Add support for see-other-host stream error (requires go-xmpp &gt;= 0.2.8).
+  Changed:
+  * Don't automatically try other auth mechanisms if FAST authentication fails.
+
+- Update to 0.12.1:
+  Changed:
+  * Print error instead of quitting if a message of type error is received.
+  * Allow upload of multiple files.
+  Added:
+  * Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.
+
+- Update to 0.12.0:
+  Added:
+  * Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv &gt;= 0.3.3).
+  * Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp &gt;= 0.2.5).
+  Changed:
+  * Disable PLAIN authentication per default.
+  * Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires
+    go-xmpp &gt;= 0.2.5).
+
+- Update to 0.11.4:
+  * Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp &gt;= 0.2.4).
+
+- Update to 0.11.3:
+  * Add go-xmpp library version to --version output (requires go-xmpp &gt;= 0.2.2).
+  * Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp &gt;= v0.2.3).
+  * [gocritic]: Improve code quality.
+</description>
+  <package>go-sendxmpp</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20260119100234029640.93181000773252/_patchinfo

@@ -0,0 +1,13 @@
+<patchinfo incident="packagehub-84">
+  <issue tracker="cve" id="2025-63757"/>
+  <issue tracker="bnc" id="1255392">VUL-0: CVE-2025-63757: ffmpeg,ffmpeg-4: ffmpeg: accumulation of filtered pixel values can lead to an integer overflow</issue>
+  <packager>jonathankang</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for ffmpeg-4</summary>
+  <description>This update for ffmpeg-4 fixes the following issues:
+
+- CVE-2025-63757: Fixed swscale/output: Fix integer overflow in yuv2ya16_X_c_template() (bsc#1255392).
+</description>
+  <package>ffmpeg-4</package>
+</patchinfo>

patchinfo.20260120143234408409.93181000773252/_patchinfo

@@ -0,0 +1,15 @@
+<patchinfo incident="packagehub-86">
+  <issue tracker="cve" id="2025-68616">VUL-0: CVE-2025-68616: python-weasyprint: server-side request forgery (SSRF) protection bypass via HTTP redirects allows access to internal network resources</issue>
+  <issue tracker="bnc" id="1256936">VUL-0: CVE-2025-68616: python-weasyprint: server-side request forgery (SSRF) protection bypass via HTTP redirects allows access to internal network resources</issue>
+  <packager>dgarcia</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for python-weasyprint</summary>
+  <description>This update for python-weasyprint fixes the following issues:
+
+Changes in python-weasyprint:
+
+- CVE-2025-68616: Fixed a server-side request forgery in default fetcher (boo#1256936).
+</description>
+  <package>python-weasyprint</package>
+</patchinfo>

workflow.config

@@ -65,6 +65,7 @@
         "mschnitzer",
         "msmeissn",
         "openqa-maintenance",
+        "rfrohl",
         "foursixnine-openqa",
         "szarate"
         ],