Update patchinfo incident numbers [skip actions]

PR: products/PackageHub!467

patchinfo.20260219152850183014.93181000773252/_patchinfo

@@ -0,0 +1,123 @@
+<patchinfo incident="packagehub-139">
+  <issue tracker="cve" id="2026-25547">VUL-0: CVE-2026-25547: TRACKERBUG: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumption and may crash a Nod</issue>
+  <issue tracker="bnc" id="1257852">VUL-0: CVE-2026-25547: openQA: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumption and may crash a Node.js process</issue>
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+- Update to version 5.1771422749.560a3b26:
+  * fix(mcp): set navbar check expression to read-only
+  * feat: support inverted result filters in /tests/overview
+  * fix(test): Enable helm install-chart test again
+  * git subrepo pull (merge) --force external/os-autoinst-common
+  * feat: Make allowed hosts for SCENARIO_DEFINITIONS_YAML_FILE configurable
+  * test: Consider everything under `lib/OpenQA/Shared/` covered
+  * fix: Provide specific error message if job was removed `enqueue_…_track`
+  * refactor: Remove useless error message in `enqueue_and_keep_track`
+  * test: Cover case of successful executing in `enqueue_and_keep_track`
+  * refactor: Simplify error handling of `enqueue_and_keep_track`
+  * test: Cover error handling of `enqueue_and_keep_track`
+  * test: Consider shared session controller fully covered
+  * refactor: Avoid duplications in sessions controller
+  * refactor: Use signatures in session controller code
+  * test: Cover error handling in case of a bad CRSF token
+  * test: Cover test route for session
+  * fix(worker): reject jobs explicitly when worker is stopping
+  * feat: Remove workaround for codecov and gpg
+  * feat: Switch to Leap 16 in Helm charts
+  * feat: Switch to Leap 16.0 in openqa_data container
+  * feat: Replace all Leap 15.6 with 16.0 in docs and scripts
+  * test: Cover showing special image when backend has terminated
+  * fix: Use new apachectl command
+  * Update openQA containers to Leap 16.0
+  * test: Extend tests for controller handling live view
+  * refactor: Move throttling into its own function
+  * feat(throttling): throttle jobs resources based on parameters size
+  * refactor: Avoid repeated use of `$t-&gt;app-&gt;minion` in gru tasks tests
+  * feat: Allow archiving jobs with infinite important storage durations
+  * feat: Flag jobs without results as archived for consistency
+  * feat: Remove one corner case preventing jobs from being archived
+
+- Update to version 5.1770718745.ce2072d3:
+  * feat(ui): use clickable test overview summary counts for quick filtering
+  * build(Makefile): fix uninterruptable tests
+  * docs: Mention caveats of `…_cleanup_max_free_percentage` setting
+  * test(25-cache-service): fix race conditions
+  * test(ui/21-admin-needles): properly wait for modal dialog and deletion
+  * test(ui/13-admin): properly wait for API key deletion
+  * test(40-openqa-clone-job): properly isolate from system config
+  * test(15-asset): bump timeout to current runtime
+  * chore: fix CVE-2026-25547 (boo#1257852) by overriding minimatch
+  * build(deps-dev): bump @eslint from 9.36.0 to 9.38.0
+  * fix(eslint): correct style to be eslint-9.38 compliant
+  * build(deps-dev): bump @eslint-community/regexpp from 4.12.1 to 4.12.2
+  * build(deps-dev): bump @eslint/config-array from 0.21.0 to 0.21.1
+  * build(deps-dev): bump @eslint/object-schema from 2.1.6 to 2.1.7
+  * refactor: Improve variable names in function to determine expired jobs
+  * test: Improve name of subtest for archiving
+  * test: Verify that archiving works regardless of logs/results present
+  * Dependency cron 2026-02-06
+  * Bump js-yaml from 4.1.0 to 4.1.1
+  * build(deps): bump ace-builds from 1.43.3 to 1.43.4
+
+- Update to version 5.1770308102.12dfd0e4:
+  * fix: Configure sudoers correctly in Leap 16
+  * Also use devel:openQA/16.0 in dependency bot workflow
+  * test: Consider all controller code covered
+  * refactor: Remove unused "group connect" endpoints
+  * test: Cover `openqa_jobs_by_worker` field of InfluxDB endpoint
+  * test: Cover all cases of search of audit log table
+  * refactor: Simplify function to render audit log index page
+  * test: Add test for `eventid` parameter of audit log page
+  * test: Cover remaining lines of `Asset.pm`
+
+- Update to version 5.1769644379.ef069e9d:
+
+Changes in os-autoinst:
+
+- Update to version 5.1771353921.c8005c9:
+  * git subrepo pull (merge) --force external/os-autoinst-common
+  * style: Fix crop.py style issues
+  * workaround: Remove "get_mempolicy" warning from qemu-img output
+  * parse_extra_log: Allow passing additional args to upload_logs
+  * refactor: Distinguish tests by the script path in `loadtest`
+  * refactor: Simplify approach for avoiding redefine warnings
+
+- Update to version 5.1770715824.6a80a85:
+  * style: Fix crop.py style issues
+  * workaround: Remove "get_mempolicy" warning from qemu-img output
+  * parse_extra_log: Allow passing additional args to upload_logs
+  * refactor: Distinguish tests by the script path in `loadtest`
+  * refactor: Simplify approach for avoiding redefine warnings
+  * test: Allow running tests with `Test::Warnings&lt;0.033`
+  * test: Format test of `loadtestdir` in a more compact way
+
+- Update to version 5.1770127521.c249fe9:
+  * refactor: Distinguish tests by the script path in `loadtest`
+  * refactor: Simplify approach for avoiding redefine warnings
+  * test: Allow running tests with `Test::Warnings&lt;0.033`
+  * test: Format test of `loadtestdir` in a more compact way
+  * test: Use `ENABLE_MODERN_PERL_FEATURES=1` in test suite
+  * feat: Allow enabling strict/warnings/signatures globally
+  * fix: Improve wrong comment about enablement of modern Perl features
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1771422749.560a3b26b:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20260223091213884795.93181000773252/_patchinfo

@@ -0,0 +1,88 @@
+<patchinfo incident="packagehub-138">
+  <issue tracker="bnc" id="1258671">Mosquitto versions &gt; 2.0.11 and &lt; 2.0.23 have a data loss bug</issue>
+  <issue tracker="cve" id="2024-3935">VUL-0: CVE-2024-3935: mosquitto: double free and subsequent crash when running under bridge mode and processing remote connections</issue>
+  <issue tracker="bnc" id="1232636">VUL-0: CVE-2024-10525: mosquitto: out-of-bounds memory access when acting in an on_subscribe callback for a crafted SUBACK packet with no reason codes</issue>
+  <issue tracker="bnc" id="1232635">VUL-0: CVE-2024-3935: mosquitto: double free and subsequent crash when running under bridge mode and processing remote connections</issue>
+  <issue tracker="cve" id="2024-10525">VUL-0: CVE-2024-10525: mosquitto: out-of-bounds memory access when acting in an on_subscribe callback for a crafted SUBACK packet with no reason codes</issue>
+  <packager>AndreasStieger</packager>
+  <rating>critical</rating>
+  <category>security</category>
+  <summary>Security update for mosquitto</summary>
+  <description>This update for mosquitto fixes the following issues:
+
+Changes in mosquitto:
+
+- update to 2.0.23 (boo#1258671)
+  * Fix handling of disconnected sessions for `per_listener_settings
+    true`
+  * Check return values of openssl *_get_ex_data() and
+    *_set_ex_data() to prevent possible crash. This could occur only
+    in extremely unlikely situations
+  * Check return value of openssl ASN1_string_[get0_]data()
+    functions for NULL. This prevents a crash in case of incorrect
+    certificate handling in openssl
+  * Fix potential crash on startup if a malicious/corrupt
+    persistence file from mosquitto 1.5 or earlier is loaded
+  * Limit auto_id_prefix to 50 characters
+
+- Update to version 2.0.22
+  Broker
+  * Bridge: Fix idle_timeout never occurring for lazy bridges.
+  * Fix case where max_queued_messages = 0 was not treated as
+    unlimited.
+  * Fix --version exit code and output.
+  * Fix crash on receiving a $CONTROL message over a bridge, if
+    per_listener_settings is set true and the bridge is carrying
+    out topic remapping.
+  * Fix incorrect reference clock being selected on startup on
+    Linux. Closes #3238.
+  * Fix reporting of client disconnections being incorrectly
+    attributed to "out of memory".
+  * Fix compilation when using WITH_OLD_KEEPALIVE.
+  * Fix problems with secure websockets.
+  * Fix crash on exit when using WITH_EPOLL=no.
+  * Fix clients being incorrectly expired when they have
+    keepalive == max_keepalive. Closes #3226, #3286.
+  Dynamic security plugin
+  * Fix mismatch memory free when saving config which caused
+    memory tracking to be incorrect.
+  Client library
+  * Fix C++ symbols being removed when compiled with link time
+    optimisation.
+  * TLS error handling was incorrectly setting a protocol error
+    for non-TLS errors. This would cause the mosquitto_loop_start()
+    thread to exit if no broker was available on the first
+    connection attempt. This has been fixed. Closes #3258.
+  * Fix linker errors on some architectures using cmake.
+
+- Update to version 2.0.21
+  Broker
+  * Fix clients sending a RESERVED packet not being quickly
+    disconnected.
+  * Fix bind_interface producing an error when used with an
+    interface that has an IPv6 link-local address and no other
+    IPv6 addresses.
+  * Fix mismatched wrapped/unwrapped memory alloc/free in
+    properties.
+  * Fix allow_anonymous false not being applied in local only mode.
+  * Add retain_expiry_interval option to fix expired retained
+    message not being removed from memory if they are not
+    subscribed to.
+  * Produce an error if invalid combinations of
+    cafile/capath/certfile/keyfile are used.
+  * Backport keepalive checking from develop to fix problems in
+    current implementation.
+  Client library
+  * Fix potential deadlock in mosquitto_sub if -W is used.
+  Apps
+  * mosquitto_ctrl dynsec now also allows -i to specify a clientid
+    as well as -c. This matches the documentation which states -i.
+  Tests
+  * Fix 08-ssl-connect-cert-auth-expired and
+    08-ssl-connect-cert-auth-revoked tests when under load.
+
+- systemd service: Wait till the network got setup to avoid
+  startup failure.
+</description>
+  <package>mosquitto</package>
+</patchinfo>

patchinfo.20260223091318219985.93181000773252/_patchinfo

@@ -1,4 +1,4 @@
-<patchinfo>
+<patchinfo incident="packagehub-137">
   <packager>gcomes.obs</packager>
   <rating>moderate</rating>
   <category>recommended</category>
@@ -23,4 +23,4 @@ Changes in python-qtwebengine-qt5:
   <package>python-qt5</package>
   <package>python-qt5:nonring-extras</package>
   <package>python-qtwebengine-qt5</package>
-</patchinfo>
+</patchinfo>