Update patchinfo incident numbers [skip actions]

PR: products/PackageHub!308

0Backports/Backports.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jan  5 10:38:32 UTC 2026 - Wolfgang Engel <wolfgang.engel@suse.com>
+
+- Backports.productcompose:
+  + add to backports_unneeded, remove xen related packages (bsc#1253226)
+      xen-tools-xendomains-wait-disk
+
 -------------------------------------------------------------------
 Fri Oct 10 07:19:41 UTC 2025 - Wolfgang Engel <wolfgang.engel@suse.com>
 

0Backports/Backports.productcompose

@@ -281,6 +281,7 @@ packagesets:
   - xen-doc-html
   - xen-tools
   - xen-tools-domU
+  - xen-tools-xendomains-wait-disk
   - yum-utils
 
 # TODO: unneeded Leap package per architecture
@@ -701,6 +702,9 @@ packagesets:
   - cargo-packaging
   - cargo1.87
   - cargo1.88
+  - cargo1.89
+  - cargo1.90
+  - cargo1.91
   - catatonit
   - cblas-devel
   - cblas-devel-static
@@ -1408,7 +1412,6 @@ packagesets:
   - gobject-introspection-devel
   - golang-github-cpuguy83-go-md2man
   - golang-github-google-jsonnet
-  - golang-github-prometheus-prometheus
   - golang-github-prometheus-promu
   - golang-packaging
   - google-errorprone-annotation
@@ -6796,6 +6799,9 @@ packagesets:
   - rhino-engine
   - rhino-javadoc
   - rhino-runtime
+  - rmt-server
+  - rmt-server-config
+  - rmt-server-pubcloud
   - rollback-helper
   - rootlesskit
   - rp-pppoe
@@ -6852,6 +6858,9 @@ packagesets:
   - rust-keylime
   - rust1.87
   - rust1.88
+  - rust1.89
+  - rust1.90
+  - rust1.91
   - samba
   - samba-ad-dc
   - samba-ad-dc-libs
@@ -7080,7 +7089,6 @@ packagesets:
   - system-user-news
   - system-user-nobody
   - system-user-ntp
-  - system-user-prometheus
   - system-user-pulse
   - system-user-qemu
   - system-user-root

_config

@@ -168,7 +168,7 @@ Macros:
 
 # Leap specific package list, the same list with excludebuild must add to Backports project
 # Most of package should be built in Backports
-%if "%_project" == "openSUSE:Backports:SLE-16.0"
+%if 0%{?_is_in_project}
 # we build ffado:ffado-mixer for openSUSE, the main one is built in SLFO
 BuildFlags: excludebuild:ffado
 # build gpgme:qt flavor for qt5 support

patchinfo.20251208143300643166.187004354831441/_patchinfo

@@ -0,0 +1,63 @@
+<patchinfo incident="packagehub-61">
+  <packager>bigironman</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for icinga-php-thirdparty, icinga-php-library, icingaweb2</summary>
+  <description>This update for icinga-php-thirdparty, icinga-php-library, icingaweb2 fixes the following issues:
+
+Changes in icinga-php-thirdparty:
+
+- Update to 0.13.1
+
+  - No changelog from upstream.
+
+- Update to 0.12.1
+
+  - No changelog from upstream.
+
+Changes in icinga-php-library:
+
+- Update to 1.17.0
+
+  - No changelog from upstream.
+
+Changes in icingaweb2:
+
+- Update to 2.12.6
+
+  - Search box shows many magnifying glasses for some community themes #5395
+  - Authentication hooks are not called with external backends #5415
+  - Improve Minimal layout #5386
+
+- Update to 2.12.5
+
+  * PHP 8.4 Support
+    We're again a little behind schedule, but now we support PHP 8.4!
+    This means that installations on Ubuntu 25.04 and Fedora 42+ can
+    now install Icinga Web without worrying about PHP related
+    incompatibilities. Icinga packages will be available in the
+    next few days.
+  * Good Things Take Time
+    There's only a single (notable) recent issue that is fixed
+    with this release. All the others are a bit older.
+    - External URLs set up as dashlets are not embedded the same
+      as navigation items #5346
+  * But the team sat together a few weeks ago and fixed a bug here
+    and there. And of course, also in Icinga Web!
+    - Users who are not allowed to change the theme, cannot change
+      the theme mode either #5385
+    - Improved compatibility with several SSO authentication
+      providers #5000, #5227
+    - Filtering for older-than events with relative time does not
+      work #5263
+    - Empty values are NULL in CSV exports #5350
+  * Breaking, Somewhat
+    This is mainly for developers.
+    With the support of PHP 8.4, we introduced a new environment
+    variable, ICINGAWEB_ENVIRONMENT. Unless set to dev, Icinga Web
+    will not show nor log deprecation notices anymore.
+</description>
+  <package>icinga-php-thirdparty</package>
+  <package>icinga-php-library</package>
+  <package>icingaweb2</package>
+</patchinfo>

patchinfo.20251217091639760898.93181000773252/_patchinfo

@@ -0,0 +1,65 @@
+<patchinfo incident="packagehub-59">
+  <issue tracker="cve" id="2025-21614">CVE-2025-21614 go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies</issue>
+  <issue tracker="bnc" id="1247629">VUL-0: CVE-2025-21613: cheat: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
+  <issue tracker="cve" id="2025-58181">VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="cve" id="2025-21613">VUL-0: CVE-2025-21613: TRACKERBUG: github.com/go-git/go-git/v5: argument injection via the URL field</issue>
+  <issue tracker="cve" id="2025-47913">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="bnc" id="1253922">VUL-0: CVE-2025-58181: cheat: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="cve" id="2025-47914">VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="cve" id="2025-22870">VUL-0: CVE-2025-22870: TRACKERBUG: golang.org/net/http, golang.org/x/net/proxy, golang.org/x/net/http/httpproxy: proxy bypass using IPv6 zone IDs</issue>
+  <issue tracker="cve" id="2023-48795">VUL-0: CVE-2023-48795: openssh: prefix truncation breaking ssh channel integrity aka Terrapin Attack</issue>
+  <issue tracker="bnc" id="1254051">VUL-0: CVE-2025-47914: cheat: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1253593">VUL-0: CVE-2025-47913: cheat: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <packager>witekbedyk</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for cheat</summary>
+  <description>This update for cheat fixes the following issues:
+
+- Security:
+  * CVE-2025-47913: Fix client process termination (bsc#1253593)
+  * CVE-2025-58181: Fix potential unbounded memory consumption (bsc#1253922)
+  * CVE-2025-47914: Fix panic due to an out of bounds read (bsc#1254051)
+  * Replace golang.org/x/crypto=golang.org/x/crypto@v0.45.0
+  * Replace golang.org/x/net=golang.org/x/net@v0.47.0
+  * Replace golang.org/x/sys=golang.org/x/sys@v0.38.0
+
+- Packaging improvements:
+  * Drop Requires: golang-packaging. The recommended Go toolchain
+    dependency expression is BuildRequires: golang(API) &gt;= 1.x or
+    optionally the metapackage BuildRequires: go
+  * Use BuildRequires: golang(API) &gt;= 1.19 matching go.mod
+  * Build PIE with pattern that may become recommended procedure:
+    %%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
+    A go toolchain buildmode default config would be preferable
+    but none exist at this time.
+  * Drop mod=vendor, go1.14+ will detect vendor dir and auto-enable
+  * Remove go build -o output binary location and name. Default
+    binary has the same name as package of func main() and is
+    placed in the top level of the build directory.
+  * Add basic %check to execute binary --help
+
+- Packaging improvements:
+  * Service go_modules replace dependencies with CVEs
+  * Replace github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1
+    Fix GO-2025-3754 GHSA-2x5j-vhc8-9cwm
+  * Replace golang.org/x/net=golang.org/x/net@v0.36.0
+    Fixes GO-2025-3503 CVE-2025-22870
+  * Replace golang.org/x/crypto=golang.org/x/crypto@v0.35.0
+    Fixes GO-2023-2402 CVE-2023-48795 GHSA-45x7-px36-x8w8
+    Fixes GO-2025-3487 CVE-2025-22869
+  * Replace github.com/go-git/go-git/v5=github.com/go-git/go-git/v5@v5.13.0
+    Fixes GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4
+    Fixes GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m
+  * Service tar_scm set mode manual from disabled
+  * Service tar_scm create archive from git so we can exclude
+    vendor directory upstream committed to git. Committed vendor
+    directory contents have build issues even after go mod tidy.
+  * Service tar_scm exclude dir vendor
+  * Service set_version set mode manual from disabled
+  * Service set_version remove param basename not needed
+</description>
+  <package>cheat</package>
+  <seperate_build_arch/>
+</patchinfo>

patchinfo.20251218074156387460.187004354831441/_patchinfo

@@ -0,0 +1,21 @@
+<patchinfo incident="packagehub-60">
+  <issue tracker="cve" id="2025-14766">VUL-0: chromium: release 143.0.7499.146</issue>
+  <issue tracker="cve" id="2025-14174">Google Chrome: chromium: Out of bounds memory access via crafted HTML page</issue>
+  <issue tracker="bnc" id="1255115">VUL-0: chromium: release 143.0.7499.146</issue>
+  <issue tracker="cve" id="2025-14765">VUL-0: chromium: release 143.0.7499.146</issue>
+  <packager>oertel</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+Chromium 143.0.7499.146 (boo#1255115):
+
+  * CVE-2025-14765: Use after free in WebGPU
+  * CVE-2025-14766: Out of bounds read and write in V8
+  * CVE-2025-14174: Out of bounds memory access in ANGLE
+</description>
+  <package>chromium</package>
+</patchinfo>

patchinfo.20251218142204589141.93181000773252/_patchinfo

@@ -0,0 +1,123 @@
+<patchinfo incident="packagehub-62">
+  <packager>os-autoinst-obs-workflow</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for openQA, os-autoinst, openQA-devel-container</summary>
+  <description>This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
+
+Changes in openQA:
+
+Thu Dec 18 03:54:10 UTC 2025 - okurz@suse.com
+
+- Update to version 5.1766014013.377e64fe:
+  * feat(Needle::Save): Adapt to new error handling
+  * feat(OpenQA::Git): Make error handling more flexible with exceptions
+
+- Update to version 5.1765887110.8fc02990:
+  * Avoid partial deletion of a screenshot if Minion job is aborted
+  * Add `SignalBlocker` to delay signal handling during critical sections
+
+- Update to version 5.1765805960.2112d43d:
+  * fix(codecov): Fix wrong casing for 'fully_covered' entries
+
+- Update to version 5.1765535865.b566a24c:
+  * fix(codecov): Be strict about coverage thresholds
+  * Show jobs that have been cloned when `t` parameter is used on overview
+
+- Update to version 5.1765469360.5c0525b5:
+  * worker: Add coverage for OVS DBus checks
+  * Fix overview when filtering by test and module result at the same time
+  * Return signal as part of run_cmd result
+  * Add scanner for untracked screenshots
+  * KTAP: Properly hide details of a skipped subtest
+  * docs: Restory logic of the sentence about NFT vs firewalld
+  * docs: Clarify DHCP/RA availability on MM networks
+  * feat: Allow to configure key+secret with env variables
+
+- Update to version 5.1765286149.3debb8ea:
+  * KTAP: Don't increment parsed_lines_count in "SKIP" lines
+  * KTAP: Define unparsed_lines and parsed_lines_count
+
+- Update to version 5.1765217707.d6e697fd:
+  * Test commenting on overview page together with TODO filter
+  * Fix job IDs that are considered for mass-commenting on overview page
+
+- Update to version 5.1765009312.be30f6e0:
+  * README: Remove left-over empty badge reference
+
+Changes in os-autoinst:
+
+- Update to version 5.1767623406.688dd0e:
+  * os-autoinst-generate-needle-preview: Embed PNG
+  * Tweak curl call not to hang
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+
+- Update to version 5.1766037062.44c7d2a:
+  * Tweak curl call not to hang
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+
+- Update to version 5.1765976654.0026f92:
+  * Fix opencv dependency due to upstream changes
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Improve documentation strings for get/check_var
+
+- Update to version 5.1765808557.b89e9b4:
+  * Restore package  builds on older openSUSE versions
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+
+- Update to version 5.1765804109.1e7c99a:
+  * Remove `ShellCheck` from devel dependencies on s390x
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+
+- Update to version 5.1765533145.a82864c:
+  * Remove obsolete 'bin/' folder
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+
+- Update to version 5.1765450253.f16e6ac:
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Improve documentation strings for get/check_var
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+  * Fix regression from abcaa66b by disabling virtio-keyboard by default
+  * distribution: Add "disable_key_repeat"
+  * Use 'virtio-keyboard' by default to allow fixing key repetition errors
+
+- Update to version 5.1765311639.7e3a762:
+  * Simplify the code to increment the counter
+  * audio: Allow for multiple audio recordings per test
+  * Add port forwarding example for NICTYPE_USER_OPTIONS
+  * Fix regression from abcaa66b by disabling virtio-keyboard by default
+  * Add IPv6 support for multi machine tests
+
+Changes in openQA-devel-container:
+
+- Update to version 5.1766014013.377e64fe9:
+  * Update to latest openQA version
+</description>
+  <package>openQA</package>
+  <package>openQA:openQA-devel-test</package>
+  <package>openQA:openQA-test</package>
+  <package>openQA:openQA-worker-test</package>
+  <package>openQA:openQA-client-test</package>
+  <package>os-autoinst</package>
+  <package>os-autoinst:os-autoinst-test</package>
+  <package>os-autoinst:os-autoinst-devel-test</package>
+  <package>os-autoinst:os-autoinst-openvswitch-test</package>
+  <package>openQA-devel-container</package>
+</patchinfo>

patchinfo.20260106100749431638.93181000773252/_patchinfo

@@ -0,0 +1,24 @@
+<patchinfo incident="packagehub-63">
+  <issue tracker="cve" id="2025-58181"/>
+  <issue tracker="cve" id="2025-47913"/>
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="cve" id="2025-47914"/>
+  <issue tracker="cve" id="2025-47911"/>
+  <issue tracker="bnc" id="1253512">VUL-0: CVE-2025-47913: trivy: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
+  <issue tracker="bnc" id="1253977">VUL-0: CVE-2025-47914: trivy: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1251547">VUL-0: CVE-2025-58190: trivy: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1251363">VUL-0: CVE-2025-47911: trivy: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1253786">VUL-0: CVE-2025-58181: trivy: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <packager>dirkmueller</packager>
+  <rating>moderate</rating>
+  <category>recommended</category>
+  <summary>Recommended update for trivy</summary>
+  <description>This update for trivy fixes the following issues:
+
+- Update to version 0.68.2:
+  * release: v0.68.2 [release/v0.68] (#9950)
+  * fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] (#9949)
+  * ci: enable `check-latest` for `setup-go` [backport: release/v0.68] (#9946)
+</description>
+  <package>trivy</package>
+</patchinfo>

patchinfo.20260108114750488113.93181000773252/_patchinfo

@@ -0,0 +1,19 @@
+<patchinfo incident="packagehub-64">
+  <issue tracker="cve" id="2026-0628">VUL-0: CVE-2026-0628: chromium: Insufficient policy enforcement in WebView tag fixed in 143.0.7499.192</issue>
+  <issue tracker="bnc" id="1256067">VUL-0: CVE-2026-0628: chromium: Insufficient policy enforcement in WebView tag fixed in 143.0.7499.192</issue>
+  <packager>AndreasStieger</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for chromium</summary>
+  <description>This update for chromium fixes the following issues:
+
+Changes in chromium:
+
+- Chromium 143.0.7499.192 (boo#1256067):
+  * CVE-2026-0628: Insufficient policy enforcement in WebView tag
+
+- Chromium 143.0.7499.169 (stable released 2025-12-18)
+  * no cve listed yet
+</description>
+  <package>chromium</package>
+</patchinfo>