Security update for openQA, os-autoinst, openQA-devel-container SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20261-1 Final 1 1 2026-02-23T19:35:27Z current 2026-02-23T19:35:27Z 2026-02-23T19:35:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openQA, os-autoinst, openQA-devel-container This update for openQA, os-autoinst, openQA-devel-container fixes the following issues: Changes in openQA: - Update to version 5.1771422749.560a3b26: * fix(mcp): set navbar check expression to read-only * feat: support inverted result filters in /tests/overview * fix(test): Enable helm install-chart test again * git subrepo pull (merge) --force external/os-autoinst-common * feat: Make allowed hosts for SCENARIO_DEFINITIONS_YAML_FILE configurable * test: Consider everything under `lib/OpenQA/Shared/` covered * fix: Provide specific error message if job was removed `enqueue_…_track` * refactor: Remove useless error message in `enqueue_and_keep_track` * test: Cover case of successful executing in `enqueue_and_keep_track` * refactor: Simplify error handling of `enqueue_and_keep_track` * test: Cover error handling of `enqueue_and_keep_track` * test: Consider shared session controller fully covered * refactor: Avoid duplications in sessions controller * refactor: Use signatures in session controller code * test: Cover error handling in case of a bad CRSF token * test: Cover test route for session * fix(worker): reject jobs explicitly when worker is stopping * feat: Remove workaround for codecov and gpg * feat: Switch to Leap 16 in Helm charts * feat: Switch to Leap 16.0 in openqa_data container * feat: Replace all Leap 15.6 with 16.0 in docs and scripts * test: Cover showing special image when backend has terminated * fix: Use new apachectl command * Update openQA containers to Leap 16.0 * test: Extend tests for controller handling live view * refactor: Move throttling into its own function * feat(throttling): throttle jobs resources based on parameters size * refactor: Avoid repeated use of `$t->app->minion` in gru tasks tests * feat: Allow archiving jobs with infinite important storage durations * feat: Flag jobs without results as archived for consistency * feat: Remove one corner case preventing jobs from being archived - Update to version 5.1770718745.ce2072d3: * feat(ui): use clickable test overview summary counts for quick filtering * build(Makefile): fix uninterruptable tests * docs: Mention caveats of `…_cleanup_max_free_percentage` setting * test(25-cache-service): fix race conditions * test(ui/21-admin-needles): properly wait for modal dialog and deletion * test(ui/13-admin): properly wait for API key deletion * test(40-openqa-clone-job): properly isolate from system config * test(15-asset): bump timeout to current runtime * chore: fix CVE-2026-25547 (boo#1257852) by overriding minimatch * build(deps-dev): bump @eslint from 9.36.0 to 9.38.0 * fix(eslint): correct style to be eslint-9.38 compliant * build(deps-dev): bump @eslint-community/regexpp from 4.12.1 to 4.12.2 * build(deps-dev): bump @eslint/config-array from 0.21.0 to 0.21.1 * build(deps-dev): bump @eslint/object-schema from 2.1.6 to 2.1.7 * refactor: Improve variable names in function to determine expired jobs * test: Improve name of subtest for archiving * test: Verify that archiving works regardless of logs/results present * Dependency cron 2026-02-06 * Bump js-yaml from 4.1.0 to 4.1.1 * build(deps): bump ace-builds from 1.43.3 to 1.43.4 - Update to version 5.1770308102.12dfd0e4: * fix: Configure sudoers correctly in Leap 16 * Also use devel:openQA/16.0 in dependency bot workflow * test: Consider all controller code covered * refactor: Remove unused "group connect" endpoints * test: Cover `openqa_jobs_by_worker` field of InfluxDB endpoint * test: Cover all cases of search of audit log table * refactor: Simplify function to render audit log index page * test: Add test for `eventid` parameter of audit log page * test: Cover remaining lines of `Asset.pm` - Update to version 5.1769644379.ef069e9d: Changes in os-autoinst: - Update to version 5.1771353921.c8005c9: * git subrepo pull (merge) --force external/os-autoinst-common * style: Fix crop.py style issues * workaround: Remove "get_mempolicy" warning from qemu-img output * parse_extra_log: Allow passing additional args to upload_logs * refactor: Distinguish tests by the script path in `loadtest` * refactor: Simplify approach for avoiding redefine warnings - Update to version 5.1770715824.6a80a85: * style: Fix crop.py style issues * workaround: Remove "get_mempolicy" warning from qemu-img output * parse_extra_log: Allow passing additional args to upload_logs * refactor: Distinguish tests by the script path in `loadtest` * refactor: Simplify approach for avoiding redefine warnings * test: Allow running tests with `Test::Warnings<0.033` * test: Format test of `loadtestdir` in a more compact way - Update to version 5.1770127521.c249fe9: * refactor: Distinguish tests by the script path in `loadtest` * refactor: Simplify approach for avoiding redefine warnings * test: Allow running tests with `Test::Warnings<0.033` * test: Format test of `loadtestdir` in a more compact way * test: Use `ENABLE_MODERN_PERL_FEATURES=1` in test suite * feat: Allow enabling strict/warnings/signatures globally * fix: Improve wrong comment about enablement of modern Perl features Changes in openQA-devel-container: - Update to version 5.1771422749.560a3b26b: * Update to latest openQA version The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-packagehub-139 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1257852 SUSE Bug 1257852 https://www.suse.com/security/cve/CVE-2026-25547/ SUSE CVE CVE-2026-25547 page openSUSE Leap 16.0 openQA-5.1771422749.560a3b26-bp160.1.1 openQA-auto-update-5.1771422749.560a3b26-bp160.1.1 openQA-bootstrap-5.1771422749.560a3b26-bp160.1.1 openQA-client-5.1771422749.560a3b26-bp160.1.1 openQA-common-5.1771422749.560a3b26-bp160.1.1 openQA-continuous-update-5.1771422749.560a3b26-bp160.1.1 openQA-devel-5.1771422749.560a3b26-bp160.1.1 openQA-doc-5.1771422749.560a3b26-bp160.1.1 openQA-local-db-5.1771422749.560a3b26-bp160.1.1 openQA-mcp-5.1771422749.560a3b26-bp160.1.1 openQA-munin-5.1771422749.560a3b26-bp160.1.1 openQA-python-scripts-5.1771422749.560a3b26-bp160.1.1 openQA-single-instance-5.1771422749.560a3b26-bp160.1.1 openQA-single-instance-nginx-5.1771422749.560a3b26-bp160.1.1 openQA-worker-5.1771422749.560a3b26-bp160.1.1 os-autoinst-5.1771353921.c8005c9-bp160.1.1 os-autoinst-devel-5.1771353921.c8005c9-bp160.1.1 os-autoinst-ipmi-deps-5.1771353921.c8005c9-bp160.1.1 os-autoinst-openvswitch-5.1771353921.c8005c9-bp160.1.1 os-autoinst-qemu-kvm-5.1771353921.c8005c9-bp160.1.1 os-autoinst-qemu-x86-5.1771353921.c8005c9-bp160.1.1 os-autoinst-s390-deps-5.1771353921.c8005c9-bp160.1.1 os-autoinst-swtpm-5.1771353921.c8005c9-bp160.1.1 openQA-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-auto-update-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-bootstrap-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-client-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-common-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-continuous-update-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-devel-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-doc-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-local-db-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-mcp-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-munin-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-python-scripts-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-single-instance-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-single-instance-nginx-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 openQA-worker-5.1771422749.560a3b26-bp160.1.1 as a component of openSUSE Leap 16.0 os-autoinst-5.1771353921.c8005c9-bp160.1.1 as a component of openSUSE Leap 16.0 os-autoinst-devel-5.1771353921.c8005c9-bp160.1.1 as a component of openSUSE Leap 16.0 os-autoinst-ipmi-deps-5.1771353921.c8005c9-bp160.1.1 as a component of openSUSE Leap 16.0 os-autoinst-openvswitch-5.1771353921.c8005c9-bp160.1.1 as a component of openSUSE Leap 16.0 os-autoinst-qemu-kvm-5.1771353921.c8005c9-bp160.1.1 as a component of openSUSE Leap 16.0 os-autoinst-qemu-x86-5.1771353921.c8005c9-bp160.1.1 as a component of openSUSE Leap 16.0 os-autoinst-s390-deps-5.1771353921.c8005c9-bp160.1.1 as a component of openSUSE Leap 16.0 os-autoinst-swtpm-5.1771353921.c8005c9-bp160.1.1 as a component of openSUSE Leap 16.0 @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1. CVE-2026-25547 openSUSE Leap 16.0:openQA-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-auto-update-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-bootstrap-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-client-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-common-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-continuous-update-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-devel-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-doc-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-local-db-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-mcp-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-munin-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-python-scripts-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-single-instance-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-single-instance-nginx-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:openQA-worker-5.1771422749.560a3b26-bp160.1.1 openSUSE Leap 16.0:os-autoinst-5.1771353921.c8005c9-bp160.1.1 openSUSE Leap 16.0:os-autoinst-devel-5.1771353921.c8005c9-bp160.1.1 openSUSE Leap 16.0:os-autoinst-ipmi-deps-5.1771353921.c8005c9-bp160.1.1 openSUSE Leap 16.0:os-autoinst-openvswitch-5.1771353921.c8005c9-bp160.1.1 openSUSE Leap 16.0:os-autoinst-qemu-kvm-5.1771353921.c8005c9-bp160.1.1 openSUSE Leap 16.0:os-autoinst-qemu-x86-5.1771353921.c8005c9-bp160.1.1 openSUSE Leap 16.0:os-autoinst-s390-deps-5.1771353921.c8005c9-bp160.1.1 openSUSE Leap 16.0:os-autoinst-swtpm-5.1771353921.c8005c9-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-25547.html CVE-2026-25547 https://bugzilla.suse.com/1257834 SUSE Bug 1257834