File _patchinfo of Package patchinfo.19303

<patchinfo incident="19303">
  <issue tracker="cve" id="2025-69195"/>
  <issue id="1255729" tracker="bnc">VUL-0: CVE-2025-69195: wget2: memory corruption and crash via filename sanitization logic with attacker-controlled URLs</issue>
  <issue tracker="cve" id="2025-69194"/>
  <issue id="1255728" tracker="bnc">VUL-0: CVE-2025-69194: wget2: arbitrary file write via Metalink path traversal</issue>
  <packager>jengelh</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for wget2</summary>
  <description>This update for wget2 fixes the following issues:

- Update to release 2.2.1
  * Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]
  * Fix remote buffer overflow in get_local_filename_real()
    [CVE-2025-69195 bsc#1255729]
  * Fix a redirect/mirror regression from 400713ca
  * Use the local system timestamp when requested via
    --no-use-server-timestamps
  * Prevent file truncation with --no-clobber
  * Improve messages about why URLs are not being followed
  * Fix metalink with -O/--output-document
  * Fix sorting of metalink mirrors by priority
  * Add --show-progress to improve backwards compatibility to wget
  * Fix buffer overflow in wget_iri_clone() after
    wget_iri_set_scheme()
  * Allow 'no_' prefix in config options
  * Use libnghttp2 for HTTP/2 testing
  * Set exit status to 8 on 403 response code
  * Fix convert-links
  * Fix --server-response for HTTP/1.1

- Update to release 2.2.0
  * Don't truncate file when -c and -O are combined
  * Don't log URI userinfo to logs
  * Fix downloading multiple files via HTTP/2
  * Support connecting with HTTP/1.0 proxies
  * Ignore 1xx HTTP responses for HTTP/1.1
  * Disable TCP Fast Open by default
  * Fix segfault when OCSP response is missing
  * Add libproxy support
</description>
</patchinfo>