konflux-internal-p02 bot commented Oct 16, 2025

This PR contains the following updates:

File rpms.in.yaml:

| Package | Change |
|---|---|
| perl-Net-SSLeay | 1.94-7.el10 -> 1.94-8.el10 |
| audit-libs | 4.0.3-1.el10 -> 4.0.3-4.el10 |
| ca-certificates | 2024.2.69_v8.0.303-102.3.el10 -> 2025.2.80_v9.0.305-102.el10_1 |
| crypto-policies | 20250214-1.gitfd9b9b9.el10_0.1 -> 20250905-2.gitc7eb7b2.el10_1 |
| curl | 8.9.1-5.el10 -> 8.12.1-2.el10 |
| cyrus-sasl-lib | 2.1.28-27.el10 -> 2.1.28-29.el10 |
| dbus-broker | 36-1.el10 -> 36-4.el10 |
| device-mapper | 10:1.02.202-6.el10 -> 10:1.02.206-3.el10 |
| device-mapper-libs | 10:1.02.202-6.el10 -> 10:1.02.206-3.el10 |
| elfutils-debuginfod-client | 0.192-6.el10_0 -> 0.193-1.el10 |
| elfutils-default-yama-scope | 0.192-6.el10_0 -> 0.193-1.el10 |
| elfutils-libelf | 0.192-6.el10_0 -> 0.193-1.el10 |
| elfutils-libs | 0.192-6.el10_0 -> 0.193-1.el10 |
| expat | 2.7.1-1.el10_0 -> 2.7.1-1.el10_1.3 |
| file-libs | 5.45-7.el10 -> 5.45-8.el10 |
| filesystem | 3.18-16.el10 -> 3.18-17.el10 |
| glibc | 2.39-46.el10_0 -> 2.39-58.el10_1.2 |
| glibc-common | 2.39-46.el10_0 -> 2.39-58.el10_1.2 |
| glibc-gconv-extra | 2.39-46.el10_0 -> 2.39-58.el10_1.2 |
| glibc-minimal-langpack | 2.39-46.el10_0 -> 2.39-58.el10_1.2 |
| gmp | 1:6.2.1-10.el10 -> 1:6.2.1-12.el10 |
| iproute | 6.11.0-1.el10 -> 6.14.0-2.el10 |
| kmod-libs | 31-11.el10 -> 31-12.el10 |
| libblkid | 2.40.2-10.el10 -> 2.40.2-13.el10 |
| libbpf | 2:1.5.0-4.el10 -> 2:1.6.0-3.el10 |
| libcom_err | 1.47.1-3.el10 -> 1.47.1-4.el10 |
| libcurl | 8.9.1-5.el10 -> 8.12.1-2.el10 |
| libfdisk | 2.40.2-10.el10 -> 2.40.2-13.el10 |
| libffi | 3.4.4-9.el10 -> 3.4.4-10.el10 |
| libgcc | 14.2.1-7.el10 -> 14.3.1-2.1.el10 |
| libmount | 2.40.2-10.el10 -> 2.40.2-13.el10 |
| libnftnl | 1.2.8-2.el10 -> 1.2.8-4.el10_1 |
| libseccomp | 2.5.3-10.el10 -> 2.5.6-1.el10 |
| libselinux | 3.8-2.el10_0 -> 3.9-1.el10 |
| libsemanage | 3.8.1-1.el10_0 -> 3.9-1.el10 |
| libsepol | 3.8-1.el10 -> 3.9-1.el10 |
| libsmartcols | 2.40.2-10.el10 -> 2.40.2-13.el10 |
| libssh | 0.11.1-1.el10 -> 0.11.1-4.el10_1 |
| libssh-config | 0.11.1-1.el10 -> 0.11.1-4.el10_1 |
| libstdc++ | 14.2.1-7.el10 -> 14.3.1-2.1.el10 |
| libuuid | 2.40.2-10.el10 -> 2.40.2-13.el10 |
| openldap | 2.6.8-3.el10 -> 2.6.9-1.el10 |
| openssl-fips-provider | 3.0.7-6.el10 -> 3.0.7-8.el10 |
| openssl-fips-provider-so | 3.0.7-6.el10 -> 3.0.7-8.el10 |
| openssl-libs | 1:3.2.2-16.el10_0.4 -> 1:3.5.1-4.el10_1 |
| pam-libs | 1.6.1-7.el10 -> 1.6.1-8.el10 |
| redhat-release | 10.0-30.el10 -> 10.1-17.el10 |
| redhat-release-eula | 10.0-30.el10 -> 10.1-17.el10 |
| rpm | 4.19.1.1-12.el10 -> 4.19.1.1-20.el10 |
| rpm-libs | 4.19.1.1-12.el10 -> 4.19.1.1-20.el10 |
| rpm-plugin-audit | 4.19.1.1-12.el10 -> 4.19.1.1-20.el10 |
| rpm-sequoia | 1.6.0-6.el10 -> 1.9.0.3-1.el10_1 |
| setup | 2.14.5-4.el10 -> 2.14.5-7.el10 |
| shadow-utils | 2:4.15.0-5.el10 -> 2:4.15.0-8.el10 |
| sqlite-libs | 3.46.1-5.el10_0 -> 3.46.1-5.el10_1 |
| systemd | 257-9.el10_0.1 -> 257-13.el10 |
| systemd-libs | 257-9.el10_0.1 -> 257-13.el10 |
| systemd-pam | 257-9.el10_0.1 -> 257-13.el10 |
| tzdata | 2025b-1.el10 -> 2025b-2.el10 |
| util-linux-core | 2.40.2-10.el10 -> 2.40.2-13.el10 |
| zlib-ng-compat | 2.2.3-1.el10 -> 2.2.3-2.el10 |

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing

CVE-2025-59375

Details: A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.

Severity: Important


libssh: out-of-bounds read in sftp_handle()

CVE-2025-5318

Details: A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.

Severity: Moderate


linux-pam: Linux-pam directory traversal

CVE-2025-6020

Details: A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Severity: Important

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

konflux-internal-p02 bot force-pushed the konflux/mintmaker/release-9.0/lock-file-maintenance-vulnerability branch 2 times, most recently from 41eb17a to 1398591 on November 4, 2025 12:05
konflux-internal-p02 bot force-pushed the konflux/mintmaker/release-9.0/lock-file-maintenance-vulnerability branch 5 times, most recently from 1ef43e0 to 99d3a24 on November 11, 2025 20:10
Signed-off-by: konflux-internal-p02 <170854209+konflux-internal-p02[bot]@users.noreply.github.com>
konflux-internal-p02 bot force-pushed the konflux/mintmaker/release-9.0/lock-file-maintenance-vulnerability branch from 99d3a24 to 0f865f1 on November 13, 2025 12:16