chore(deps): refresh rpm lockfiles [SECURITY]

[konflux-internal-p02]

This PR contains the following updates:

File rpms.in.yaml:

Package	Change
systemd-devel	252-55.el9_7.2 -> 252-55.el9_7.7
expat	2.5.0-5.el9_6 -> 2.5.0-5.el9_7.1
systemd	252-55.el9_7.2 -> 252-55.el9_7.7
systemd-libs	252-55.el9_7.2 -> 252-55.el9_7.7
systemd-pam	252-55.el9_7.2 -> 252-55.el9_7.7
systemd-rpm-macros	252-55.el9_7.2 -> 252-55.el9_7.7

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

systemd-coredump: race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump

CVE-2025-4598

More information

Details

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-4598
• https://bugzilla.redhat.com/show_bug.cgi?id=2369242
• https://www.cve.org/CVERecord?id=CVE-2025-4598
• https://nvd.nist.gov/vuln/detail/CVE-2025-4598
• https://www.openwall.com/lists/oss-security/2025/05/29/3

---

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing

CVE-2025-59375

More information

Details

A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-59375
• https://bugzilla.redhat.com/show_bug.cgi?id=2395108
• https://www.cve.org/CVERecord?id=CVE-2025-59375
• https://nvd.nist.gov/vuln/detail/CVE-2025-59375
• https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
• https://github.com/libexpat/libexpat/issues/1018
• https://github.com/libexpat/libexpat/pull/1034
• https://issues.oss-fuzz.com/issues/439133977

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.