Skip to content

chore(deps): refresh rpm lockfiles [SECURITY] #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
konflux-internal-p02 wants to merge 1 commit into
base: release-6.1
Choose a base branch
from
Open

chore(deps): refresh rpm lockfiles [SECURITY] #62

konflux-internal-p02 wants to merge 1 commit into from

Conversation

@konflux-internal-p02
Copy link

@konflux-internal-p02 konflux-internal-p02 bot commented Nov 26, 2025
edited
Loading

This PR contains the following updates:

File rpms.in.yaml:

Package Change
audit-libs 3.1.5-4.el9 -> 3.1.5-7.el9
ca-certificates 2024.2.69_v8.0.303-91.4.el9_4 -> 2025.2.80_v9.0.305-91.el9
crypto-policies 20250128-1.git5269e22.el9 -> 20250905-1.git377cc42.el9_7
expat 2.5.0-5.el9_6 -> 2.5.0-5.el9_7.1
glibc 2.34-168.el9_6.23 -> 2.34-231.el9_7.2
glibc-common 2.34-168.el9_6.23 -> 2.34-231.el9_7.2
glibc-gconv-extra 2.34-168.el9_6.23 -> 2.34-231.el9_7.2
glibc-minimal-langpack 2.34-168.el9_6.23 -> 2.34-231.el9_7.2
kmod-libs 28-10.el9 -> 28-11.el9
libcap 2.48-9.el9_2 -> 2.48-10.el9
libgcc 11.5.0-5.el9_5 -> 11.5.0-11.el9
libsepol 3.6-2.el9 -> 3.6-3.el9
ncurses-base 6.2-10.20210508.el9_6.2 -> 6.2-12.20210508.el9
ncurses-libs 6.2-10.20210508.el9_6.2 -> 6.2-12.20210508.el9
openssl 1:3.2.2-6.el9_5.1 -> 1:3.5.1-4.el9_7
openssl-fips-provider 3.0.7-6.el9_5 -> 3.0.7-8.el9
openssl-fips-provider-so 3.0.7-6.el9_5 -> 3.0.7-8.el9
openssl-libs 1:3.2.2-6.el9_5.1 -> 1:3.5.1-4.el9_7
redhat-release 9.6-0.1.el9 -> 9.7-0.7.el9
redhat-release-eula 9.6-0.1.el9 -> 9.7-0.7.el9
shadow-utils 2:4.9-12.el9 -> 2:4.9-15.el9
systemd 252-51.el9_6.2 -> 252-55.el9_7.7
systemd-libs 252-51.el9_6.2 -> 252-55.el9_7.7
systemd-pam 252-51.el9_6.2 -> 252-55.el9_7.7
systemd-rpm-macros 252-51.el9_6.2 -> 252-55.el9_7.7
tzdata 2025b-1.el9 -> 2025b-2.el9
qatengine 1.7.0-1.el9 -> 1.9.0-1.el9
hwdata 0.348-9.18.el9 -> 0.348-9.20.el9
numactl-libs 2.0.19-1.el9 -> 2.0.19-3.el9

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing

CVE-2025-59375

More information

Details

A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.

Severity

Important

References

systemd-coredump: race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump

CVE-2025-4598

More information

Details

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Severity

Moderate

References

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@konflux-internal-p02
chore(deps): refresh rpm lockfiles [SECURITY]
eaf2674 
Signed-off-by: konflux-internal-p02 <170854209+konflux-internal-p02[bot]@users.noreply.github.com>
@konflux-internal-p02 konflux-internal-p02 bot force-pushed the konflux/mintmaker/release-6.1/lock-file-maintenance-vulnerability branch from ac8b6fd to eaf2674 Compare December 3, 2025 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant