chore(deps): refresh rpm lockfiles [SECURITY]

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

File .konflux/rpms/rpms.in.yaml:

Package	Change
git	2.43.5-2.el8_10 -> 2.43.7-1.el8_10
git-core	2.43.5-2.el8_10 -> 2.43.7-1.el8_10
git-core-doc	2.43.5-2.el8_10 -> 2.43.7-1.el8_10
perl-Git	2.43.5-2.el8_10 -> 2.43.7-1.el8_10
openssh	8.0p1-25.el8_10 -> 8.0p1-27.el8_10
openssh-clients	8.0p1-25.el8_10 -> 8.0p1-27.el8_10

---

openssh: Machine-in-the-middle attack if VerifyHostKeyDNS is enabled

CVE-2025-26465

More information

Details

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-26465
• https://bugzilla.redhat.com/show_bug.cgi?id=2344780
• https://www.cve.org/CVERecord?id=CVE-2025-26465
• https://nvd.nist.gov/vuln/detail/CVE-2025-26465
• https://access.redhat.com/solutions/7109879
• https://seclists.org/oss-sec/2025/q1/144

---

openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand

CVE-2025-61985

More information

Details

ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-61985
• https://bugzilla.redhat.com/show_bug.cgi?id=2401962
• https://www.cve.org/CVERecord?id=CVE-2025-61985
• https://nvd.nist.gov/vuln/detail/CVE-2025-61985
• https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
• https://www.openssh.com/releasenotes.html#10.1p1
• https://www.openwall.com/lists/oss-security/2025/10/06/1

---

openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand

CVE-2025-61984

More information

Details

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-61984
• https://bugzilla.redhat.com/show_bug.cgi?id=2401960
• https://www.cve.org/CVERecord?id=CVE-2025-61984
• https://nvd.nist.gov/vuln/detail/CVE-2025-61984
• https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
• https://www.openssh.com/releasenotes.html#10.1p1
• https://www.openwall.com/lists/oss-security/2025/10/06/1

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

New changes are detected. LGTM label has been removed.