NO-ISSUE: Refresh RPM lockfiles [SECURITY] #9970

Open
red-hat-konflux[bot] wants to merge 1 commit into master from
konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability

Conversation

red-hat-konflux bot (Contributor) commented Mar 4, 2026

This PR contains the following updates:

File rpm-prefetching/assisted-service-rhel9/rpms.in.yaml:

Package           | Change
openshift-clients | 4.17.0-202511252115.p2.gd76df14.assembly.stream.el9 -> 4.17.0-202602172042.p2.gd76df14.assembly.stream.el9
crun              | 1.23.1-2.el9_7 -> 1.26-1.el9_7
kernel-headers    | 5.14.0-611.35.1.el9_7 -> 5.14.0-611.38.1.el9_7

runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects

CVE-2025-52881

Details

A flaw was found in runc. This attack is a more sophisticated variant of CVE-2019-16884, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation applied for CVE-2019-16884 was fairly limited and effectively only caused runc to verify that, when we write LSM labels, those labels are actual procfs files.

Severity

Important

golang: net/url: Memory exhaustion in query parameter parsing in net/url

CVE-2025-61726

Details

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.

Severity

Important

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.
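The net/url description above gives the failure mode: ParseForm allocates per unique parameter, so a request carrying enough of them exhausts memory. The package refresh in this PR is the remediation; the following is an added example, not code from this repository or from the Go project, showing a defence-in-depth guard an application can place in front of ParseForm whatever toolchain it was built with. The budget values, the Handler, and the FloodQuery helper (which constructs the kind of parameter flood the advisory describes) are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Budgets chosen for this example; real limits depend on the application.
const (
	MaxQueryBytes  = 8 << 10 // raw query string, before any decoding
	MaxQueryParams = 256     // '&'-separated pairs, counted without decoding
)

var ErrQueryTooLarge = errors.New("query string exceeds configured budget")

// CheckQueryBudget rejects a request whose raw query could make ParseForm
// allocate without bound. It only measures r.URL.RawQuery as bytes and
// counts '&' separators, so the check itself costs O(len(query)) and
// stores nothing per parameter.
func CheckQueryBudget(r *http.Request) error {
	raw := r.URL.RawQuery
	if len(raw) > MaxQueryBytes {
		return fmt.Errorf("%w: %d bytes", ErrQueryTooLarge, len(raw))
	}
	if raw == "" {
		return nil
	}
	// ParseQuery splits on '&'; count pairs the same way it would.
	if n := strings.Count(raw, "&") + 1; n > MaxQueryParams {
		return fmt.Errorf("%w: %d parameters", ErrQueryTooLarge, n)
	}
	return nil
}

// Handler applies the budget before calling ParseForm, and also bounds the
// body so a POST form cannot bypass the guard through the request body.
func Handler(w http.ResponseWriter, r *http.Request) {
	if err := CheckQueryBudget(r); err != nil {
		http.Error(w, err.Error(), http.StatusRequestURITooLong) // 414
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
	if err := r.ParseForm(); err != nil {
		http.Error(w, "malformed form data", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "parsed %d parameters\n", len(r.Form))
}

// FloodQuery builds a constructed query with n unique keys
// (k0=0&k1=1&...), the input shape the advisory describes.
func FloodQuery(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "k%d=%d", i, i)
	}
	return b.String()
}

// Probe sends a GET with the given raw query through Handler and returns
// the HTTP status code.
func Probe(query string) int {
	req := httptest.NewRequest(http.MethodGet, "/?"+query, nil)
	rec := httptest.NewRecorder()
	Handler(rec, req)
	return rec.Code
}

func main() {
	for _, q := range []string{"a=1&b=2", FloodQuery(300), FloodQuery(5000)} {
		fmt.Printf("%6d bytes -> HTTP %d\n", len(q), Probe(q))
	}
}
```

The two limits catch different floods: FloodQuery(300) stays under the byte budget but trips the parameter count, while FloodQuery(5000) trips the byte budget first. Both are rejected before ParseForm runs, so the cost of a hostile request is bounded by the length of its query string rather than by the number of keys it contains.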

@red-hat-konflux red-hat-konflux bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. rpm-lockfile labels Mar 4, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 4, 2026
openshift-ci-robot bot commented

@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

In response to this:

This PR contains the following updates:

File rpm-prefetching/assisted-service-rhel9/rpms.in.yaml:

Package           | Change
openshift-clients | 4.17.0-202511252115.p2.gd76df14.assembly.stream.el9 -> 4.17.0-202602172042.p2.gd76df14.assembly.stream.el9
kernel-headers    | 5.14.0-611.35.1.el9_7 -> 5.14.0-611.36.1.el9_7

golang: net/url: Memory exhaustion in query parameter parsing in net/url

CVE-2025-61726

Details

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.

Severity

Important

runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects

CVE-2025-52881

Details

A flaw was found in runc. This attack is a more sophisticated variant of CVE-2019-16884, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation applied for CVE-2019-16884 was fairly limited and effectively only caused runc to verify that, when we write LSM labels, those labels are actual procfs files.

Severity

Important

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
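The runc description quoted above says the CVE-2019-16884 mitigation only verified that the file receiving an LSM label is really on procfs. As an added illustration of that class of check, and not runc's, crun's, or this repository's code, the following Go function opens the target without following a trailing symlink and then inspects the already-open descriptor's filesystem type, so the decision is made on the same object the later write would hit. The magic constant, error value and helper names are this example's own, and it assumes Linux with /proc mounted. The limitation the description points at still applies: a filesystem-type check accepts any procfs file, so a write redirected onto a different procfs entry passes it; the package update in this PR, not this check, is the remediation.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// Linux PROC_SUPER_MAGIC, defined locally so the example needs nothing
// outside the standard library.
const procSuperMagic = 0x9fa0

var ErrNotProcfs = errors.New("target is not on procfs")

// OpenProcfsFile opens path with O_NOFOLLOW (a symlink planted as the final
// component is rejected) and then checks, on the open descriptor, that the
// file is backed by procfs. Checking the descriptor rather than the path
// closes the window between the check and the write: whatever the path
// resolves to afterwards no longer matters.
func OpenProcfsFile(path string, flag int) (*os.File, error) {
	f, err := os.OpenFile(path, flag|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	var st syscall.Statfs_t
	if err := syscall.Fstatfs(int(f.Fd()), &st); err != nil {
		f.Close()
		return nil, fmt.Errorf("fstatfs %s: %w", path, err)
	}
	if st.Type != procSuperMagic {
		f.Close()
		return nil, fmt.Errorf("%w: %s is on filesystem type %#x", ErrNotProcfs, path, st.Type)
	}
	return f, nil
}

// IsProcfsPath reports whether path passes the check when opened read-only.
func IsProcfsPath(path string) bool {
	f, err := OpenProcfsFile(path, os.O_RDONLY)
	if err != nil {
		return false
	}
	f.Close()
	return true
}

func main() {
	// A temporary file stands in for the "dummy tmpfs file" of CVE-2019-16884.
	tmp, err := os.CreateTemp("", "not-procfs-*")
	if err != nil {
		fmt.Println("cannot create temp file:", err)
		return
	}
	defer os.Remove(tmp.Name())
	tmp.Close()

	for _, p := range []string{"/proc/self/status", tmp.Name()} {
		fmt.Printf("%-40s procfs=%v\n", p, IsProcfsPath(p))
	}
}
```

The check is necessary but not sufficient, which is exactly the gap the description describes for the older mitigation: it distinguishes procfs from tmpfs, but cannot tell one procfs file from another, so a caller that must write a label to a specific attr file still needs to confirm it is writing to that file and nothing else.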

coderabbitai bot commented Mar 4, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Updated RPM entries in rpm-prefetching/assisted-service-rhel9/rpms.lock.yaml for all architectures to reference newer 4.17.0-202602172042.p2.gd76df14.assembly.stream.el9 package builds, updating URLs, sizes, checksums, EVR and sourcerpm metadata.

Changes

Cohort / File(s) Summary
RPM Lockfile Update
rpm-prefetching/assisted-service-rhel9/rpms.lock.yaml
Replaced multiple RPM asset entries across aarch64, ppc64le, s390x, and x86_64 with updated package URLs and metadata (size, checksum, evr, sourcerpm) pointing to 4.17.0-202602172042.p2.gd76df14.assembly.stream.el9 builds (notably openshift-clients and kernel-headers).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description lacks required template sections including issue association, change type selection, environment impact checkbox, and testing methodology. Add missing template sections: select relevant change type (e.g., Enhancement for security updates), indicate testing approach (likely 'No tests needed' for lock file updates), and include issue references or security advisory details in structured format per template guidelines.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title 'NO-ISSUE: Refresh RPM lockfiles [SECURITY]' directly relates to the PR's main objective of updating RPM lockfiles to address security vulnerabilities.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names ✅ Passed This PR only modifies rpm-prefetching/assisted-service-rhel9/rpms.lock.yaml, not Ginkgo test files, so the test name check is not applicable.
Test Structure And Quality ✅ Passed This PR only modifies RPM lockfile configuration (rpms.lock.yaml) with package version updates, containing no Ginkgo test code or test files.


@openshift-ci openshift-ci bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 4, 2026
@openshift-ci openshift-ci bot requested review from maorfr and romfreiman March 4, 2026 12:26
codecov bot commented Mar 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.08%. Comparing base (7b05e33) to head (6fda2ec).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #9970      +/-   ##
==========================================
- Coverage   44.09%   44.08%   -0.01%     
==========================================
  Files         415      415              
  Lines       72258    72258              
==========================================
- Hits        31860    31856       -4     
- Misses      37518    37520       +2     
- Partials     2880     2882       +2     

see 2 files with indirect coverage changes


red-hat-konflux bot force-pushed the konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability branch from c09bbec to 3327099 on March 5, 2026 16:13
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2026
openshift-ci bot commented Mar 5, 2026

New changes are detected. LGTM label has been removed.

red-hat-konflux bot force-pushed the konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability branch 10 times, most recently from 6d6a0d1 to 58290a8 on March 11, 2026 18:25
openshift-ci bot commented Mar 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

red-hat-konflux bot force-pushed the konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability branch 3 times, most recently from 32bf029 to 7fddb1a on March 12, 2026 16:25
@openshift-ci openshift-ci bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 12, 2026
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
red-hat-konflux bot force-pushed the konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability branch from 7fddb1a to 6fda2ec on March 13, 2026 20:14
openshift-ci bot commented Mar 13, 2026

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. rpm-lockfile size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

1 participant