
@red-hat-konflux
Contributor

This PR contains the following updates:

File rpms.in.yaml:

| Package | Change |
|---|---|
| aardvark-dns | 2:1.14.0-1.el9 -> 2:1.16.0-1.el9 |
| buildah | 2:1.39.4-2.el9_6 -> 2:1.41.4-3.el9_7 |
| containers-common | 2:1-117.el9_6 -> 4:1-135.el9_7 |
| containers-common-extra | 2:1-117.el9_6 -> 4:1-135.el9_7 |
| criu | 3.19-1.2.el9_6 -> 3.19-3.el9 |
| criu-libs | 3.19-1.2.el9_6 -> 3.19-3.el9 |
| crun | 1.23.1-2.el9_6 -> 1.23.1-2.el9_7 |
| fuse-overlayfs | 1.14-1.el9 -> 1.15-1.el9 |
| netavark | 2:1.14.1-1.el9_6 -> 2:1.16.0-1.el9 |
| passt | 0^20250217.ga1e48a0-13.el9_6 -> 0^20250512.g8ec1341-2.el9 |
| python3.11 | 3.11.11-2.el9_6.2 -> 3.11.13-3.el9 |
| python3.11-libs | 3.11.11-2.el9_6.2 -> 3.11.13-3.el9 |
| python3.11-pip | 22.3.1-5.el9 -> 22.3.1-6.el9 |
| python3.11-pip-wheel | 22.3.1-5.el9 -> 22.3.1-6.el9 |
| python3.11-setuptools | 65.5.1-4.el9_6 -> 65.5.1-5.el9 |
| python3.11-setuptools-wheel | 65.5.1-4.el9_6 -> 65.5.1-5.el9 |
| slirp4netns | 1.3.2-1.el9 -> 1.3.3-1.el9 |
| kmod | 28-10.el9 -> 28-11.el9 |
| nftables | 1:1.0.9-4.el9_6 -> 1:1.0.9-5.el9_7 |
| shadow-utils-subid | 2:4.9-12.el9 -> 2:4.9-15.el9 |

cpython: Cpython infinite loop when parsing a tarfile

CVE-2025-8194

Details

A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.

Severity

Moderate

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci openshift-ci bot requested review from bparees and syedriko November 11, 2025 16:19
@syedriko
Contributor

/retest
/lgtm
/approve
/override ci/prow/images

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 11, 2025
@openshift-ci

openshift-ci bot commented Nov 11, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: syedriko

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 11, 2025
@openshift-ci

openshift-ci bot commented Nov 11, 2025

@syedriko: Overrode contexts on behalf of syedriko: ci/prow/images

In response to this:

/retest
/lgtm
/approve
/override ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/lock-file-maintenance-vulnerability branch from 7b54f60 to fc5d88c Compare November 11, 2025 20:18
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Nov 11, 2025
@openshift-ci

openshift-ci bot commented Nov 11, 2025

New changes are detected. LGTM label has been removed.

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/lock-file-maintenance-vulnerability branch from fc5d88c to 127195d Compare November 12, 2025 20:21
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/lock-file-maintenance-vulnerability branch from 127195d to 5ce4308 Compare November 15, 2025 00:22

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.
