chore(deps): refresh rpm lockfiles [SECURITY]

[red-hat-konflux-kflux-prd-rh03]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

net/http: Request smuggling due to acceptance of invalid chunked data in net/http

CVE-2025-22871

More information

Details

A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-22871
• https://bugzilla.redhat.com/show_bug.cgi?id=2358493
• https://www.cve.org/CVERecord?id=CVE-2025-22871
• https://nvd.nist.gov/vuln/detail/CVE-2025-22871
• https://go.dev/cl/652998
• https://go.dev/issue/71988
• https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk
• https://pkg.go.dev/vuln/GO-2025-3563

---

cmd/go: Go VCS Command Execution Vulnerability

CVE-2025-4674

More information

Details

A flaw was found in cmd/go. The go command can execute arbitrary commands when processing untrusted version control system (VCS) repositories containing malicious configuration. This issue occurs because the command interprets VCS metadata, potentially leading to unintended command execution. This vulnerability allows a malicious actor to trigger this by providing a repository with a crafted VCS configuration, resulting in arbitrary code execution within the context of the go process.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-4674
• https://bugzilla.redhat.com/show_bug.cgi?id=2384329
• https://www.cve.org/CVERecord?id=CVE-2025-4674
• https://nvd.nist.gov/vuln/detail/CVE-2025-4674
• https://go.dev/cl/686515
• https://go.dev/issue/74380
• https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
• https://pkg.go.dev/vuln/GO-2025-3828

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).

[openshift-ci]

@red-hat-konflux-kflux-prd-rh03[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/rhcos	0e4c4a6	link	true	/test rhcos

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.