CPBR-3749: upgrade cp-base-new to Python 3.14 + bump docker-utils v0.0.170 (CVE-2026-25645)#1655

Open: Nitin Singh (nitsingh-ui) wants to merge 2 commits into 8.0.2-cp7 from CPBR-3749-python-upgrade-cherrypick

Conversation

@nitsingh-ui
Member

Summary

Fix CVE-2026-25645 in cp-base-new (and downstream cp-jmxterm) on the FedRAMP 8.0.2-cp7 branch.

The CVE fix is in requests==2.33.0, which requires Python ≥ 3.10. cp-base-new on 8.0.2-cp7 currently ships Python 3.9.25, so a docker-utils-only bump to v0.0.170 (PR #1654) failed at the pip install step:

ERROR: Could not find a version that satisfies the requirement requests~=2.33.0
       (from versions: …, 2.32.4, 2.32.5)

This PR ports the Python 3.14 from-source build (sigstore-verified) from active development branch 8.0.x (and 8.1.x, which are identical for these files) onto 8.0.2-cp7, while preserving cp7's FedRAMP-specific FIPS bits (OPENSSL_LIBS_VERSION arg + microdnf reinstall -y openssl-libs + update-crypto-policies --set FIPS + openssl-fips.cnf).

Changes

  • pom.xml
    • Add <python-runtime.3-14.version>3.14.4</…> (matches 8.0.x / 8.1.x / master)
    • Bump <git-repo.confluent-docker-utils.tag> v0.0.169 → v0.0.170 (carries requests~=2.33.0)
  • base/pom.xml
    • Swap PYTHON39_VERSION → PYTHON314_VERSION build arg (using ${python-runtime.3-14.version}) in both dockerfile-maven-plugin and fabric8/docker-maven-plugin blocks
    • Remove PYTHON_PIP_VERSION build arg (Python 3.14 source compile bundles pip)
  • base/Dockerfile.ubi9
    • Replace microdnf install python3 + python3-pip with Python 3.14 source compile + sigstore tarball verification
    • Set update-alternatives for python/python3/pip/pip3 → /usr/local/bin/python3.14
    • Preserve FIPS bits: OPENSSL_LIBS_VERSION arg, openssl-libs install, microdnf reinstall -y openssl-libs, update-crypto-policies --set FIPS, COPY openssl-fips.cnf

Reference

JIRA: https://confluentinc.atlassian.net/browse/CPBR-3749

⚠️ First Python upgrade ever applied to a -cp* FedRAMP hotfix branch in this repo. Survey of all -cp / -post / -hotfix branches shows none have moved off Python 3.9 before. Recommend FedRAMP/security review.
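The pip failure quoted above is the classic shape of a minimum-interpreter mismatch: pip silently skips every release whose `Requires-Python` excludes the running interpreter and then reports that no version satisfies the pin. The following POSIX sh snippet is an added example, not code from this PR, cp-base-new or docker-utils; it encodes the one fact the description states (requests 2.33.0 needs Python ≥ 3.10) as a pre-flight check that a base-image build could run before `pip install`, so the failure is caught with an explanation rather than as a cryptic resolver error. The version constant and the two sample versions (3.9.25, 3.14.4) are taken from the description; everything else is constructed for illustration. Version components are compared numerically, because a plain string comparison ranks 3.9 above 3.10 and would pass the very case this PR had to fix.

```shell
#!/bin/sh
# Added example (not part of the PR): pre-flight check that the Python
# in a base image is new enough for a pinned package before pip runs.

# Minimum interpreter for the requests release carrying the CVE fix,
# as stated in the PR description (assumption: taken from that text).
REQUESTS_FIX_MIN_PYTHON=3.10

# version_ge A B -> exit 0 when A >= B, comparing up to three numeric
# components. Missing components count as 0, so "3.10" == "3.10.0".
# A string compare would wrongly rank 3.9.x above 3.10, which is
# exactly the mistake this guards against.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# requests_fix_installable PYVER -> prints "ok" when the interpreter
# version can take requests~=2.33.0, otherwise "blocked".
requests_fix_installable() {
    if version_ge "$1" "$REQUESTS_FIX_MIN_PYTHON"; then
        echo ok
    else
        echo blocked
    fi
}

# explain_check PYVER -> human-readable verdict for build logs; returns
# non-zero on "blocked" so a Dockerfile RUN step would fail early.
explain_check() {
    pyver="$1"
    verdict=$(requests_fix_installable "$pyver")
    if [ "$verdict" = ok ]; then
        echo "python $pyver satisfies requests~=2.33.0 (needs >= $REQUESTS_FIX_MIN_PYTHON)"
        return 0
    fi
    echo "python $pyver is too old for requests~=2.33.0 (needs >= $REQUESTS_FIX_MIN_PYTHON); upgrade the interpreter first"
    return 1
}

# Constructed sample run: the cp7 base before this PR, and after it.
explain_check 3.9.25 || true
explain_check 3.14.4
```

In a real build the `PYVER` argument would come from the image's own interpreter, for example `python3 -c 'import sys; print("%d.%d.%d" % sys.version_info[:3])'`; the check is kept independent of a local interpreter here so the snippet runs anywhere.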

