chore(deps): refresh rpm lockfiles [SECURITY]

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

File .konflux/rpms/rpms.in.yaml:

Package	Change
git	2.43.5-2.el8_10 -> 2.43.7-1.el8_10
git-core	2.43.5-2.el8_10 -> 2.43.7-1.el8_10
git-core-doc	2.43.5-2.el8_10 -> 2.43.7-1.el8_10
perl-Git	2.43.5-2.el8_10 -> 2.43.7-1.el8_10
openssh	8.0p1-25.el8_10 -> 8.0p1-27.el8_10
openssh-clients	8.0p1-25.el8_10 -> 8.0p1-27.el8_10

---

openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand

CVE-2025-61984

More information

Details

A flaw was found in OpenSSH where control characters in usernames were not properly validated when sourced from untrusted inputs like the command line or configuration expansion. If a ProxyCommand is used, these control characters could modify command behavior, potentially leading to code execution.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-61984
• https://bugzilla.redhat.com/show_bug.cgi?id=2401960
• https://www.cve.org/CVERecord?id=CVE-2025-61984
• https://nvd.nist.gov/vuln/detail/CVE-2025-61984
• https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
• https://www.openssh.com/releasenotes.html#10.1p1
• https://www.openwall.com/lists/oss-security/2025/10/06/1

---

openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand

CVE-2025-61985

More information

Details

A flaw was found in OpenSSH where the SSH client accepted \0 (null) characters in ssh:// URIs. When a ProxyCommand is configured, these characters could alter how the command is parsed, potentially leading to code execution depending on how the proxy is set up.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-61985
• https://bugzilla.redhat.com/show_bug.cgi?id=2401962
• https://www.cve.org/CVERecord?id=CVE-2025-61985
• https://nvd.nist.gov/vuln/detail/CVE-2025-61985
• https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
• https://www.openssh.com/releasenotes.html#10.1p1
• https://www.openwall.com/lists/oss-security/2025/10/06/1

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-pipelines member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

New changes are detected. LGTM label has been removed.