chore(deps): refresh rpm lockfiles [SECURITY]

[konflux-internal-p02]

This PR contains the following updates:

File rpms.in.yaml:

Package	Change
coreutils	8.30-15.el8 -> 8.30-16.el8_10
coreutils-common	8.30-15.el8 -> 8.30-16.el8_10
curl	7.61.1-34.el8_10.8 -> 7.61.1-34.el8_10.9
dracut	049-237.git20250603.el8_10 -> 049-239.git20251127.el8_10
findutils	1:4.6.0-23.el8_10 -> 1:4.6.0-24.el8_10
glibc	2.28-251.el8_10.25 -> 2.28-251.el8_10.27
glibc-all-langpacks	2.28-251.el8_10.25 -> 2.28-251.el8_10.27
glibc-common	2.28-251.el8_10.25 -> 2.28-251.el8_10.27
glibc-gconv-extra	2.28-251.el8_10.25 -> 2.28-251.el8_10.27
libblkid	2.32.1-46.el8 -> 2.32.1-47.el8_10
libcurl	7.61.1-34.el8_10.8 -> 7.61.1-34.el8_10.9
libfdisk	2.32.1-46.el8 -> 2.32.1-47.el8_10
libmount	2.32.1-46.el8 -> 2.32.1-47.el8_10
libsmartcols	2.32.1-46.el8 -> 2.32.1-47.el8_10
libuuid	2.32.1-46.el8 -> 2.32.1-47.el8_10
pam	1.3.1-38.el8_10 -> 1.3.1-39.el8_10
shadow-utils	2:4.6-22.el8 -> 2:4.6-23.el8_10
tzdata	2025b-1.el8 -> 2025c-1.el8
util-linux	2.32.1-46.el8 -> 2.32.1-47.el8_10

---

curl: libcurl: Curl out of bounds read for cookie path

CVE-2025-9086

More information

Details

1. A cookie is set using the secure keyword for https://target
2. curl is redirected to or otherwise made to speak with http://target (same
   hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (path='/').
   Since this site is not secure, the cookie should just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer
   boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-9086
• https://bugzilla.redhat.com/show_bug.cgi?id=2394750
• https://www.cve.org/CVERecord?id=CVE-2025-9086
• https://nvd.nist.gov/vuln/detail/CVE-2025-9086
• https://curl.se/docs/CVE-2025-9086.html
• https://curl.se/docs/CVE-2025-9086.json
• https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6
• https://hackerone.com/reports/3294999

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.