NO-ISSUE: Refresh RPM lockfiles RPM lockfile refresh [SECURITY]

[red-hat-konflux]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci-robot]

@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

This PR contains the following updates:

File rpm-prefetching/assisted-installer-controller/rpms.in.yaml:

Package	Change
rsync	3.2.5-3.el9_7.2 -> 3.2.5-7.el9_8.2
tar	2:1.34-9.el9_7 -> 2:1.34-11.el9

---

rsync: rsync server leaks arbitrary client files

CVE-2024-12086

More information

Details

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2024-12086
• https://bugzilla.redhat.com/show_bug.cgi?id=2330577
• https://www.cve.org/CVERecord?id=CVE-2024-12086
• https://nvd.nist.gov/vuln/detail/CVE-2024-12086
• https://kb.cert.org/vuls/id/952657

---

rsync: Rsync: Use-after-free vulnerability in extended attribute handling

CVE-2026-41035

More information

Details

A flaw was found in rsync. When rsync is configured to handle extended attributes (using the -X or --xattrs option), a remote attacker can exploit a use-after-free vulnerability. This occurs because the receive_xattr function incorrectly processes an untrusted length value during a sorting operation, leading to memory corruption. Successful exploitation can result in a denial of service, causing the rsync process to crash, and may potentially allow for arbitrary code execution.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-41035
• https://bugzilla.redhat.com/show_bug.cgi?id=2458898
• https://www.cve.org/CVERecord?id=CVE-2026-41035
• https://nvd.nist.gov/vuln/detail/CVE-2026-41035
• https://github.com/RsyncProject/rsync/issues/871
• https://github.com/RsyncProject/rsync/releases
• https://www.openwall.com/lists/oss-security/2026/04/16/2

---

rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot.

CVE-2026-29518

More information

Details

A flaw was found in rsync. An rsync daemon configured with "use chroot = no" is exposed
to a time-of-check / time-of-use race on parent path components. A local
attacker with write access to a module can replace a parent directory
component with a symlink between the receiver's check and its open(),
redirecting reads (basis-file disclosure) and writes (file overwrite)
outside the module. Under elevated daemon privilege this allows privilege
escalation. Default "use chroot = yes" is not exposed.
Reach: local attacker on the daemon host, write access to a module path,
daemon configured with use chroot = no.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-29518
• https://bugzilla.redhat.com/show_bug.cgi?id=2469055
• https://www.cve.org/CVERecord?id=CVE-2026-29518
• https://nvd.nist.gov/vuln/detail/CVE-2026-29518

---

rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding

CVE-2026-43618

More information

Details

A flaw was found in rsync. An authenticated daemon peer can exploit an integer overflow vulnerability in the compressed-token decoder. By carefully manipulating the compressed-token, a malicious sender can trigger an overflow, leading to remote memory disclosure. This allows an attacker to leak sensitive process memory contents, including environment variables, passwords, and memory pointers, which significantly weakens Address Space Layout Randomization (ASLR) and can facilitate further exploitation.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-43618
• https://bugzilla.redhat.com/show_bug.cgi?id=2469054
• https://www.cve.org/CVERecord?id=CVE-2026-43618
• https://nvd.nist.gov/vuln/detail/CVE-2026-43618

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
• At any time (no schedule defined)
• Automerge
• At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ef47066d-d409-43b0-994b-16691fa5d7be

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/v2.52/lock-file-maintenance-rpm-lockfile-refresh-vulnerability

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (v2.52@69f596a). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff            @@
##             v2.52    #2191   +/-   ##
========================================
  Coverage         ?   48.82%           
========================================
  Files            ?       20           
  Lines            ?     4397           
  Branches         ?        0           
========================================
  Hits             ?     2147           
  Misses           ?     2026           
  Partials         ?      224           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 69f596a and 2 for PR HEAD 40ececd in total

[openshift-ci]

@red-hat-konflux[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/lint	40ececd	link	true	/test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.