chore(deps): refresh rpm lockfiles [SECURITY]

[red-hat-konflux]

This PR contains the following updates:

File rpms.in.yaml:

Package	Change
python-unversioned-command	3.9.25-3.el9_7 -> 3.9.25-3.el9_7.1
python3	3.9.25-3.el9_7 -> 3.9.25-3.el9_7.1
python3-libs	3.9.25-3.el9_7 -> 3.9.25-3.el9_7.1

---

cpython: IMAP command injection in user-controlled commands

CVE-2025-15366

More information

Details

A flaw was found in the imaplib module in the Python standard library. The imaplib module does not reject control characters, such as newlines, in user-controlled input passed to IMAP commands. This issue allows an attacker to inject additional commands to be executed in the IMAP server.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-15366
• https://bugzilla.redhat.com/show_bug.cgi?id=2431368
• https://www.cve.org/CVERecord?id=CVE-2025-15366
• https://nvd.nist.gov/vuln/detail/CVE-2025-15366
• https://github.com/python/cpython/issues/143921
• https://github.com/python/cpython/pull/143922
• https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/

---

cpython: email header injection due to unquoted newlines

CVE-2026-1299

More information

Details

A flaw was found in the email module in the Python standard library. When serializing an email message, the BytesGenerator class fails to properly quote newline characters for email headers. This issue is exploitable when the LiteralHeader class is used as it does not respect email folding rules, allowing an attacker to inject email headers and potentially modify message recipients or the email body, and spoof sender information.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2026-1299
• https://bugzilla.redhat.com/show_bug.cgi?id=2432437
• https://www.cve.org/CVERecord?id=CVE-2026-1299
• https://nvd.nist.gov/vuln/detail/CVE-2026-1299
• https://cve.org/CVERecord?id=CVE-2024-6923
• https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413
• https://github.com/python/cpython/issues/144125
• https://github.com/python/cpython/pull/144126
• https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/

---

cpython: POP3 command injection in user-controlled commands

CVE-2025-15367

More information

Details

A flaw was found in the poplib module in the Python standard library. The poplib module does not reject control characters, such as newlines, in user-controlled input passed to POP3 commands. This issue allows an attacker to inject additional commands to be executed in the POP3 server.

Severity

Moderate

References

• https://access.redhat.com/security/cve/CVE-2025-15367
• https://bugzilla.redhat.com/show_bug.cgi?id=2431373
• https://www.cve.org/CVERecord?id=CVE-2025-15367
• https://nvd.nist.gov/vuln/detail/CVE-2025-15367
• https://github.com/python/cpython/issues/143923
• https://github.com/python/cpython/pull/143924
• https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[rhacs-bot]

Auto-approved by automation.