
Update packages to fix CVEs in RHEL STIG images#291

Merged
almaslennikov merged 1 commit into Mellanox:main from almaslennikov:cve-rhel on Feb 13, 2026

Conversation

@almaslennikov (Collaborator)

CVE-2025-15467, CVE-2025-66418, CVE-2026-21441: python3-urllib3 -> 1.26.5-6.el9_7.1
CVE-2025-66471, CVE-2025-69421: openssl, openssl-libs -> 1:3.5.1-7.el9_7

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@greptile-apps bot commented Feb 13, 2026

Greptile Overview

Greptile Summary

This PR implements a targeted security patch mechanism for RHEL STIG images by adding a CVE_UPDATES_RHEL build argument that allows selective package updates during image builds. The changes update openssl and python3-urllib3 packages to address five CVEs.

  • Introduces CVE_UPDATES_RHEL variable in GitLab CI containing the list of packages to update
  • Adds conditional dnf update step in both operator and daemon STIG Dockerfiles
  • Update runs after MFT installation, ensuring dependencies are also patched
  • Approach is clean and maintainable for future CVE remediation

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The implementation is straightforward and follows best practices: adds a centralized CI variable for vulnerable packages, uses conditional package updates in Dockerfiles, and positions updates after dependency installations to ensure comprehensive patching. No logic changes or breaking modifications.
  • No files require special attention

Important Files Changed

Filename | Overview
.gitlab-ci.yml | Added CVE_UPDATES_RHEL variable and passed it to RHEL STIG image builds to enable targeted package updates
Dockerfile.daemon.stig-rhel | Added conditional package update step after MFT installation to patch CVEs in openssl and python3-urllib3
Dockerfile.operator.stig-rhel | Added conditional package update step after MFT installation to patch CVEs in openssl and python3-urllib3

Last reviewed commit: c96595e

@greptile-apps bot left a comment: 3 files reviewed, no comments
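The review summary above describes a `dnf update` restricted to the packages listed in `CVE_UPDATES_RHEL`. That step exits successfully ("Nothing to do") even when the repositories enabled at build time do not yet carry the fixed builds, so a practitioner would want a post-build check that the installed epoch:version-release of each listed package is at least the one quoted in the PR description. The following is an added example, not code from the Mellanox repository or from this PR. The sample `rpm -qa` lines are constructed, the file name `check_cve_fix.py` in the usage comment is hypothetical, and the version comparison is a pure-Python reimplementation of RPM's ordering rules (rpmvercmp) rather than a call into librpm, so it can run on a host without rpm tooling.

```python
"""Post-build check that the packages named in the PR reached their fixed
versions. Added example for this page; not code from the Mellanox repository.
RPM's version ordering (rpmvercmp) is reimplemented in pure Python, then
`rpm -qa` output is compared against the minimum fixed EVRs from the PR."""
import re
import sys
from typing import Dict, Tuple

# Minimum fixed versions, copied from the PR description.
REQUIRED: Dict[str, str] = {
    "python3-urllib3": "1.26.5-6.el9_7.1",
    "openssl": "1:3.5.1-7.el9_7",
    "openssl-libs": "1:3.5.1-7.el9_7",
}

# Constructed sample of
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' openssl openssl-libs python3-urllib3
# from an image where the openssl update did not land (older release number).
# rpm prints '(none)' for packages that carry no epoch.
SAMPLE_RPM_QA = """\
openssl 1:3.5.1-5.el9_7
openssl-libs 1:3.5.1-7.el9_7
python3-urllib3 (none):1.26.5-6.el9_7.1
"""

_TOKEN = re.compile(r"\d+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """RPM ordering for a version or release string; returns -1, 0 or 1.
    Separators are ignored, numeric segments compare as integers, alphabetic
    ones lexically, numeric beats alphabetic, '~' sorts before anything
    (even end of string), '^' sorts after end of string but before any
    other segment."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[j] if j < len(tb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
        elif x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
        elif x is None:
            return -1
        elif y is None:
            return 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        else:
            xa, ya = (int(x), int(y)) if x.isdigit() else (x, y)
            if xa != ya:
                return 1 if xa > ya else -1
        i += 1
        j += 1
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'E:V-R'; the epoch is optional and may be printed as '(none)'."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare full epoch:version-release strings the way rpm/dnf do."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def unpatched(rpm_qa_output: str, required: Dict[str, str] = REQUIRED) -> Dict[str, str]:
    """Map each required package that is missing or older than its fixed
    version to what is installed; an empty result means the image is patched."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, evr = line.split(None, 1)
            installed[name] = evr.strip()
    return {
        name: installed.get(name, "not installed")
        for name, minimum in required.items()
        if name not in installed or evrcmp(installed[name], minimum) < 0
    }


if __name__ == "__main__":
    # Pipe real output in, e.g. (IMAGE and the script name are placeholders):
    #   docker run --rm IMAGE rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' | python3 check_cve_fix.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    bad = unpatched(data)
    for name, have in bad.items():
        print(f"{name}: installed {have}, need >= {REQUIRED[name]}")
    sys.exit(1 if bad else 0)
```

Run against the constructed sample it reports `openssl` as still at the older release; wired into CI after the image build, a non-zero exit fails the pipeline instead of shipping an image whose `dnf update` step had nothing to pull. The epoch is compared first because `1:3.5.1` outranks any `3.x` without an epoch, which a plain string or `sort -V` comparison gets wrong.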

@almaslennikov almaslennikov merged commit 1f563f6 into Mellanox:main Feb 13, 2026
7 of 10 checks passed