[release-4.12] OCPBUGS-46236: CVE-2024-45337, CVE-2025-22869 Update golang.org/x/crypto to patched OpenShift fork

[aman4433]

To address GHSA-v778-237x-gjrc, update golang.org/x/crypto/ssh to version v0.31.0 or later. This fixes an authorization bypass in ServerConfig.PublicKeyCallback that could allow unauthorized SSH access. Users should apply the update and rebuild affected applications immediately.

We are using the OpenShift fork of golang.org/x/crypto (tagged v0.35.0-openshift) to avoid introducing an implicit Go version upgrade, which the upstream v0.35.0 module enforces.

[openshift-ci-robot]

@aman4433: This pull request references Jira Issue OCPBUGS-46236, which is invalid:

• expected dependent Jira Issue OCPBUGS-46235 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

To address GHSA-v778-237x-gjrc, update golang.org/x/crypto/ssh to version v0.31.0 or later. This fixes an authorization bypass in ServerConfig.PublicKeyCallback that could allow unauthorized SSH access. Users should apply the update and rebuild affected applications immediately.

We are using the OpenShift fork of golang.org/x/crypto (tagged v0.35.0-openshift) to avoid introducing an implicit Go version upgrade, which the upstream v0.35.0 module enforces.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mkumatag for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@aman4433: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci]

@openshift-bot: Closed this PR.

Details

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@aman4433: This pull request references Jira Issue OCPBUGS-46236. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

Details

In response to this:

To address GHSA-v778-237x-gjrc, update golang.org/x/crypto/ssh to version v0.31.0 or later. This fixes an authorization bypass in ServerConfig.PublicKeyCallback that could allow unauthorized SSH access. Users should apply the update and rebuild affected applications immediately.

We are using the OpenShift fork of golang.org/x/crypto (tagged v0.35.0-openshift) to avoid introducing an implicit Go version upgrade, which the upstream v0.35.0 module enforces.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.