[release-4.13] OCPBUGS-46235: CVE-2024-45337, CVE-2025-22869 Update golang.org/x/crypto to patched OpenShift fork

[aman4433]

To address CVE-2024-45337, update golang.org/x/crypto/ssh to version v0.31.0 or later. This fixes an authorization bypass in ServerConfig.PublicKeyCallback that could allow unauthorized SSH access. Users should apply the update and rebuild affected applications immediately.

We are using the OpenShift fork of golang.org/x/crypto (tagged v0.35.0-openshift) to avoid introducing an implicit Go version upgrade, which the upstream v0.35.0 module enforces.

[openshift-ci-robot]

@aman4433: This pull request references Jira Issue OCPBUGS-46235, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.13.z) matches configured target version for branch (4.13.z)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-46233 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-46233 targets the "4.14.z" version, which is one of the valid target versions: 4.14.0, 4.14.z
• bug has dependents

Requesting review from QA contact:
/cc @sunzhaohua2

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

To address CVE-2024-45337, update golang.org/x/crypto/ssh to version v0.31.0 or later. This fixes an authorization bypass in ServerConfig.PublicKeyCallback that could allow unauthorized SSH access. Users should apply the update and rebuild affected applications immediately.

We are using the OpenShift fork of golang.org/x/crypto (tagged v0.35.0-openshift) to avoid introducing an implicit Go version upgrade, which the upstream v0.35.0 module enforces.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign damdo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[aman4433]

/retest-required

[openshift-ci]

@aman4433: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	6c888ad	link	true	/test images
ci/prow/unit	6c888ad	link	true	/test unit
ci/prow/govet	6c888ad	link	true	/test govet

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[aman4433]

Hi @damdo / @sunzhaohua2,
the pull-ci-openshift-cluster-api-provider-ibmcloud-release-4.13-unit job fails during go vet with Go 1.20-only symbols (bytes.Clone, subtle.XORBytes) from the updated crypto fork, while 4.12 passes. Could you please advise how we should move forward here? or skip this update for older branches?