🌱 Bump Crypto to v0.43.0 and Go to 1.24 to fix vulnerability

[Sunnatillo]

What this PR does / why we need it:

Uplifts Crypto to v0.43.0 and Go to 1.24 to fix vulnerability

Fixes #

Checklist:

• Documentation has been updated, if necessary.
• Unit tests have been added, if necessary.
• E2E tests have been added, if necessary.
• Integration tests have been added, if necessary.

[metal3-io-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sunnatillo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Sunnatillo]

/test metal3-centos-e2e-integration-test-release-1-10

[Sunnatillo]

/test metal3-centos-e2e-integration-test-release-1-10

[Sunnatillo]

/test metal3-centos-e2e-integration-test-release-1-10

[lentzi90]

This is a minor go version bump. Can we really do it on a release branch?
I think we usually avoid that.

[Sunnatillo]

This is a minor go version bump. Can we really do it on a release branch? I think we usually avoid that.

Bump Crypto to v0.43.0 is a vulnerability fix. And it specifically requires v1.24.9 version. I was hesitant at first.
I am not sure. Should we uplift or not?

[Rozzii]

This is a minor go version bump. Can we really do it on a release branch? I think we usually avoid that.

Bump Crypto to v0.43.0 is a vulnerability fix. And it specifically requires v1.24.9 version. I was hesitant at first, because we use v1.24.9 in Dockerfile. I am not sure. Should we uplift or not?

Also the go.mod's go version bump is quite big for a patch release so we might need some discussion about it with the whole release team and maintainers.

[Rozzii]

This is a minor go version bump. Can we really do it on a release branch? I think we usually avoid that.

Bump Crypto to v0.43.0 is a vulnerability fix. And it specifically requires v1.24.9 version. I was hesitant at first, because we use v1.24.9 in Dockerfile. I am not sure. Should we uplift or not?

Also the go.mod's go version bump is quite big for a patch release so we might need some discussion about it with the whole release team and maintainers.

Let's wait until monday, My assesment is that although in my eyes fixing the CVE would justify the go.mod GO version bump, the CVE description tells me that we are not affected even do this is a 7,5 CVE as we are not using the effected lib to facilitate SSH connections. So at least IMO we don't need to hurry this let's wait with the patch release until Monday let's the actual security expert take a look.
vuln: GHSA-56w8-48fp-6mgv

[Rozzii]

/lgtm
/hold
Let's hold to evaluate the vuln.

[Rozzii]

@adilGhaffarDev noticed CVE is only affecting our e2e test code not he actual application so
/lgtm cancel
We can skip this bump.

[tuminoid]

Not really vulnerable, thus we don't bump the go.mod versioning to avoid breaking downstream users.

/close

[tuminoid]

We shouldn't do this in release branches

[metal3-io-bot]

@tuminoid: Closed this PR.

In response to this:

Not really vulnerable, thus we don't bump the go.mod versioning to avoid breaking downstream users.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.