[release-v0.14] Update golang.org/x/crypto to v0.31.0

[adambkaplan]

Changes

Update golang.org/x/crypto to mitigate CVE-2024-45337. This has a severity grade of "Important" from Red Hat.

Cherry-pick of #1752

/kind dependency-change

Submitter Checklist

• Includes tests if functionality changed/was added
• Includes docs if changes are user-facing
• Set a kind label on this PR
• Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

Update golang.org/x/crypto to v0.31.0, to mitigate CVE-2024-45337

[adambkaplan]

@SaschaSchwarze0 @qu1queee I more or less cherry-picked #1752 to mitigate this vulnerability. Do we want to merge this and release a v0.14.1?

[SaschaSchwarze0]

@adambkaplan

To get a green PR, you need to cherry-pick #1731 first (edit: did that, #1757).

We can release v0.14.1, but unless you have time pressure, we can then also get #1751 reviewed and let the automation create the release automatically. Though, it would actually NOT create a release because of the crypto vulnerability because that is not relevant to our code base (I know why one would still want to bump it, the scanning tools ...), but there are other vulnerabilities that it can mitigate. (edit: just noticed that it lists the vulnerability, just not in all images)

Another reason to wait for tomorrow is to pick up the ubi9-minimal update from today and let the next base image build pick that up.

[SaschaSchwarze0]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SaschaSchwarze0

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [SaschaSchwarze0]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment