Merge pull request #264 from Jooho/RHOAIENG-1836

Fixes CVE-2023-37788 github.com/elazarl/goproxy Denial of Service (DoS)

go.mod

@@ -134,13 +134,23 @@ require (
 )
 
 replace (
-  // Fixes CVE-2022-21698 and CVE-2023-45142
-  // this dependency comes from k8s.io/[email protected] and k8s.io/[email protected]
-  // before removing it make sure that the next version of the related k8s dependencies contains the fix
-  go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
+
+	// Fixes CVE-2022-21698 and CVE-2023-45142
+	// this dependency comes from k8s.io/[email protected] and k8s.io/[email protected]
+	// before removing it make sure that the next version of the related k8s dependencies contains the fix
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
+	// The crypto is pulled from go/compute which is pulled by go/storage
+	// this replace can be removed when version 1.36.1 of go/storage is released.
+	// https://github.com/googleapis/google-cloud-go/tree/main/storage
+	// Fixes CVE-2023-48795 - golang.org/x/crypto Authentication Bypass by Capture-replay
+	golang.org/x/crypto => golang.org/x/crypto v0.17.0
 
 	// pin to 0.26.4 to avoid https://github.com/kubernetes-sigs/controller-runtime/issues/2302
 	k8s.io/api => k8s.io/api v0.26.4
+
+	// Fixes github.com/elazarl/goproxy Denial of Service (DoS), the dependency was removed in v0.27.0
+	// Remove below when upgrading to controller-runtime 0.15.x or apimachinery to 0.27.x
+	k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
 	k8s.io/client-go => k8s.io/client-go v0.26.4
 	k8s.io/code-generator => k8s.io/code-generator v0.26.4
 )