GHSA-7h65-4p22-39j6: github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

A critical vulnerability was reported in the versions of golang that Crossplane depends on. Details of the golang vulnerability are included below. Crossplane does not directly use the vulnerable functions from the net/netip package, but the version of golang libraries, runtime, and build tools have still been updated as part of this security advisory nonetheless.

Critical Vulnerabilities
Vulnerability: CVE-2024-24790, golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
Description: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

Affected versions: 1.17.1,1.16.2,1.15.5

See screenshot for more details

Fixed versions: 1.17.2,1.16.3,1.15.6

Release notes:

• https://github.com/crossplane/crossplane/releases/tag/v1.17.2
• https://github.com/crossplane/crossplane/releases/tag/v1.16.3
• https://github.com/crossplane/crossplane/releases/tag/v1.15.6

References

• GHSA-7h65-4p22-39j6