Fix security vulnerabilities reported in v1.27.4 #2338

@sindhusri16

Description

There are some vulnerabilities found in the released version of flannel v1.27.4. These are the details of them; as far as I can see, some of them are already fixed in the master branch. Could you please let us know about a release timeframe with these security fixes?

📦 Module: flannel-io/flannel
📊 Dependencies: 131

🚨 VULNERABILITY DETECTED
Module: golang.org/x/crypto
Version: v0.36.0
ID: GO-2025-4116, CVE-2025-47913
Summary: Potential denial of service in golang.org/x/crypto/ssh/agent
Fixed: 0.43.0

🚨 VULNERABILITY DETECTED
Module: golang.org/x/crypto
Version: v0.36.0
ID: GO-2025-4134, CVE-2025-58181, GHSA-j5w8-q4qc-rx2x
Summary: Unbounded memory consumption in golang.org/x/crypto/ssh
Fixed: 0.45.0

🚨 VULNERABILITY DETECTED
Module: golang.org/x/crypto
Version: v0.36.0
ID: GO-2025-4135, CVE-2025-47914, GHSA-f6x5-jh6r-wrfv
Summary: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
Fixed: 0.45.0

⚠️ EOL PROJECT DETECTED
Module: github.com/pkg/errors
Version: v0.9.1
Status: This project is End-of-Life (repository is archived)

⚠️ EOL PROJECT DETECTED
Module: github.com/google/btree
Version: v1.1.3
Status: This project is End-of-Life (repository is archived)

⚠️ EOL PROJECT DETECTED
Module: gopkg.in/yaml.v3
Version: v3.0.1
Status: This project is End-of-Life and should be replaced or it will need to be supported by the requesting team
Comment: See github.com/yaml/go-yaml/tree/v3 for a maintained fork

⚠️ EOL PROJECT DETECTED
Module: github.com/davecgh/go-spew
Version: v1.1.2-0.20180830191138-d8f796af33cc
Status: This project is End-of-Life and should be replaced or it will need to be supported by the requesting team

⚠️ EOL PROJECT DETECTED
Module: github.com/google/gofuzz
Version: v1.2.0
Status: This project is End-of-Life and should be replaced or it will need to be supported by the requesting team
Comment: Go supports fuzzing in its standard toolchain beginning in Go 1.18. See https://go.dev/doc/security/fuzz/

⚠️ EOL PROJECT DETECTED
Module: gopkg.in/yaml.v2
Version: v2.4.0
Status: This project is End-of-Life and should be replaced or it will need to be supported by the requesting team
Comment: See github.com/yaml/go-yaml/tree/v2 for a maintained fork

⚠️ POSSIBLY EOL PROJECT DETECTED
Module: github.com/beorn7/perks
Version: v1.0.1
Last Commit: 2019-08-15
Status: No commits in over 3 years

⚠️ POSSIBLY EOL PROJECT DETECTED
Module: github.com/go-logr/stdr
Version: v1.2.2
Last Commit: 2022-07-14
Status: No commits in over 3 years

⚠️ POSSIBLY EOL PROJECT DETECTED
Module: github.com/inconshreveable/mousetrap
Version: v1.1.0
Last Commit: 2022-11-29
Status: No commits in over 3 years

⚠️ POSSIBLY EOL PROJECT DETECTED
Module: github.com/xiang90/probing
Version: v0.0.0-20190116061207-43a291ad63a2
Last Commit: 2022-11-25
Status: No commits in over 3 years

⚠️ POSSIBLY EOL PROJECT DETECTED
Module: github.com/modern-go/concurrent
Version: v0.0.0-20180306012644-bacd9c7ef1dd
Last Commit: 2019-08-09
Status: No commits in over 3 years

🔐 POSSIBLE FIPS 140 COMPLIANCE ISSUE
Module: github.com/cespare/xxhash/v2
Version: v2.3.0
Status: Module name contains crypto-related term(s): hash

🔐 POSSIBLE FIPS 140 COMPLIANCE ISSUE
Module: github.com/x448/float16
Version: v0.8.4
Status: Module name contains crypto-related term(s): x448

PS: I couldn't find a proper way of reporting security issues, so I am creating an issue here. Please feel free to change it or tag it as you wish.