We need to update our operators to use OCP 4.11 / Kubernetes 1.24 libraries.

Bump k8s.io/*, client-go, library-go, openshift-api, operator-sdk, controller-runtime.
Bump prometheus/client_golang for CVE-2022-21698 fixes.

To fix CVE-2020-26160, add this to go.mod of all operators that import jwt-go:

    replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible

Repos to update:

- local-storage-operator
- alibaba-disk-csi-driver-operator
- aws-ebs-csi-driver-operator
- aws-efs-csi-driver-operator
- azure-disk-csi-driver-operator
- azure-file-csi-driver-operator
- cluster-csi-snapshot-controller-operator
- cluster-storage-operator
- gcp-pd-csi-driver-operator
- ibm-vpc-block-csi-driver-operator
- ovirt-csi-driver-operator
- vmware-vsphere-csi-driver-operator
- vsphere-problem-detector
- openstack-cinder-csi-driver-operator
- csi-driver-manila-operator

Note: Most of these have a dependency on the library-go bump, which means we're dependent on https://github.com/openshift/library-go/pull/1356, and that PR is (I think) dependent on the 1.24 k8s rebase.
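A check for the go.mod change described above, as an added example that is not part of the original report or of any of the listed repositories: it parses go.mod text and reports whether github.com/dgrijalva/jwt-go is still required and which module, if any, a replace directive points it at. The names jwtGoUse, oldJWT and sample are hypothetical, and the sample go.mod lines are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

const oldJWT = "github.com/dgrijalva/jwt-go"

// jwtGoUse parses go.mod text and reports whether oldJWT is required and,
// if a replace directive covers it, the replacement target ("" if none).
func jwtGoUse(gomod string) (required bool, target string) {
	block := "" // directive keyword of the "keyword ( ... )" block we are in
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		kw := block // inside a block the keyword is implied
		if f[0] == ")" {
			block = ""
		} else if block == "" {
			kw, f = f[0], f[1:] // single-line directive or block opener
			if len(f) > 0 && f[0] == "(" {
				block = kw
			}
		}
		if len(f) == 0 || f[0] != oldJWT {
			continue
		}
		_, rhs, arrow := strings.Cut(strings.Join(f, " "), " => ")
		if kw == "replace" && arrow {
			target = rhs
		} else if kw == "require" {
			required = true
		}
	}
	return required, target
}

// Constructed sample go.mod lines, using the replace line from the report.
const sample = "require github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect\n" +
	"replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible\n"

func main() {
	required, target := jwtGoUse(sample)
	fmt.Printf("required=%v replaced-by=%q\n", required, target)
}
```

A result of required=true with an empty target marks a go.mod that still needs the replace line.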
Some PRs are verified in other BZs; will update status when all are finished.
Checked the regression test results; they look okay. Also checked oVirt and Manila CI; they look okay. Updating status to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069