
Bump x/crypto and x/net to address CVEs #9400

Merged
chaptersix merged 1 commit into temporalio:release/v1.29.x from chaptersix:dependency-bump
Feb 25, 2026

Conversation

@chaptersix (Contributor) commented Feb 25, 2026

## Summary

Bumps Go module dependencies to address known CVEs found via govulncheck on the v1.29.x release branch.

### Bumped

| Module | Previous | Updated | CVEs Addressed |
|--------|----------|---------|----------------|
| golang.org/x/crypto | v0.37.0 | v0.45.0 | GO-2025-4116 (ssh/agent DoS), GO-2025-4134 (ssh unbounded memory), GO-2025-4135 (ssh/agent malformed constraint DoS) |
| golang.org/x/net | v0.39.0 | v0.47.0 | GO-2026-4440 (html quadratic parsing), GO-2026-4441 (infinite parsing loop) |
| golang.org/x/sync | v0.13.0 | v0.18.0 | transitive (required by x/crypto) |
| golang.org/x/sys | v0.32.0 | v0.38.0 | transitive (required by x/crypto) |
| golang.org/x/text | v0.24.0 | v0.31.0 | transitive (required by x/crypto) |
| go directive | 1.25.0 | 1.25.7 | Standard library CVEs in crypto/tls, crypto/x509, archive/zip |

### Not bumped (with rationale)

| Module | CVE | Reason |
|--------|-----|--------|
| go.opentelemetry.io/otel/sdk v1.34.0 | GO-2026-4394 (PATH hijacking, CVSS 7.0 High) | Fix requires v1.40.0 which introduces breaking Prometheus behavioral changes (metric naming, scrape error handling, translation strategy defaults). The vulnerability is macOS/Darwin only (exploits the ioreg binary) and requires local filesystem write access to PATH. Not applicable to Linux server deployments. Inappropriate risk for a patch release. |
| filippo.io/edwards25519 v1.1.0 | GO-2026-4503 (invalid result/undefined behavior in MultiScalarMult) | The upstream advisory explicitly states: "if you only depend on filippo.io/edwards25519 via github.com/go-sql-driver/mysql, you are not affected." This module is an indirect dependency pulled in solely through go-sql-driver/mysql (confirmed via go mod graph), so we are not affected. |
| github.com/aws/aws-sdk-go v1.55.6 | GO-2022-0646, GO-2022-0635 (S3 Crypto SDK issues) | No fix available (aws-sdk-go v1 is in maintenance mode). Vulnerabilities are in the S3 Crypto SDK which this project does not use. |

- golang.org/x/crypto v0.37.0 -> v0.45.0
  (GO-2025-4116, GO-2025-4134, GO-2025-4135)
- golang.org/x/net v0.39.0 -> v0.47.0
  (GO-2026-4440, GO-2026-4441)
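The edwards25519 rationale above rests on showing that the module is reachable only through go-sql-driver/mysql. As an added example (not code from the PR or from the temporal project), this Go program reads `go mod graph` output and reports which of the main module's direct dependencies pull in a given module; the graph excerpt and its versions are constructed, not taken from the real build.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// entryPoints parses `go mod graph` output ("from to" per line, modules suffixed with @version except
// the main module) and returns the main module's direct dependencies through which target is reachable.
// Versions are collapsed, so the result is the union over every requirement edge, not only the selected ones.
func entryPoints(graph, mainMod, target string) []string {
	edges := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			from, to := strings.SplitN(f[0], "@", 2)[0], strings.SplitN(f[1], "@", 2)[0]
			edges[from] = append(edges[from], to)
		}
	}
	var via []string
	for _, direct := range edges[mainMod] {
		seen, stack := map[string]bool{}, []string{direct} // DFS with a visited set to survive cycles
		for len(stack) > 0 {
			cur := stack[len(stack)-1]
			stack = stack[:len(stack)-1]
			if cur == target {
				via = append(via, direct)
				break
			}
			if !seen[cur] {
				seen[cur] = true
				stack = append(stack, edges[cur]...)
			}
		}
	}
	sort.Strings(via)
	return via
}

// constructed excerpt in the shape of `go mod graph` output (hypothetical versions)
const graph = `go.temporal.io/server github.com/go-sql-driver/mysql@v1.8.1
go.temporal.io/server golang.org/x/crypto@v0.45.0
github.com/go-sql-driver/mysql@v1.8.1 filippo.io/edwards25519@v1.1.0
golang.org/x/crypto@v0.45.0 golang.org/x/sys@v0.38.0`

func main() {
	fmt.Println(entryPoints(graph, "go.temporal.io/server", "filippo.io/edwards25519")) // [github.com/go-sql-driver/mysql]
}
```

On a checked-out module, `go mod why -m filippo.io/edwards25519` gives the same attribution directly from the build list; the walk above is for the case where only captured graph output is at hand.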
@chaptersix (Contributor, Author)

govulncheck report (pre-fix baseline)

Run against release build targets (./cmd/server/... ./cmd/tools/...) at parent commit ca6536a (v1.29.3):

Scanned: go1.25.3 standard library + 153 modules

=== Symbol Results (called in code) ===

Vulnerability #1: GO-2026-4394
    OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
    Module: go.opentelemetry.io/otel/sdk
    Found in: v1.34.0 | Fixed in: v1.40.0
    -> NOT BUMPED (macOS-only, requires local PATH write access, fix brings breaking changes)

Vulnerability #2: GO-2026-4337
    Unexpected session resumption in crypto/tls
    Found in: go1.25.3 | Fixed in: go1.25.7
    -> FIXED (go directive bumped to 1.25.7)

Vulnerability #3: GO-2026-4336
    Denial of service in crypto/tls
    Found in: go1.25.3 | Fixed in: go1.25.7
    -> FIXED (go directive bumped to 1.25.7)

Vulnerability #4: GO-2025-4175
    Improper application of excluded DNS name constraints in crypto/x509
    Found in: go1.25.3 | Fixed in: go1.25.5
    -> FIXED (go directive bumped to 1.25.7)

Vulnerability #5: GO-2025-4155
    Excessive resource consumption in crypto/x509 error string
    Found in: go1.25.3 | Fixed in: go1.25.5
    -> FIXED (go directive bumped to 1.25.7)

Vulnerability #6: GO-2025-4154
    Denial of service via crafted TLS certificate in crypto/tls
    Found in: go1.25.3 | Fixed in: go1.25.5
    -> FIXED (go directive bumped to 1.25.7)

=== Package Results (imported but not directly called) ===

Vulnerability #1: GO-2026-4503
    Invalid result or undefined behavior in filippo.io/edwards25519
    Found in: v1.1.0 | Fixed in: v1.1.1
    -> NOT BUMPED (transitive dep of go-sql-driver/mysql, not directly used)

=== Module Results (in dependency tree) ===

Vulnerability #1: GO-2026-4441
    Infinite parsing loop in golang.org/x/net
    Found in: v0.39.0 | Fixed in: v0.45.0
    -> FIXED (bumped to v0.47.0)

Vulnerability #2: GO-2026-4440
    Quadratic parsing complexity in golang.org/x/net/html
    Found in: v0.39.0 | Fixed in: v0.45.0
    -> FIXED (bumped to v0.47.0)

Vulnerability #3: GO-2026-4342
    Excessive CPU consumption in archive/zip
    Found in: go1.25.3 | Fixed in: go1.25.6
    -> FIXED (go directive bumped to 1.25.7)

Vulnerability #4: GO-2025-4135
    Malformed constraint DoS in golang.org/x/crypto/ssh/agent
    Found in: v0.37.0 | Fixed in: v0.45.0
    -> FIXED (bumped to v0.45.0)

Vulnerability #5: GO-2025-4134
    Unbounded memory consumption in golang.org/x/crypto/ssh
    Found in: v0.37.0 | Fixed in: v0.45.0
    -> FIXED (bumped to v0.45.0)

Vulnerability #6: GO-2025-4116
    Potential denial of service in golang.org/x/crypto/ssh/agent
    Found in: v0.37.0 | Fixed in: v0.43.0
    -> FIXED (bumped to v0.45.0)

Vulnerability #7: GO-2022-0646
    CBC padding oracle issue in AWS S3 Crypto SDK
    Found in: github.com/aws/aws-sdk-go@v1.55.6 | Fixed in: N/A
    -> NOT BUMPED (no fix available, S3 Crypto SDK not used by this project)

Vulnerability #8: GO-2022-0635
    In-band key negotiation issue in AWS S3 Crypto SDK
    Found in: github.com/aws/aws-sdk-go@v1.55.6 | Fixed in: N/A
    -> NOT BUMPED (no fix available, S3 Crypto SDK not used by this project)

Result after this PR: 12 of 15 vulnerabilities resolved. 3 remaining have no applicable fix or are not relevant to production Linux deployments.
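The report above leaves a known residue of three accepted findings, and any new ID beyond that set should fail a release build rather than be noticed by hand. As an added example (not code from the PR or the temporal project), this Go program consumes a `govulncheck -format json` stream, drops the IDs on an allowlist that records the PR's rationale, and returns whatever remains; the sample stream is constructed and only the `finding.osv` field is read.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// message is the subset of a govulncheck -format json message used here: one JSON object per line, and a "finding" carries the OSV ID (emitted once per call trace, so the same ID repeats).
type message struct {
	Finding *struct {
		OSV string `json:"osv"`
	} `json:"finding"`
}
// accepted is the allowlist of findings this branch knowingly carries, with the PR's rationale.
var accepted = map[string]string{
	"GO-2026-4394": "otel/sdk: macOS-only, fix v1.40.0 brings breaking Prometheus changes",
	"GO-2026-4503": "edwards25519: reached only via go-sql-driver/mysql, advisory says not affected",
	"GO-2022-0646": "aws-sdk-go v1: no fix available, S3 Crypto SDK not used",
	"GO-2022-0635": "aws-sdk-go v1: no fix available, S3 Crypto SDK not used",
}
// unexpectedFindings decodes the stream and returns the sorted, deduplicated IDs not on the allowlist.
func unexpectedFindings(r io.Reader, allow map[string]string) ([]string, error) {
	dec, seen, ids := json.NewDecoder(r), map[string]bool{}, []string{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || seen[m.Finding.OSV] || allow[m.Finding.OSV] != "" {
			continue // not a finding, already recorded, or consciously accepted
		}
		seen[m.Finding.OSV] = true
		ids = append(ids, m.Finding.OSV)
	}
	sort.Strings(ids)
	return ids, nil
}
// constructed sample stream: two accepted findings plus one that would mean the x/net bump regressed
const sample = `{"finding":{"osv":"GO-2026-4394","fixed_version":"v1.40.0","trace":[{"module":"go.opentelemetry.io/otel/sdk"}]}}
{"finding":{"osv":"GO-2026-4503","fixed_version":"v1.1.1","trace":[{"module":"filippo.io/edwards25519"}]}}
{"finding":{"osv":"GO-2026-4441","fixed_version":"v0.45.0","trace":[{"module":"golang.org/x/net"}]}}`

func main() {
	ids, err := unexpectedFindings(strings.NewReader(sample), accepted)
	fmt.Println("not allowlisted:", ids, err) // a CI gate would fail the build when len(ids) > 0
}
```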

@chaptersix chaptersix marked this pull request as ready for review February 25, 2026 21:08
@chaptersix chaptersix requested a review from a team as a code owner February 25, 2026 21:08
@chaptersix chaptersix merged commit a2b6110 into temporalio:release/v1.29.x Feb 25, 2026
53 checks passed
chaptersix added a commit to temporalio/cli that referenced this pull request Feb 25, 2026
## Summary

Bumps Go module dependencies to address known CVEs found via
`govulncheck` on the v1.5.x release branch.

### Bumped

| Module | Previous | Updated | CVEs Addressed |
|--------|----------|---------|----------------|
| Go toolchain | 1.25.0 | 1.25.7 | GO-2026-4341 (net/url), GO-2026-4340 (crypto/tls), GO-2026-4337 (crypto/tls), GO-2025-4175 (crypto/x509), GO-2025-4155 (crypto/x509) |
| `go.temporal.io/server` | v1.29.1 | v1.29.2 | GO-2026-4273 (incorrect authorization), GO-2025-4272 (namespace policy bypass) |
| `golang.org/x/crypto` | v0.38.0 | v0.45.0 | Transitive (required by server v1.29.2) |
| `golang.org/x/net` | v0.40.0 | v0.47.0 | Transitive (required by server v1.29.2) |
| `golang.org/x/sync` | v0.14.0 | v0.18.0 | Transitive |
| `golang.org/x/sys` | v0.33.0 | v0.38.0 | Transitive |
| `golang.org/x/term` | v0.32.0 | v0.37.0 | Transitive |
| `golang.org/x/text` | v0.25.0 | v0.31.0 | Transitive |

### Not bumped (with rationale)

| Module | CVE | Reason |
|--------|-----|--------|
| `go.opentelemetry.io/otel/sdk` v1.35.0 | GO-2026-4394 (PATH hijacking, CVSS 7.0 High) | Fix requires v1.40.0 which introduces breaking Prometheus behavioral changes. Same rationale as temporalio/temporal#9400. |

## Test plan

- [x] `govulncheck ./...` shows only the intentionally skipped otel vuln
- [x] `go build ./cmd/temporal` succeeds
- [x] `go test ./...` passes