[release/2.8] vendor: golang.org/x/net v0.17.0

[thaJeztah]

• similar to Bump golang.org/x/net from 0.8.0 to 0.17.0 #4100
• relates to [release/2.8 backport] update to go1.20.10 #4117

full diff: golang/net@4876518...b225e7c

This fixes the same CVE as go1.21.3 and go1.20.10;

• net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

[thaJeztah]

Ah, fun; looks like golang.org/x/net/publicsuffix now uses go:embed, but the files it's embedding are pruned by vndr (as it considers them to be unrelated, and there's no go source-files in the directory); https://github.com/golang/net/tree/1e23797619c957fb2d0a7ed9ae1083fb31f592b8/publicsuffix/data

> [linux/amd64->arm/v6 build 1/1] RUN --mount=type=bind,target=/go/src/github.com/docker/distribution,rw     --mount=type=cache,target=/root/.cache/go-build     --mount=target=/go/pkg/mod,type=cache     --mount=type=bind,source=/tmp/.ldflags,target=/tmp/.ldflags,from=version       set -x ; xx-go build -tags "include_oss,include_gcs" -trimpath -ldflags "$(cat /tmp/.ldflags) -s -w" -o /usr/bin/registry ./cmd/registry       && xx-verify --static /usr/bin/registry:
0.349 + cat /tmp/.ldflags
0.362 + xx-go build -tags include_oss,include_gcs -trimpath -ldflags '-X github.com/docker/distribution/version.Version=2.8.3-6-g9a0b1948 -X github.com/docker/distribution/version.Revision=9a0b19483049cbf6fca55e09f1474f713260c1a5 -X github.com/docker/distribution/version.Package=github.com/docker/distribution -s -w' -o /usr/bin/registry ./cmd/registry
1.764 vendor/golang.org/x/net/publicsuffix/table.go:63:12: pattern data/children: no matching files found

[thaJeztah]

Looks like this works; add a -whitelist option to prevent vndr from pruning the files; we don't have a make vendor target, so when we update dependencies, we'll have to remember setting this option.

[milosgajdos]

I can't wait for the moment we won't have to maintain this cruft. Sooooon.