[20.10] Update to go1.20.10, golang/org/x/net v0.17.0

[corhere]

Update to go1.20.10

go1.20.10 (released 2023-10-10) includes a security fix to the net/http
package. See the Go 1.20.10 milestone on our issue tracker for details.

• https://github.com/golang/go/issues?q=milestone%3AGo1.20.10+label%3ACherryPickApproved
• full diff: golang/go@go1.19.12...go1.20.10

From the mailing list announcement:

[security] Go 1.21.3 and Go 1.20.10 are released

Hello gophers,

We have just released Go versions 1.21.3 and 1.20.10, minor point releases.

These minor releases include 1 security fixes following the security policy:

• net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is GHSA-4374-p667-p6c8 and Go issue https://go.dev/issue/63417.
  This is also tracked by GHSA-qppj-fm5r-hxr3.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.3

vendor: golang.org/x/net v0.17.0

full diff: https://github.com/golang/net/compare/ab34263943818b32f575efc978

This fixes the same CVE as go1.21.3 and go1.20.10;

• net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is GHSA-4374-p667-p6c8 and Go issue https://go.dev/issue/63417.
  This is also tracked by GHSA-qppj-fm5r-hxr3.

Dependency full diffs:
a3d24e80b04bd7...v0.17.0
https://github.com/golang/sys/compare/33da011f77ade50ff5b6a6fb4a
9a1e6d6b285809...v0.13.0
golang/text@v0.3.3...v0.13.0
https://github.com/golang/crypto/compare/c1f2f97bffc9c53fc40a1a28a5
b460094c0050d9...v0.14.0

- Description for the changelog

Update Go to 1.20.10 and golang.org/x/net to v0.17.0

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

Any of the related changes for go1.19 -> go1.20 needed in this branch? #44620

[corhere]

• daemon: handle EISDIR error from runtime #45006 should be backported, though it probably should be done in its own PR as it fixes a regression related to runC being built with Go 1.20, not dockerd.

The rest of the prerequisites are for appeasing golangci-lint. I'm half-tempted to just remove the lint step from the Jenkinsfile as Mirantis Container Runtime 20.10 is EOL on December 10, less than eight weeks away.

• Unfortunately it looks like I have no choice but to backport Remove local fork of archive/tar package #43185.

vendor/archive/tar/common.go:16:2: use of internal package internal/godebug not allowed

I will also do that in a separate PR.

[thaJeztah]

LGTM if ci is happy

[thaJeztah]

Test-failures are those that were called out elsewhere to be expected on RS5 currently;

[2023-10-23T21:30:50.366Z] === FAIL: github.com/docker/docker/integration/container TestExecWithCloseStdin (14.58s)
[2023-10-23T21:30:50.366Z]     main_test.go:32: assertion failed: error is not nil: Error response from daemon: Could not kill running container 653b5f2cb110ebd33656311891d1f8582c8b929db5620b556824d38c47c727f1, cannot remove - tried to kill container, but did not receive an exit event: failed to remove 653b5f2cb110ebd33656311891d1f8582c8b929db5620b556824d38c47c727f1
[2023-10-23T21:30:50.366Z] 
[2023-10-23T21:30:50.366Z] === FAIL: github.com/docker/docker/integration/container TestExec (14.52s)
[2023-10-23T21:30:50.366Z]     main_test.go:32: assertion failed: error is not nil: Error response from daemon: Could not kill running container 0fa4c4387359bfce3ad130672e36abaefb80235e103f09b6a1c38af545c49f94, cannot remove - tried to kill container, but did not receive an exit event: failed to remove 0fa4c4387359bfce3ad130672e36abaefb80235e103f09b6a1c38af545c49f94
[2023-10-23T21:30:50.366Z] 
[2023-10-23T21:30:50.366Z] === FAIL: github.com/docker/docker/integration/container TestHealthCheckProcessKilled (14.62s)
[2023-10-23T21:30:50.366Z]     main_test.go:32: assertion failed: error is not nil: Error response from daemon: Could not kill running container c8e6c78f2d07365785652be4daa154abd668114953799c3d5068d2bbc34fb0db, cannot remove - tried to kill container, but did not receive an exit event: failed to remove c8e6c78f2d07365785652be4daa154abd668114953799c3d5068d2bbc34fb0db
[2023-10-23T21:30:50.366Z] 
[2023-10-23T21:30:50.366Z] === FAIL: github.com/docker/docker/integration/container TestRenameRunningContainerAndReuse (16.63s)
[2023-10-23T21:30:50.366Z]     main_test.go:32: assertion failed: error is not nil: Error response from daemon: Could not kill running container 57cc2c25ceac1ca35c9dc9a6a112eddba4cbedd04b1cfbf122bb1daf049c05cc, cannot remove - tried to kill container, but did not receive an exit event: failed to remove 57cc2c25ceac1ca35c9dc9a6a112eddba4cbedd04b1cfbf122bb1daf049c05cc