Vulnerabilty dependency x/net

[tulioncds]

CVE-2023-45288: https://osv.dev/vulnerability/GHSA-4v7x-pqxf-cx7m

Summary
net/http, x/net/http2: close connections when receiving too many headers

Details
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

[shueybubbles]

@tulioncds thx for the PR. Missing a go mod tidy

Error: ../../../go/pkg/mod/github.com/!azure/azure-sdk-for-go/sdk/azcore@v1.9.1/runtime/transport_default_http_client.go:15:2: missing go.sum entry for module providing package golang.org/x/net/http2 (imported by github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime); to add:
	go get github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime@v1.9.1
Error: ../../../go/pkg/mod/github.com/jcmturner/rpc/v2@v2.0.3/mstypes/claims.go:10:2: missing go.sum entry for module providing package golang.org/x/net/http2/hpack (imported by github.com/jcmturner/rpc/v2/mstypes); to add:
	go get github.com/jcmturner/rpc/v2/mstypes@v2.0.3
Error: Process completed with exit code 1.

[tulioncds]

@tulioncds please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@microsoft-github-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.74%. Comparing base (2395b78) to head (f820109).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #203   +/-   ##
=======================================
  Coverage   74.74%   74.74%           
=======================================
  Files          32       32           
  Lines        6379     6379           
=======================================
  Hits         4768     4768           
  Misses       1327     1327           
  Partials      284      284           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.