Commit Graph

10 Commits (4cf3bd19ad993071d8f3b5743081c84ce784eeab)

Author SHA1 Message Date
Deniz Onur Duzgun f055b05ca2
Backport of security: bump go, x/net and envoy versions into release/1.15.x (#20962)
Backport of security: bump go, x/net and envoy versions into release/1.15.x

* Bump go version

* Bump x/net

* Bump envoy version

* Add changelog

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-04-08 21:34:21 +00:00
hc-github-team-consul-core d0afffa83d
Backport of [NET-8367] security: upgrade google.golang.org/protobuf to 1.33.0 into release/1.15.x (#20803)
* backport of commit a407616755

* backport of commit 455f67fa57

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-03-07 00:00:44 +00:00
Michael Zalimeni 4290bb49ed
[NET-7339] security: update gopkg.in/yaml (#20281)
security: update gopkg.in/yaml

This addresses CVE-2022-28948 and CVE-2021-4235.
2024-01-19 16:31:31 +00:00
hc-github-team-consul-core c32f33b671
Backport of [NET-7009] security: update x/crypto to 0.17.0 into release/1.15.x (#20027)
backport of commit d8a33b4e72

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-12-21 20:30:49 +00:00
Michael Zalimeni 5f0212bbfc
Backport of [NET-6138] security: Bump google.golang.org/grpc to 1.56.3 (CVE-2023-44487) to release/1.15.x (#19421)
Bump google.golang.org/grpc to 1.56.3

This resolves [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).

Also includes various fixes from later release versions required for
tests and linters to pass. See 77f44fa878
for the majority of these changes.

Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
2023-10-30 10:51:34 -04:00
hc-github-team-consul-core c33ef90dde
Backport of [NET-5944] security: Update Go version to 1.20.10 and `x/net` to 0.17.0 into release/1.15.x (#19233)
* backport of commit d7d9de9564

* backport of commit 0794b1ce74

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-10-17 00:17:36 +00:00
hc-github-team-consul-core 78f6df469c
Backport of [NET-5146] security: Update Go version to 1.20.7 and `x/net` to 0.13.0 into release/1.15.x (#18362)
backport of commit 905e371607

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-08-02 19:05:45 +00:00
hc-github-team-consul-core a799176bf1
Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1.15.x (#18188)
Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1.16.x (#18189)

Bump golang.org/x/net to 0.12.0

While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.

Manual backport of 84cbf09185.
2023-07-19 16:54:33 +00:00
Matt Keeler 5afd4657ec
Protobuf Modernization (#15949)
* Protobuf Modernization

Remove direct usage of golang/protobuf in favor of google.golang.org/protobuf

Marshallers (protobuf and json) needed some changes to account for different APIs.

Moved to using the google.golang.org/protobuf/types/known/* for the well-known types, including replacing some custom Struct manipulation with what's available in the structpb well-known type package.

This also updates our devtools script to install protoc-gen-go from the right location so that files it generates conform to the correct interfaces.

* Fix go-mod-tidy make target to work on all modules
2023-01-11 09:39:10 -05:00
Daniel Upton 939a1ae34d
Make proto-public a Go module
Our original intention was for projects to consume and generate their
own Go code for these protobuf packages using Buf. While this is still
the best route for many projects, it causes some headaches when using
a library (e.g. consul-server-connection-manager) that pulls in the
same protobuf package as your project, as Go's protobuf implementation
only allows for a package/namespace to be registered once.

In such cases, projects can depend on this Go module instead, as a
single place where these protobuf packages are registered.
2022-09-06 19:30:17 +01:00