This addresses the same CVE as is patched in go1.19.6. From that announcement:
> net/http: avoid quadratic complexity in HPACK decoding
>
> A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
> in the HPACK decoder, sufficient to cause a denial of service from a small
> number of small requests.
>
> This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
> configuring HTTP/2.
>
> This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.
full diff: https://github.com/golang/net/compare/v0.5.0...v0.7.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a36286cf89)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The primary need for this is x/net/context now is just a type alias to
the stdlib context package.
This makes issues with conflicts between "golang.org/x/net/context" and
the stdib "context" go away (primarily a concern in interface
definitions/implementations).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
and update some dependent packages.
We would like to keep moby/moby and swarmkit somewhat in sync here and
https://github.com/docker/swarmkit/pull/2229 proposes a similar bump to
swarmkit, needed due to https://github.com/docker/swarmkit/pull/1965 which
pulls in containerd which uses some newer features of the grpc package.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
