Bump go to 1.19.4 and golang.org/x/net to v0.4.0 to address CVEs

[ahrtr]

See https://github.com/etcd-io/etcd/actions/runs/3652670138/jobs/6171319355

Also see the scan result below,

$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities... Found 1 known vulnerability.

Vulnerability #1: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls golang.org/x/net/http2.ConfigureServer$1

  Found in: golang.org/x/net/http2@v0.2.0
  Fixed in: golang.org/x/net/http2@v1.19.4
  More info: https://pkg.go.dev/vuln/GO-2022-1144

Vulnerability #2: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      contrib/lock/storage/storage.go:106:28: go.etcd.io/etcd/v3/contrib/lock/storage.main calls net/http.ListenAndServe
      contrib/raftexample/httpapi.go:113:31: go.etcd.io/etcd/v3/contrib/raftexample.serveHTTPKVAPI$1 calls net/http.Server.ListenAndServe
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls net/http.Serve
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls net/http.Server.Serve

  Found in: net/http@go1.19.3
  Fixed in: net/http@go1.19.4
  More info: https://pkg.go.dev/vuln/GO-2022-1144

Signed-off-by: Benjamin Wang wachao@vmware.com

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

cc @spzala @serathius @ptabor

[ahrtr]

Bump golang.org/x/net to v0.4.0 to address CVEs.

https://github.com/etcd-io/etcd/actions/runs/3653065631/jobs/6172113466

Found 1 known vulnerability.

Vulnerability #1: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
Error:       tools/etcd-dump-metrics/main.go:158:5: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls golang.org/x/net/http2.Server.ServeConn

  Found in: golang.org/x/net/http2@v0.2.0
  Fixed in: golang.org/x/net/http2@v0.4.0
  More info: https://pkg.go.dev/vuln/GO-2022-1144
Error: Process completed with exit code 3.

[ahrtr]

Note the Release workflow failure is because the PR #14860 hasn't been merged. While the failure in #14860 is because this PR hasn't been merged.

It's really annoying to see the Release failure again https://github.com/etcd-io/etcd/actions/runs/3653485901/jobs/6173006686 , and it's exactly the reason why I delivered the PR #14860.

There is a cyclic dependency. Anyway, We can merge this PR firstly.

[codecov-commenter]

Codecov Report

Merging #14916 (1ba246e) into main (dc9e422) will decrease coverage by 0.00%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main   #14916      +/-   ##
==========================================
- Coverage   74.66%   74.65%   -0.01%     
==========================================
  Files         415      415              
  Lines       34338    34338              
==========================================
- Hits        25638    25635       -3     
+ Misses       7068     7063       -5     
- Partials     1632     1640       +8     

Flag	Coverage Δ
all	74.65% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
server/proxy/grpcproxy/watch.go	93.64% <0.00%> (-2.90%)	⬇️
client/v3/concurrency/election.go	79.68% <0.00%> (-2.35%)	⬇️
server/etcdserver/apply/apply_auth.go	86.00% <0.00%> (-2.00%)	⬇️
server/etcdserver/api/rafthttp/msgappv2_codec.go	71.30% <0.00%> (-1.74%)	⬇️
server/etcdserver/api/v3rpc/key.go	82.19% <0.00%> (-1.37%)	⬇️
pkg/schedule/schedule.go	80.45% <0.00%> (-1.15%)	⬇️
server/etcdserver/raft.go	88.63% <0.00%> (-1.14%)	⬇️
server/etcdserver/v3_server.go	77.31% <0.00%> (-0.53%)	⬇️
client/v3/watch.go	93.62% <0.00%> (-0.39%)	⬇️
server/etcdserver/server.go	85.49% <0.00%> (-0.31%)	⬇️
... and 9 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[ahrtr]

@spzala The pipeline is failing due to the CVEs fixed in this PR. Can we let this PR in soon, thx?