Resolve CVE-2023-44487

[ahrtr]

What would you like to be added?

Refer to GHSA-qppj-fm5r-hxr3

Bump golang.org/x/net:

• 0.17.0 for 3.4/3.5/main
  • bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #16739
  • [3.5] Bump golang.org/x/net to v0.17.0 #16743
  • [3.4] Bump golang.org/x/net to v0.17.0 #16746

Bump golang:

• 1.21.3 for main: Bump go to 1.21.3 #16741
• 1.20.10 for 3.4/3.5
  • [3.5] Bump go to v1.20.10 #16745
  • [3.4] bump golang version to 1.20.10 #16744

Bump grpc-go:

• 1.58.3 for main: bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #16739
• 1.56.3 or 1.57.1 or 1.58.3 for 3.4/3.5.
  • [3.5] Bump grpc-go to1.47 (and fix the connection-string format) #16625
  • [3.5] Upgrade gRPC-go to v1.52.0 #16781
  • [3.5] Upgrade gRPC-go to 1.58.3 #16790
  • [3.4] Upgrade grpc-go to 1.29.1 and Backport "Introduce grpc-1.30+ compatible client/v3/naming API." #16795
  • [3.4] Backport clientv3 naming implementation #16800
  • [3.4] Backport clientv3:get AuthToken gracefully without dialing gRPC with balancer API to get extra connection #16826
  • [3.4] Backport clientv3: Replace balancer with upstream grpc solution #16827
    • Backport [3.4] clientV3: simplify grpc dialer usage. Remove workaround #11184 after bumping grpc to 1.26.0. #16842
    • [3.4] Backport #12671 clientv3: Replace balancer with upstream grpc solution #16844
    • [3.4] backport client: call .Endpoints() in dial() in client/v3/client.go instead of accessing cfg.Endpoints directly #16857
    • [3.4] backport #13359 Fix http2 authority header in single endpoint scenario #16988
  • [3.4] Upgrade grpc to 1.52.0 #16997
  • [3.4] Upgrade grpc 1.58.3 #16999

Clarification

• https://github.com/grpc/grpc-go/pull/6706/files#r1354612788

Why is this needed?

resolve CVE

[tjungblu]

The fix in apiserver seems a little bit more involved than just bumping dependencies:
https://github.com/kubernetes/kubernetes/pull/121120/files

@ahrtr already wrote it down on the OP - sorry!