[NET-8946 NET-8947 NET-8948] security: bump go, x/net and envoy versions #20956
Conversation
LGTM except for the Envoy 1.29 upgrade - which we should do before 1.19 RC, but doesn't need to be part of this fix IMO.
The cherry pick for the x/net may succeed, but will likely fail, at least on 1.15. Fixup should be as simple as running `make go-mod-get` again as you did here after resolving conflicts (you can just accept changes from the target branch, bc everything will be updated again for you).
The Envoy changes will need manual fixing in backports since the versions are distinct across branches.
Thank you for tackling this @dduzgun-security !
cc @david-yu
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
One small fix to the changelog, otherwise LGTM - thank you @dduzgun-security !
And just to clarify (fixed my message above): the backports for Envoy will need manual fixing no matter what, bc the version ranges are different per release line. Since the backport label is more of a formality here, you could also consider removing it to avoid the failed automated backports entirely. If you use labels, Backport Checker will notify you of missing backports until you merge them, and they'll require a special "Overview of commits" section in the PR description (added by BPA to automated backport PRs) to satisfy the check. If you decide to use backport labels and get failed backport PRs, you can copy that section to the new manual PR.
This PR is an example of a manual one-off PR to "backport" an upgrade to a release branch (the original did not have backport labels): #18303
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
ci: fix Envoy int test versions

Follow-up to #20956

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Description

- Upgrade to use Go `1.21.9`. This resolves CVE-2023-45288 (`http2`).
- Upgrade to support Envoy `1.26.8`, `1.27.4` and `1.28.2`. This resolves CVE-2024-27919 (`http2`).
- Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE-2023-45288 (`x/net`).

PR Checklist
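A practitioner verifying that the Go and x/net bumps from the description actually reached a shipped binary would check the build metadata rather than trust go.mod alone: CVE-2023-45288 is fixed both in the `net/http` standard library (so the binary must be rebuilt with Go 1.21.9 or newer) and in golang.org/x/net (v0.24.0 or newer), and either one lagging leaves the HTTP/2 issue in place. The script below is an added example, not code from this PR or the Consul project; it parses the output of `go version -m <binary>` and compares both versions against the minimums stated in the description. The two sample outputs are constructed to mimic that format, and the `consul` binary name in them is illustrative.

```shell
#!/bin/sh
# Added example (not from the PR): confirm a built Go binary carries the fixed
# toolchain and golang.org/x/net versions named in the PR description.
# Usage against a real build: go version -m /path/to/consul | check_modinfo

MIN_GO="1.21.9"      # net/http HTTP/2 fix for CVE-2023-45288 ships in the toolchain
MIN_XNET="v0.24.0"   # x/net http2 fix for CVE-2023-45288

# version_ge A B: succeeds when A >= B, comparing dotted numeric components.
# Leading "v" / "go" prefixes are stripped; missing components count as 0.
version_ge() {
  a=$(printf '%s' "$1" | sed 's/^v//; s/^go//')
  b=$(printf '%s' "$2" | sed 's/^v//; s/^go//')
  awk -v a="$a" -v b="$b" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_modinfo: reads `go version -m` output on stdin. The first line carries
# the toolchain ("name: goX.Y.Z"); "dep" lines carry module path and version.
# Returns 0 only when both the toolchain and golang.org/x/net meet the minimums.
check_modinfo() {
  input=$(cat)
  toolchain=$(printf '%s\n' "$input" | awk 'NR == 1 { print $2 }')
  xnet=$(printf '%s\n' "$input" | awk '$1 == "dep" && $2 == "golang.org/x/net" { print $3 }')
  status=0
  if [ -z "$toolchain" ] || ! version_ge "$toolchain" "$MIN_GO"; then
    echo "FAIL: toolchain ${toolchain:-missing} is older than go$MIN_GO (stdlib net/http fix missing)"
    status=1
  fi
  if [ -z "$xnet" ] || ! version_ge "$xnet" "$MIN_XNET"; then
    echo "FAIL: golang.org/x/net ${xnet:-missing} is older than $MIN_XNET (x/net http2 fix missing)"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: go$toolchain toolchain, golang.org/x/net $xnet"
  return "$status"
}

# Constructed samples in the shape of `go version -m` output (hashes are fake).
PATCHED='consul: go1.21.9
        path    github.com/hashicorp/consul
        mod     github.com/hashicorp/consul     (devel)
        dep     golang.org/x/net        v0.24.0 h1:constructed'

# Rebuilt with a fixed x/net but an older toolchain: still vulnerable via net/http.
STALE_TOOLCHAIN='consul: go1.21.8
        path    github.com/hashicorp/consul
        dep     golang.org/x/net        v0.24.0 h1:constructed'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$PATCHED" | check_modinfo
printf '%s\n' "$STALE_TOOLCHAIN" | check_modinfo || echo "stale-toolchain sample flagged as expected"
```

The toolchain check is the part most often skipped: bumping `golang.org/x/net` in go.mod and rebuilding with the old Go still leaves the standard-library `net/http` HTTP/2 code unpatched, which is why the description bumps both. The same parse-and-compare approach applies to any other dependency named in an advisory by adding another `dep` lookup.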