[release-branch.go1.11-security] net/http: update bundled http2 to im…

…port security fix

Apply the following unpublished golang.org/x/net commit.

    commit b1cc14aba47abf96f96818003fa4caad3a4b4e86
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400

    [release-branch.go1.11] http2: limit number of control frames in server send queue

    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.

    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.

    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.

    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
    (cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526070
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Fixes CVE-2019-9512 and CVE-2019-9514
Updates #33606

Change-Id: Iecedf1cc63ec7a1cd75661ec591d91ebc911cc64
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526072
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>