patch vendored go module quic-go for package coredns to address CVE-2023-49295

[mbykhovtsev-ms]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Added patch for a go module vendored dependency to address CVE-2023-49295

Change Log

• Added patch for a go module vendored dependency to address CVE-2023-49295
• Fixed patch application for CVE-2023-4487

Does this affect the toolchain?

NO

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2023-49295

Test Methodology

• Pipeline build id: local build and https://dev.azure.com/mariner-org/mariner/_build/results?buildId=498025&view=results

[dmcilvaney]

FYI, going to be PR'ing a fix to fasttrack that will conflict with this. It will be bringing an updated vendor tar. This PR will just need release++, I think it should otherwise apply on top (although double check the patch still applies... my PR messes with the dependencies so the exact versions of packages might have changed).

[mbykhovtsev-ms]

FYI, going to be PR'ing a fix to fasttrack that will conflict with this. It will be bringing an updated vendor tar. This PR will just need release++, I think it should otherwise apply on top (although double check the patch still applies... my PR messes with the dependencies so the exact versions of packages might have changed).

Sure, no problem. Keep me posted, once your changes are in I will sync my branch and re-build to verify everything is fine.

[dmcilvaney]

#7524

[dmcilvaney]

@mbykhovtsev-ms PR is in, feel free to get changes and update as needed.