Update github.com/hashicorp/serf and github.com/hashicorp/consul/api to fix CVE-2019-19794

[francogeller]

This PR update github.com/hashicorp/serf and github.com/hashicorp/consul/api in order to fully deprecate github.com/miekg/dns@v1.0.14 due to CVE-2019-19794 security vuln.
Issue #1249

[peterbourgon]

For the record, version bumps like this aren't necessary in intermediary Go projects like Go kit, because the version is determined by the downstream consumer. I'm happy to merge simple PRs like this one, but there is no security issue here, really.

[francogeller]

Hello, thank you very much for considering the PR. Particularly in our projects, the change would be convenient because the applications we have that search for code vulnerabilities mark kit as a vulnerable dependency because it has a transitive dependency with a vulnerable version of dns.
Maybe this will help others to comply with their security policies, if they have them. But I agree with you that it is not a security vulnerability, instead we can take it as an improvement with integrations.

[peterbourgon]

the change would be convenient because the applications we have that search for code vulnerabilities mark kit as a vulnerable dependency because it has a transitive dependency with a vulnerable version of dns.

Any tool which does this is incorrect 🤷

[ChrisHines]

It's also worth noting that changes like this don't propagate to a wide audience until Go kit tags a new release. Someone would have to run go get github.com/go-kit/kit/...@master or something similar. The ...@latest version will continue to get the newest tagged release, as will a basic go get when adding Go kit to a go.mod for the first time.