Bump go version to 1.21.9 in go mod

[songy23]

Component(s)

No response

Describe the issue you're reporting

#32160 bumps the go version to 1.21.9 in CI. This is a follow-up to bump the minimum supported Go version in go mods.

Go 1.21.9 fixed the following security vulnerability:

These minor releases include 1 security fixes following the security policy:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

Set a limit on the amount of excess header frames we will process before closing a connection.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.

Core counterpart: open-telemetry/opentelemetry-collector#9956

[AkhigbeEromo]

Hello @songy23 , can i work on this?

[atoulme]

In go.mod files? Where would we do that?

[crobert-1]

Related PR: #32451
Related discussion on dependency whose go.mod version is resulting in this change: cilium/ebpf#1438

[songy23]

Superseded by #32451