Skip to content

Commit

Permalink
bump to 22.0
Browse files Browse the repository at this point in the history
  • Loading branch information
benoitc committed Apr 16, 2024
1 parent 4ac81e0 commit f63d59e
Show file tree
Hide file tree
Showing 4 changed files with 34 additions and 26 deletions.
2 changes: 1 addition & 1 deletion docs/site/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
<div class="logo-div">
<div class="latest">
Latest version: <strong><a
href="https://docs.gunicorn.org/en/stable/">21.2.0</a></strong>
href="https://docs.gunicorn.org/en/stable/">22.0.0</a></strong>
</div>

<div class="logo"><img src="images/logo.jpg" ></div>
Expand Down
24 changes: 0 additions & 24 deletions docs/source/2023-news.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2,30 +2,6 @@
Changelog - 2023
================

22.0.0 - TBDTBDTBD
==================

- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
- parsing additional requests is no longer attempted past unsupported request framing
- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
- Trailer fields are no longer inspected for headers indicating secure scheme
- support Python 3.12

** Breaking changes **

- minimum version is Python 3.7
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
- requests specifying unsupported transfer coding (order) are refused by default (rare)
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

21.2.0 - 2023-07-19
===================

Expand Down
32 changes: 32 additions & 0 deletions docs/source/news.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,37 @@
Changelog
=========

22.0.0 - 2024-04-17
===================

- use `utime` to notify workers liveness
- migrate setup to pyproject.toml
- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
- parsing additional requests is no longer attempted past unsupported request framing
- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
- Trailer fields are no longer inspected for headers indicating secure scheme
- support Python 3.12

** Breaking changes **

- minimum version is Python 3.7
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
- requests specifying unsupported transfer coding (order) are refused by default (rare)
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)


** SECURITY **

- fix CVE-2024-1135

21.2.0 - 2023-07-19
===================

Expand Down Expand Up @@ -44,6 +75,7 @@ History
.. toctree::
:titlesonly:

2024-news
2023-news
2021-news
2020-news
Expand Down
2 changes: 1 addition & 1 deletion gunicorn/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.

version_info = (21, 2, 0)
version_info = (22, 0, 0)
__version__ = ".".join([str(v) for v in version_info])
SERVER = "gunicorn"
SERVER_SOFTWARE = "%s/%s" % (SERVER, __version__)

0 comments on commit f63d59e

Please sign in to comment.