From 6a5c5e254dab3c5bde0ef722cbf2fbc04a85e11ed235c29902957848dcbcd559 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 30 Aug 2024 15:33:11 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main python-gunicorn revision 5749ec172c8f3456624d12b009b2fcd6
---
 gunicorn-20.1.0.tar.gz | 3 ---
 gunicorn-22.0.0.tar.gz | 3 +++
 python-gunicorn.changes | 51 +++++++++++++++++++++++++++++++++++++
 python-gunicorn.spec | 41 ++++++++++++++++-------------
 support-eventlet-30-3.patch | 50 ------------------------------------
 5 files changed, 78 insertions(+), 70 deletions(-)
 delete mode 100644 gunicorn-20.1.0.tar.gz
 create mode 100644 gunicorn-22.0.0.tar.gz
 delete mode 100644 support-eventlet-30-3.patch
diff --git a/gunicorn-20.1.0.tar.gz b/gunicorn-20.1.0.tar.gz
deleted file mode 100644
index 3a2065f..0000000
--- a/gunicorn-20.1.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8
-size 370601
diff --git a/gunicorn-22.0.0.tar.gz b/gunicorn-22.0.0.tar.gz
new file mode 100644
index 0000000..4f4cf4e
--- /dev/null
+++ b/gunicorn-22.0.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4a0b436239ff76fb33f11c07a16482c521a7e09c1ce3cc293c2330afe01bec63
+size 3639760
diff --git a/python-gunicorn.changes b/python-gunicorn.changes
index 6f66a67..6ade59d 100644
--- a/python-gunicorn.changes
+++ b/python-gunicorn.changes
@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Wed Apr 17 12:43:25 UTC 2024 - Markéta Machová
+
+- Update to 22.0.0
+ * use `utime` to notify workers liveness
+ * migrate setup to pyproject.toml
+ * fix numerous security vulnerabilities in HTTP parser (closing some
+ request smuggling vectors)
+ * parsing additional requests is no longer attempted past unsupported
+ request framing
+ * on HTTP versions < 1.1 support for chunked transfer is refused
+ * requests conflicting configured or passed SCRIPT_NAME now produce
+ a verbose error
+ * Trailer fields are no longer inspected for headers indicating secure
+ scheme
+ * support Python 3.12
+** Breaking changes **
+ * minimum version is Python 3.7
+ * the limitations on valid characters in the HTTP method have been bounded
+ to Internet Standards
+ * requests specifying unsupported transfer coding (order) are refused by
+ default (rare)
+ * HTTP methods are no longer casefolded by default (IANA method registry
+ contains none affected)
+ * HTTP methods containing the number sign (#) are no longer accepted by
+ default (rare)
+ * HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare)
+ * HTTP versions consisting of multiple digits or containing a prefix/suffix
+ are no longer accepted
+ * HTTP header field names Gunicorn cannot safely map to variables are silently
+ dropped, as in other software
+ * HTTP headers with empty field name are refused by default
+ * requests with both Transfer-Encoding and Content-Length are refused by default
+ (such a message might indicate an attempt to perform request smuggling)
+ * empty transfer codings are no longer permitted
+** SECURITY **
+ * fix CVE-2024-1135 (bsc#1222950)
+
+-------------------------------------------------------------------
+Mon Jan 8 23:05:51 UTC 2024 - Matej Cepl
+
+- Clean up the SPEC file
+
+-------------------------------------------------------------------
+Mon Jan 8 09:03:41 UTC 2024 - Andreas Schneider
+
+- Update to version 21.2.0
+ * See https://github.com/benoitc/gunicorn/blob/21.2.0/docs/source/news.rst
+ or the packaged news.rst
+- Removed support-eventlet-30-3.patch
+
 -------------------------------------------------------------------
 Sun Apr 23 23:07:34 UTC 2023 - Matej Cepl
diff --git a/python-gunicorn.spec b/python-gunicorn.spec
index 9333d8a..0ca54b1 100644
--- a/python-gunicorn.spec
+++ b/python-gunicorn.spec
@@ -1,7 +1,7 @@
 #
-# spec file
+# spec file for package python-gunicorn
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,33 +27,39 @@
 %define skip_python2 1
 %{?sle15_python_module_pythons}
 Name: python-gunicorn%{psuffix}
-Version: 20.1.0
+Version: 22.0.0
 Release: 0
 Summary: WSGI HTTP Server for UNIX
 License: MIT
 Group: Development/Languages/Python
 URL: https://gunicorn.org
 Source: https://files.pythonhosted.org/packages/source/g/gunicorn/gunicorn-%{version}.tar.gz
-Patch0: support-eventlet-30-3.patch
+BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools >= 3.0}
+BuildRequires: %{python_module wheel}
 BuildRequires: fdupes
 BuildRequires: python-rpm-macros
-BuildRequires: python3-Sphinx
-%if %{with test}
-BuildRequires: %{python_module eventlet}
-BuildRequires: %{python_module gevent >= 1.4}
-BuildRequires: %{python_module gunicorn}
-BuildRequires: %{python_module pytest}
-%endif
-Requires: python-setuptools >= 3.0
 Requires(post): update-alternatives
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
 Suggests: python-evenlet
 Suggests: python-gevent
 Suggests: python-gthread
 Suggests: python-setproctitle
 Suggests: python-tornado
 BuildArch: noarch
+%if 0%{?sle_version} >= 150500
+# Fixes the build on Leap
+BuildRequires: %{python_module Sphinx}
+%else
+BuildRequires: python3-Sphinx
+%endif
+%if %{with test}
+BuildRequires: %{python_module eventlet}
+BuildRequires: %{python_module gevent >= 1.4}
+BuildRequires: %{python_module gunicorn}
+BuildRequires: %{python_module pytest-cov}
+BuildRequires: %{python_module pytest}
+%endif
 %python_subpackages
 %description
@@ -91,11 +97,11 @@ sed -i -e 's/--cov[^ ]*//' -e 's/--cov-report[^ ]*//' setup.cfg %else # without test
 %build
-%python_build
+%pyproject_wheel
 sphinx-build -b html -d docs/build/doctrees docs/source docs/build/html
 %install
-%python_install
+%pyproject_install
 %python_clone -a %{buildroot}%{_bindir}/gunicorn
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
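Review bot: The `@@ -27,33 +27,39 @@` hunk removes `Requires: python-setuptools >= 3.0` without adding any runtime `Requires:` for upstream's Python dependencies in the lines shown. As far as I know gunicorn has declared `packaging` as an install requirement since the 21.x series, so I would expect `Requires: python-packaging` here; please confirm against the `pyproject.toml` in the 22.0.0 tarball. A missing runtime dependency would only surface at import time on a minimal install, which is an unwelcome failure mode for an update that carries the CVE-2024-1135 fix. Separately, the unchanged line `Suggests: python-evenlet` looks like a misspelling of `python-eventlet`, so that weak dependency cannot resolve; this update is a natural place to correct it. The spec preamble extends beyond the hunk, so a `Requires:` outside the visible lines may already cover the first point.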
@@ -108,13 +114,14 @@ sphinx-build -b html -d docs/build/doctrees docs/source docs/build/html
 %files %{python_files}
 %license LICENSE
 %python_alternative %{_bindir}/gunicorn
-%{python_sitelib}/*
+%{python_sitelib}/gunicorn
+%{python_sitelib}/gunicorn-%{version}*-info
 %if 0%{?suse_version} > 1500
 %files -n python-gunicorn-doc
 %license LICENSE
 %endif
-%doc README.rst NOTICE THANKS docs/build/html
+%doc README.rst NOTICE THANKS docs/build/html docs/source/news.rst
 %endif
 %changelog
diff --git a/support-eventlet-30-3.patch b/support-eventlet-30-3.patch
deleted file mode 100644
index af35610..0000000
--- a/support-eventlet-30-3.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 6a8ebb4844b2f28596ffe7421eb9f7d08c8dc4d8 Mon Sep 17 00:00:00 2001
-From: Sergey Shepelev
-Date: Thu, 6 May 2021 12:54:06 +0300
-Subject: [PATCH] eventlet worker: ALREADY_HANDLED -> WSGI_LOCAL
-
-Eventlet v0.30.3+ removed wsgi.ALREADY_HANDLED in favor of
-`wsgi.WSGI_LOCAL.already_handled: bool`
-
-Sorry, this breaking change happened during only patch
-version increase 0.30.2 -> 0.30.3
-
-https://github.com/eventlet/eventlet/issues/543
-https://github.com/eventlet/eventlet/pull/544
----
- gunicorn/workers/geventlet.py | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/gunicorn/workers/geventlet.py b/gunicorn/workers/geventlet.py
-index ffdb206c0..ea82f3d62 100644
---- a/gunicorn/workers/geventlet.py
-+++ b/gunicorn/workers/geventlet.py
-@@ -17,11 +17,16 @@
-
- from eventlet import hubs, greenthread
- from eventlet.greenio import GreenSocket
--from eventlet.wsgi import ALREADY_HANDLED as EVENTLET_ALREADY_HANDLED
-+import eventlet.wsgi
- import greenlet
-
- from gunicorn.workers.base_async import AsyncWorker
-
-+# ALREADY_HANDLED is removed in 0.30.3+ now it's `WSGI_LOCAL.already_handled: bool`
-+# https://github.com/eventlet/eventlet/pull/544
-+EVENTLET_WSGI_LOCAL = getattr(eventlet.wsgi, "WSGI_LOCAL", None)
-+EVENTLET_ALREADY_HANDLED = getattr(eventlet.wsgi, "ALREADY_HANDLED", None)
-+
-
- def _eventlet_socket_sendfile(self, file, offset=0, count=None):
- # Based on the implementation in gevent which in turn is slightly
-@@ -125,6 +130,10 @@ def patch(self):
- patch_sendfile()
-
- def is_already_handled(self, respiter):
-+ # eventlet >= 0.30.3
-+ if getattr(EVENTLET_WSGI_LOCAL, "already_handled", None):
-+ raise StopIteration()
-+ # eventlet < 0.30.3
- if respiter == EVENTLET_ALREADY_HANDLED:
- raise StopIteration()
- return super().is_already_handled(respiter)