forked from pool/python-gunicorn
Accepting request 1168546 from home:mcalabkova:branches:devel:languages:python
- Update to 22.0.0
* use `utime` to notify workers liveness
* migrate setup to pyproject.toml
* fix numerous security vulnerabilities in HTTP parser (closing some
request smuggling vectors)
* parsing additional requests is no longer attempted past unsupported
request framing
* on HTTP versions < 1.1 support for chunked transfer is refused
* requests conflicting configured or passed SCRIPT_NAME now produce
a verbose error
* Trailer fields are no longer inspected for headers indicating secure
scheme
* support Python 3.12
** Breaking changes **
* minimum version is Python 3.7
* the limitations on valid characters in the HTTP method have been bounded
to Internet Standards
* requests specifying unsupported transfer coding (order) are refused by
default (rare)
* HTTP methods are no longer casefolded by default (IANA method registry
contains none affected)
* HTTP methods containing the number sign (#) are no longer accepted by
default (rare)
* HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare)
* HTTP versions consisting of multiple digits or containing a prefix/suffix
are no longer accepted
* HTTP header field names Gunicorn cannot safely map to variables are silently
dropped, as in other software
* HTTP headers with empty field name are refused by default
* requests with both Transfer-Encoding and Content-Length are refused by default
OBS-URL: https://build.opensuse.org/request/show/1168546
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-gunicorn?expand=0&rev=59
This commit is contained in:
Git OBS Bridge
@@ -1,3 +1,41 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 17 12:43:25 UTC 2024 - Markéta Machová <mmachova@suse.com>
|
||||
|
||||
- Update to 22.0.0
|
||||
* use `utime` to notify workers liveness
|
||||
* migrate setup to pyproject.toml
|
||||
* fix numerous security vulnerabilities in HTTP parser (closing some
|
||||
request smuggling vectors)
|
||||
* parsing additional requests is no longer attempted past unsupported
|
||||
request framing
|
||||
* on HTTP versions < 1.1 support for chunked transfer is refused
|
||||
* requests conflicting configured or passed SCRIPT_NAME now produce
|
||||
a verbose error
|
||||
* Trailer fields are no longer inspected for headers indicating secure
|
||||
scheme
|
||||
* support Python 3.12
|
||||
** Breaking changes **
|
||||
* minimum version is Python 3.7
|
||||
* the limitations on valid characters in the HTTP method have been bounded
|
||||
to Internet Standards
|
||||
* requests specifying unsupported transfer coding (order) are refused by
|
||||
default (rare)
|
||||
* HTTP methods are no longer casefolded by default (IANA method registry
|
||||
contains none affected)
|
||||
* HTTP methods containing the number sign (#) are no longer accepted by
|
||||
default (rare)
|
||||
* HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare)
|
||||
* HTTP versions consisting of multiple digits or containing a prefix/suffix
|
||||
are no longer accepted
|
||||
* HTTP header field names Gunicorn cannot safely map to variables are silently
|
||||
dropped, as in other software
|
||||
* HTTP headers with empty field name are refused by default
|
||||
* requests with both Transfer-Encoding and Content-Length are refused by default
|
||||
(such a message might indicate an attempt to perform request smuggling)
|
||||
* empty transfer codings are no longer permitted
|
||||
** SECURITY **
|
||||
* fix CVE-2024-1135 (bsc#1222950)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 8 23:05:51 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user