Overview

Request 1168546 accepted

- Update to 22.0.0
  * use `utime` to notify workers liveness
  * migrate setup to pyproject.toml
  * fix numerous security vulnerabilities in HTTP parser (closing some
    request smuggling vectors)
  * parsing additional requests is no longer attempted past unsupported
    request framing
  * on HTTP versions < 1.1 support for chunked transfer is refused
  * requests conflicting configured or passed SCRIPT_NAME now produce
    a verbose error
  * Trailer fields are no longer inspected for headers indicating secure
    scheme
  * support Python 3.12
  ** Breaking changes **
  * minimum version is Python 3.7
  * the limitations on valid characters in the HTTP method have been bounded
    to Internet Standards
  * requests specifying unsupported transfer coding (order) are refused by
    default (rare)
  * HTTP methods are no longer casefolded by default (IANA method registry
    contains none affected)
  * HTTP methods containing the number sign (#) are no longer accepted by
    default (rare)
  * HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare)
  * HTTP versions consisting of multiple digits or containing a prefix/suffix
    are no longer accepted
  * HTTP header field names Gunicorn cannot safely map to variables are silently
    dropped, as in other software
  * HTTP headers with empty field name are refused by default
  * requests with both Transfer-Encoding and Content-Length are refused by default


Matej Cepl

Shouldn’t bsc#1222950 and CVE-2024-1135 be mentioned somewhere here?


Markéta Machová (author, source maintainer, target maintainer)

it is, at the bottom (it felt stupid to me to repeat it)


Request History

mcalabkova created request


mcalabkova accepted request
