Overview
Request 1168546 accepted
- Update to 22.0.0
* use `utime` to notify workers liveness
* migrate setup to pyproject.toml
* fix numerous security vulnerabilities in HTTP parser (closing some
request smuggling vectors)
* parsing additional requests is no longer attempted past unsupported
request framing
* on HTTP versions < 1.1 support for chunked transfer is refused
* requests conflicting configured or passed SCRIPT_NAME now produce
a verbose error
* Trailer fields are no longer inspected for headers indicating secure
scheme
* support Python 3.12
** Breaking changes **
* minimum version is Python 3.7
* the limitations on valid characters in the HTTP method have been bounded
to Internet Standards
* requests specifying unsupported transfer coding (order) are refused by
default (rare)
* HTTP methods are no longer casefolded by default (IANA method registry
contains none affected)
* HTTP methods containing the number sign (#) are no longer accepted by
default (rare)
* HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare)
* HTTP versions consisting of multiple digits or containing a prefix/suffix
are no longer accepted
* HTTP header field names Gunicorn cannot safely map to variables are silently
dropped, as in other software
* HTTP headers with empty field name are refused by default
* requests with both Transfer-Encoding and Content-Length are refused by default
- Created by mcalabkova
- In state accepted
- Package maintainer: posophe
Request History
mcalabkova created request
- Update to 22.0.0
* use `utime` to notify workers liveness
* migrate setup to pyproject.toml
* fix numerous security vulnerabilities in HTTP parser (closing some
request smuggling vectors)
* parsing additional requests is no longer attempted past unsupported
request framing
* on HTTP versions < 1.1 support for chunked transfer is refused
* requests conflicting configured or passed SCRIPT_NAME now produce
a verbose error
* Trailer fields are no longer inspected for headers indicating secure
scheme
* support Python 3.12
** Breaking changes **
* minimum version is Python 3.7
* the limitations on valid characters in the HTTP method have been bounded
to Internet Standards
* requests specifying unsupported transfer coding (order) are refused by
default (rare)
* HTTP methods are no longer casefolded by default (IANA method registry
contains none affected)
* HTTP methods containing the number sign (#) are no longer accepted by
default (rare)
* HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare)
* HTTP versions consisting of multiple digits or containing a prefix/suffix
are no longer accepted
* HTTP header field names Gunicorn cannot safely map to variables are silently
dropped, as in other software
* HTTP headers with empty field name are refused by default
* requests with both Transfer-Encoding and Content-Length are refused by default
mcalabkova accepted request
Shouldn’t be bsc#1222950 and CVE-2024-1135 mentioned somewhere here?
it is, at the bottom (it felt stupid to me to repeat it)
@posophe: review reminder