release: 26.0.0

- Bump version_info to (26, 0, 0)
- Update SECURITY.md supported releases (26.0.0, 25.3.0)
- Add 26.0.0 entry to news.md and 2026-news.md covering eventlet
  removal, ASGI framework compatibility suite, RFC 9110/9112
  request-target and header hardening, smuggling fixes, HEAD/204/304
  body framing, WebSocket close handshake compliance, HTTP/2 ASGI
  stream completion, early-hints validation, framework fixes
  (Django/Litestar/Quart/BlackSheep), and gunicorn_h1c >= 0.6.5
This commit is contained in:
Benoit Chesneau 2026-05-05 08:34:34 +02:00
parent b45c70df10
commit 5d819cf360
4 changed files with 194 additions and 3 deletions

View File

@ -15,8 +15,9 @@ Please target reports against :white_check_mark: or current master. Please under
| Version | Status |
| ------- | ------------------ |
| 25.0.0 | :white_check_mark: |
| 24.1.1 | :white_check_mark: |
| 26.0.0 | :white_check_mark: |
| 25.3.0 | :white_check_mark: |
| 24.1.1 | :x: |
| 23.0.0 | :x: |
| 22.0.0 | :x: |
| < 22.0 | :x: |

View File

@ -1,6 +1,101 @@
<span id="news-2026"></span>
# Changelog - 2026
## 26.0.0 - 2026-05-05
### Breaking Changes
- **Eventlet worker removed**: The `eventlet` worker class has been dropped.
Migrate to `gevent`, `gthread`, or `tornado`.
### New Features
- **ASGI Framework Compatibility Suite**: New end-to-end compatibility test
harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep.
Current grid passes 438/444 tests (98%).
- **ASGI Test Suite Expansion**: 134 additional ASGI unit tests covering
protocol semantics, lifespan, websockets, and chunked framing.
### Security
- **HTTP/1.1 Request-Target Validation** (RFC 9112 sections 3.2.3, 3.2.4):
- Reject `authority-form` request-target outside `CONNECT`
- Reject `asterisk-form` request-target outside `OPTIONS`
- Reject `relative-reference` request-targets
- **Header Field Hardening** (RFC 9110):
- Reject control characters in header field-value (section 5.5)
- Reject forbidden trailer field-names (section 6.5.1)
- Reject `Content-Length` list form (RFC 9112 section 6.3)
- **Request Smuggling Hardening**:
- Tighten keepalive gate and scope `finish_body` byte cap
- Keep `_body_receiver` alive across the keepalive smuggling gate so
pipelined requests cannot re-enter a closed body
- Address parser/protocol findings from a six-point WSGI/ASGI audit
- **PROXY Protocol (ASGI)**: Enforce `proxy_allow_ips` and tighten v1/v2
parsing in the ASGI callback parser.
- **Connection Draining**: Drain the connection on close per RFC 9112
section 9.6 to prevent reset-on-close truncation.
### Bug Fixes
- **Body Framing on HEAD/204/304**:
- Keep `Content-Length` on HEAD and 304 responses
([#3621](https://github.com/benoitc/gunicorn/pull/3621))
- Drop body framing on HEAD/204/304 even when the framework set it
- Warn once when an ASGI app emits a body for a no-body response
- **HTTP/2 ASGI**:
- Fix `_handle_stream_ended` to set `_body_complete` in the async HTTP/2
handler so request bodies finalize correctly on stream end
- Add `InvalidChunkExtension` mapping and fast-parser support in ASGI
tests ([#3565](https://github.com/benoitc/gunicorn/pull/3565))
- **HTTP/1.1 100-Continue**: Stop adding `Transfer-Encoding: chunked` to
100-Continue interim responses.
- **WebSocket Close Handshake** (RFC 6455):
- Comply with the close handshake state machine
- Close the transport after the close handshake completes
- Fix binary send when the `text` key is `None`
- **Early Hints**: Validate headers in the `early_hints` callback to match
`process_headers`; pass only the header name to `InvalidHeader`
([#3588](https://github.com/benoitc/gunicorn/pull/3588)).
- **ASGI Framework Fixes**:
- Fix ASGI disconnect handling for Django-style apps
- Fix Litestar request handling (use raw ASGI receive for body/headers)
- Fix Litestar HTTP endpoints for compatibility tests
- Fix Quart headers endpoint to normalize keys to lowercase
- Fix Quart WebSocket close test app (missing `accept()`)
- Fix duplicate `Transfer-Encoding` header for BlackSheep streaming
### Refactoring
- Split `BodyReceiver._closed` into separate transport and body-wait flags
for clearer keepalive/EOF semantics.
### Changes
- **Fast HTTP Parser**: Require `gunicorn_h1c >= 0.6.5`. Drop the last
`python_only` test markers; the C extension is now used wherever
available (CPython only; PyPy continues to use the Python parser).
- **Test Dependencies**: Add `h2` and `uvloop` to the `testing` extra;
remove `eventlet`.
- **Docker Build**: Bump GitHub Actions `docker/setup-qemu-action`,
`docker/setup-buildx-action`, `docker/login-action`,
`docker/build-push-action`, and `docker/metadata-action` to current
major versions.
---
## 25.3.0 - 2026-03-26
### Bug Fixes

View File

@ -1,6 +1,101 @@
<span id="news"></span>
# Changelog
## 26.0.0 - 2026-05-05
### Breaking Changes
- **Eventlet worker removed**: The `eventlet` worker class has been dropped.
Migrate to `gevent`, `gthread`, or `tornado`.
### New Features
- **ASGI Framework Compatibility Suite**: New end-to-end compatibility test
harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep.
Current grid passes 438/444 tests (98%).
- **ASGI Test Suite Expansion**: 134 additional ASGI unit tests covering
protocol semantics, lifespan, websockets, and chunked framing.
### Security
- **HTTP/1.1 Request-Target Validation** (RFC 9112 sections 3.2.3, 3.2.4):
- Reject `authority-form` request-target outside `CONNECT`
- Reject `asterisk-form` request-target outside `OPTIONS`
- Reject `relative-reference` request-targets
- **Header Field Hardening** (RFC 9110):
- Reject control characters in header field-value (section 5.5)
- Reject forbidden trailer field-names (section 6.5.1)
- Reject `Content-Length` list form (RFC 9112 section 6.3)
- **Request Smuggling Hardening**:
- Tighten keepalive gate and scope `finish_body` byte cap
- Keep `_body_receiver` alive across the keepalive smuggling gate so
pipelined requests cannot re-enter a closed body
- Address parser/protocol findings from a six-point WSGI/ASGI audit
- **PROXY Protocol (ASGI)**: Enforce `proxy_allow_ips` and tighten v1/v2
parsing in the ASGI callback parser.
- **Connection Draining**: Drain the connection on close per RFC 9112
section 9.6 to prevent reset-on-close truncation.
### Bug Fixes
- **Body Framing on HEAD/204/304**:
- Keep `Content-Length` on HEAD and 304 responses
([#3621](https://github.com/benoitc/gunicorn/pull/3621))
- Drop body framing on HEAD/204/304 even when the framework set it
- Warn once when an ASGI app emits a body for a no-body response
- **HTTP/2 ASGI**:
- Fix `_handle_stream_ended` to set `_body_complete` in the async HTTP/2
handler so request bodies finalize correctly on stream end
- Add `InvalidChunkExtension` mapping and fast-parser support in ASGI
tests ([#3565](https://github.com/benoitc/gunicorn/pull/3565))
- **HTTP/1.1 100-Continue**: Stop adding `Transfer-Encoding: chunked` to
100-Continue interim responses.
- **WebSocket Close Handshake** (RFC 6455):
- Comply with the close handshake state machine
- Close the transport after the close handshake completes
- Fix binary send when the `text` key is `None`
- **Early Hints**: Validate headers in the `early_hints` callback to match
`process_headers`; pass only the header name to `InvalidHeader`
([#3588](https://github.com/benoitc/gunicorn/pull/3588)).
- **ASGI Framework Fixes**:
- Fix ASGI disconnect handling for Django-style apps
- Fix Litestar request handling (use raw ASGI receive for body/headers)
- Fix Litestar HTTP endpoints for compatibility tests
- Fix Quart headers endpoint to normalize keys to lowercase
- Fix Quart WebSocket close test app (missing `accept()`)
- Fix duplicate `Transfer-Encoding` header for BlackSheep streaming
### Refactoring
- Split `BodyReceiver._closed` into separate transport and body-wait flags
for clearer keepalive/EOF semantics.
### Changes
- **Fast HTTP Parser**: Require `gunicorn_h1c >= 0.6.5`. Drop the last
`python_only` test markers; the C extension is now used wherever
available (CPython only; PyPy continues to use the Python parser).
- **Test Dependencies**: Add `h2` and `uvloop` to the `testing` extra;
remove `eventlet`.
- **Docker Build**: Bump GitHub Actions `docker/setup-qemu-action`,
`docker/setup-buildx-action`, `docker/login-action`,
`docker/build-push-action`, and `docker/metadata-action` to current
major versions.
---
## 25.3.0 - 2026-03-26
### Bug Fixes

View File

@ -2,7 +2,7 @@
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.
version_info = (25, 3, 0)
version_info = (26, 0, 0)
__version__ = ".".join([str(v) for v in version_info])
SERVER = "gunicorn"
SERVER_SOFTWARE = "%s/%s" % (SERVER, __version__)