From e021e3e93fe17b8b78872dc4c6086cc885694e83 Mon Sep 17 00:00:00 2001 From: Benoit Chesneau Date: Fri, 23 Jan 2026 01:39:23 +0100 Subject: [PATCH] docs: Update 24.0.0 changelog with security fixes --- docs/content/2026-news.md | 20 +++++++++++++++----- docs/content/news.md | 6 ++++-- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/docs/content/2026-news.md b/docs/content/2026-news.md index 55f6a181..2c9bd8d6 100644 --- a/docs/content/2026-news.md +++ b/docs/content/2026-news.md @@ -23,14 +23,24 @@ with Material theme for improved navigation and mobile experience ([PR #3426](https://github.com/benoitc/gunicorn/pull/3426)) +### Security + +- **eventlet**: Require eventlet >= 0.40.3 to address CVE-2021-21419 (websocket + memory exhaustion) and CVE-2025-58068 (HTTP request smuggling) + ([PR #3445](https://github.com/benoitc/gunicorn/pull/3445)) + +- **gevent**: Require gevent >= 24.10.1 to address CVE-2023-41419 (HTTP request + smuggling) and CVE-2024-3219 (socket.socketpair vulnerability) + ([PR #3445](https://github.com/benoitc/gunicorn/pull/3445)) + +- **tornado**: Require tornado >= 6.5.0 to address CVE-2025-47287 (HTTP request + smuggling) and other security fixes + ([PR #3445](https://github.com/benoitc/gunicorn/pull/3445)) + ### Changes -- Minimum Python version is now 3.12 - Documentation now hosted at https://gunicorn.org - -### Breaking changes - -- Dropped support for Python versions before 3.12 +- Updated license configuration to PEP 639 format for uv compatibility !!! warning "ASGI Worker Beta" The ASGI worker is a beta feature. While tested, the API and behavior diff --git a/docs/content/news.md b/docs/content/news.md index 7a855fa2..11d0e34c 100644 --- a/docs/content/news.md +++ b/docs/content/news.md 
@@ -17,9 +17,11 @@ - **Documentation Migration**: Migrated to MkDocs with Material theme -### Breaking changes +### Security -- Minimum Python version is now 3.12 +- **eventlet**: Require eventlet >= 0.40.3 (CVE-2021-21419, CVE-2025-58068) +- **gevent**: Require gevent >= 24.10.1 (CVE-2023-41419, CVE-2024-3219) +- **tornado**: Require tornado >= 6.5.0 (CVE-2025-47287) ---
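Review bot: In the docs/content/2026-news.md hunk, the edit under `### Changes` deletes `- Minimum Python version is now 3.12` and the whole `### Breaking changes` section, which the subject line ("Update 24.0.0 changelog with security fixes") does not cover. If the Python floor is unchanged, keep the breaking-change entry so people upgrading still see it; if it has changed, state the new minimum in the changelog and in the commit message. The new `Updated license configuration to PEP 639 format` line is likewise unrelated to security and would be easier to trace in its own commit. On the tornado entry, "and other security fixes" gives readers nothing to check against, so either name the fixes or drop the phrase.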
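Review bot: In the docs/content/news.md hunk, `### Security` replaces `### Breaking changes` instead of being added beside it, so the summary page no longer mentions the Python 3.12 minimum at all. Confirm that removal is intended and say so in the commit message, or add the Security section above a retained Breaking changes section. The three summary entries also omit the PR #3445 link that the 2026-news.md entries carry; adding it would let readers get from the CVE list to the dependency change itself.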