mirror of
https://github.com/frappe/gunicorn.git
synced 2026-01-14 11:09:11 +08:00
59 lines
2.3 KiB
ReStructuredText
59 lines
2.3 KiB
ReStructuredText
================
|
|
Changelog - 2023
|
|
================
|
|
|
|
22.0.0 - TBDTBDTBD
|
|
==================
|
|
|
|
- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
|
|
- parsing additional requests is no longer attempted past unsupported request framing
|
|
- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
|
|
- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
|
|
- Trailer fields are no longer inspected for headers indicating secure scheme
|
|
- support Python 3.12
|
|
|
|
** Breaking changes **
|
|
|
|
- minimum version is Python 3.7
|
|
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
|
|
- requests specifying unsupported transfer coding (order) are refused by default (rare)
|
|
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
|
|
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
|
|
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
|
|
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
|
|
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
|
|
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
|
|
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
|
|
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
|
|
|
|
21.2.0 - 2023-07-19
|
|
===================
|
|
|
|
- fix thread worker: revert change considering connection as idle .
|
|
|
|
*** NOTE ***
|
|
|
|
This is fixing the bad file description error.
|
|
|
|
21.0.1 - 2023-07-17
|
|
===================
|
|
|
|
- fix documentation build
|
|
|
|
21.0.0 - 2023-07-17
|
|
===================
|
|
|
|
- support python 3.11
|
|
- fix gevent and eventlet workers
|
|
- fix threads support (gththread): improve performance and unblock requests
|
|
- SSL: now use SSLContext object
|
|
- HTTP parser: miscellaneous fixes
|
|
- remove unnecessary setuid calls
|
|
- fix testing
|
|
- improve logging
|
|
- miscellaneous fixes to core engine
|
|
|
|
*** RELEASE NOTE ***
|
|
|
|
We made this release major to start our new release cycle. More info will be provided on our discussion forum.
|