benoitc/gunicorn (gunicorn)
### [`v23.0.0`](https://togithub.com/benoitc/gunicorn/releases/tag/23.0.0)
[Compare Source](https://togithub.com/benoitc/gunicorn/compare/22.0.0...23.0.0)
Gunicorn 23.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.
# 23.0.0 - 2024-08-10
- minor docs fixes (:pr:`3217`, :pr:`3089`, :pr:`3167`)
- worker_class parameter accepts a class (:pr:`3079`)
- fix deadlock if request terminated during chunked parsing (:pr:`2688`)
- permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:`3261`)
- permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:`3261`)
- sdist generation now explicitly excludes sphinx build folder (:pr:`3257`)
- decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising `TypeError` (:pr:`2336`)
- raise correct Exception when encounting invalid chunked requests (:pr:`3258`)
- the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:`3192`)
- include IPv6 loopback address `[::1]` in default for :ref:`forwarded-allow-ips` and :ref:`proxy-allow-ips` (:pr:`3192`)
\*\* NOTE \*\*
- The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
- Review your :ref:`forwarded-allow-ips` setting if you are still not seeing the SCRIPT_NAME transmitted
- Review your :ref:`forwarder-headers` setting if you are missing headers after upgrading from a version prior to 22.0.0
\*\* Breaking changes \*\*
- refuse requests where the uri field is empty (:pr:`3255`)
- refuse requests with invalid CR/LR/NUL in heade field values (:pr:`3253`)
- remove temporary `--tolerate-dangerous-framing` switch from 22.0 (:pr:`3260`)
- If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.
Configuration
📅 Schedule: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
^20.0 \|\| ^21.0.0 \|\| ^22.0.0
->^20.0 \|\| ^21.0.0 \|\| ^22.0.0 \|\| ^23.0.0
Release Notes
benoitc/gunicorn (gunicorn)
### [`v23.0.0`](https://togithub.com/benoitc/gunicorn/releases/tag/23.0.0) [Compare Source](https://togithub.com/benoitc/gunicorn/compare/22.0.0...23.0.0) Gunicorn 23.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation. # 23.0.0 - 2024-08-10 - minor docs fixes (:pr:`3217`, :pr:`3089`, :pr:`3167`) - worker_class parameter accepts a class (:pr:`3079`) - fix deadlock if request terminated during chunked parsing (:pr:`2688`) - permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:`3261`) - permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:`3261`) - sdist generation now explicitly excludes sphinx build folder (:pr:`3257`) - decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising `TypeError` (:pr:`2336`) - raise correct Exception when encounting invalid chunked requests (:pr:`3258`) - the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:`3192`) - include IPv6 loopback address `[::1]` in default for :ref:`forwarded-allow-ips` and :ref:`proxy-allow-ips` (:pr:`3192`) \*\* NOTE \*\* - The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release - Review your :ref:`forwarded-allow-ips` setting if you are still not seeing the SCRIPT_NAME transmitted - Review your :ref:`forwarder-headers` setting if you are missing headers after upgrading from a version prior to 22.0.0 \*\* Breaking changes \*\* - refuse requests where the uri field is empty (:pr:`3255`) - refuse requests with invalid CR/LR/NUL in heade field values (:pr:`3253`) - remove temporary `--tolerate-dangerous-framing` switch from 22.0 (:pr:`3260`) - If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.Configuration
📅 Schedule: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.