Skip to content

Commit f63d59e

Browse files
benoitcbenoitc
committed
bump to 22.0
1 parent 4ac81e0 commit f63d59e

File tree

4 files changed

+34
-26
lines changed

4 files changed

+34
-26
lines changed

docs/site/index.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@
1616
<div class="logo-div">
1717
<div class="latest">
1818
Latest version: <strong><a
19-
href="https://docs.gunicorn.org/en/stable/">21.2.0</a></strong>
19+
href="https://docs.gunicorn.org/en/stable/">22.0.0</a></strong>
2020
</div>
2121

2222
<div class="logo"><img src="images/logo.jpg" ></div>

docs/source/2023-news.rst

Lines changed: 0 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -2,30 +2,6 @@
22
Changelog - 2023
33
================
44

5-
22.0.0 - TBDTBDTBD
6-
==================
7-
8-
- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
9-
- parsing additional requests is no longer attempted past unsupported request framing
10-
- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
11-
- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
12-
- Trailer fields are no longer inspected for headers indicating secure scheme
13-
- support Python 3.12
14-
15-
** Breaking changes **
16-
17-
- minimum version is Python 3.7
18-
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
19-
- requests specifying unsupported transfer coding (order) are refused by default (rare)
20-
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
21-
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
22-
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
23-
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
24-
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
25-
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
26-
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
27-
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
28-
295
21.2.0 - 2023-07-19
306
===================
317

docs/source/news.rst

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,37 @@
22
Changelog
33
=========
44

5+
22.0.0 - 2024-04-17
6+
===================
7+
8+
- use `utime` to notify workers liveness
9+
- migrate setup to pyproject.toml
10+
- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
11+
- parsing additional requests is no longer attempted past unsupported request framing
12+
- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
13+
- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
14+
- Trailer fields are no longer inspected for headers indicating secure scheme
15+
- support Python 3.12
16+
17+
** Breaking changes **
18+
19+
- minimum version is Python 3.7
20+
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
21+
- requests specifying unsupported transfer coding (order) are refused by default (rare)
22+
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
23+
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
24+
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
25+
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
26+
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
27+
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
28+
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
29+
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
30+
31+
32+
** SECURITY **
33+
34+
- fix CVE-2024-1135
35+
536
21.2.0 - 2023-07-19
637
===================
738

@@ -44,6 +75,7 @@ History
4475
.. toctree::
4576
:titlesonly:
4677

78+
2024-news
4779
2023-news
4880
2021-news
4981
2020-news

gunicorn/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
# This file is part of gunicorn released under the MIT license.
44
# See the NOTICE for more information.
55

6-
version_info = (21, 2, 0)
6+
version_info = (22, 0, 0)
77
__version__ = ".".join([str(v) for v in version_info])
88
SERVER = "gunicorn"
99
SERVER_SOFTWARE = "%s/%s" % (SERVER, __version__)

0 commit comments

Comments
 (0)