Gunicorn 23.0.0 has been released. This version improves HTTP 1.1 support, which improves safety.
You're invited to upgrade your own installation as soon as possible.
23.0.0 - 2024-08-10
- minor docs fixes (:pr:`3217`, :pr:`3089`, :pr:`3167`)
- worker_class parameter accepts a class (:pr:`3079`)
- fix deadlock if request terminated during chunked parsing (:pr:`2688`)
- permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:`3261`)
- permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:`3261`)
- sdist generation now explicitly excludes sphinx build folder (:pr:`3257`)
- decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising ``TypeError`` (:pr:`2336`)
- raise correct Exception when encountering invalid chunked requests (:pr:`3258`)
- the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:`3192`)
- include IPv6 loopback address ``[::1]`` in default for :ref:`forwarded-allow-ips` and :ref:`proxy-allow-ips` (:pr:`3192`)
** NOTE **
- The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
- Review your :ref:`forwarded-allow-ips` setting if you are still not seeing the SCRIPT_NAME transmitted
- Review your :ref:`forwarder-headers` setting if you are missing headers after upgrading from a version prior to 22.0.0
** Breaking changes **
- refuse requests where the uri field is empty (:pr:`3255`)
- refuse requests with invalid CR/LF/NUL in header field values (:pr:`3253`)
- remove temporary ``--tolerate-dangerous-framing`` switch from 22.0 (:pr:`3260`)
- If any of the breaking changes affect you, be aware that the requests that are now refused can pose a security problem, especially in setups involving request pipelining and/or proxies.
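
To find clients or proxies affected by the first two breaking changes before upgrading, captured request heads can be checked for an empty uri and for CR/LF/NUL in header field values. The following is an added example, not Gunicorn's own parser; it only approximates those two checks, and the function name, finding labels and sample requests are constructed for illustration.

```python
# Added example: approximates two refusals listed under "Breaking changes".
# Not Gunicorn code; audit_request and the finding labels are hypothetical.

BAD_BYTES = {0x0D: "CR", 0x0A: "LF", 0x00: "NUL"}


def audit_request(raw: bytes) -> list[str]:
    """Return the reasons a raw HTTP/1.1 request head would be flagged."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")

    # Request line is METHOD SP URI SP VERSION; an empty uri leaves two
    # adjacent spaces, so the middle field comes back as b"".
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        findings.append("malformed request line")
    elif parts[1] == b"":
        findings.append("empty uri")

    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("header line without colon")
            continue
        # Lines were split on CRLF, so any CR, LF or NUL still present in a
        # value is a bare control byte inside the field value.
        for byte in sorted(set(value) & set(BAD_BYTES)):
            findings.append(f"{BAD_BYTES[byte]} in value of {name.decode('latin-1')}")
    return findings


# Constructed sample request heads (not taken from real traffic).
SAMPLES = {
    "clean": b"GET /health HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "empty_uri": b"GET  HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "nul_in_value": b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Trace: ab\x00cd\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Note: one\ntwo\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_request(raw) or "ok")
```

Any sender that shows up in the findings should be fixed at the source rather than accommodated, since the ``--tolerate-dangerous-framing`` switch is gone in this release.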
Fix CVE-2024-1135