
Update dependency gunicorn to v22 - autoclosed #405

Closed

Conversation

mend-for-jackfan.us.kg[bot]

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| gunicorn (changelog) | major | `==20.1.0` -> `==22.0.0` |

By merging this PR, the issue #355 will be automatically resolved and closed:

| Severity | CVSS Score | CVE |
|---|---|---|
| High | 7.4 | CVE-2024-1135 |
| High | 7.0 | CVE-2024-6345 |

Release Notes

benoitc/gunicorn (gunicorn)

v22.0.0: Gunicorn 22.0 has been released


Gunicorn 22.0.0 has been released. This version fixes numerous security vulnerabilities. You're invited to upgrade your own installation ASAP.

Changes:

22.0.0 - 2024-04-17
===================

- use `utime` to notify workers liveness
- migrate setup to pyproject.toml
- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
- parsing additional requests is no longer attempted past unsupported request framing
- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
- Trailer fields are no longer inspected for headers indicating secure scheme
- support Python 3.12

** Breaking changes **

- minimum version is Python 3.7
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
- requests specifying unsupported transfer coding (order) are refused by default (rare)
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

- fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

v21.2.0: Gunicorn 21.2.0 has been released


Gunicorn 21.2.0 has been released. This version fixes the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
- fix thread worker: revert change considering connection as idle.

*** NOTE ***

This is fixing the bad file descriptor error.

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

v21.1.0: Gunicorn 21.1.0 has been released


Gunicorn 21.1.0 has been released. This version fixes the issue introduced in the threaded worker.

21.1.0 - 2023-07-18
===================

- fix thread worker: fix socket removal from the queue

v21.0.1: Gunicorn 21 has been released


Gunicorn 21 is out with miscellaneous changes. Enjoy!

We made this release major to start our new release cycle. More info will be provided on our discussion forum.

21.0.1 - 2023-07-17
===================

- fix documentation build

21.0.0 - 2023-07-17
===================

- support Python 3.11
- fix gevent and eventlet workers
- fix threads support (gthread): improve performance and unblock requests
- SSL: now use SSLContext object
- HTTP parser: miscellaneous fixes
- remove unnecessary setuid calls
- fix testing
- improve logging
- miscellaneous fixes to core engine

Full Changelog: benoitc/gunicorn@21.0.0...21.0.1

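The request-framing rules listed in the 22.0.0 notes above (refusing Transfer-Encoding together with Content-Length, chunked transfer on HTTP/1.0, empty transfer codings, empty header field names, `#` in methods and malformed HTTP versions) are the kind of thing a reviewer wants to see exercised rather than read. The following is an added example, not Gunicorn's own parser or any code from this PR: a minimal HTTP/1.x head parser plus a strict body-framing decision, run against a constructed CL.TE smuggling payload. The `"cl"`/`"te"` lenient modes are a constructed stand-in for "trust one header and ignore the other" behaviour, not a claim about what Gunicorn 20.x did, and the rule that only a lone `chunked` coding is supported is an assumption of this example.

```python
"""Framing checks of the kind the Gunicorn 22.0 changelog lists. Added
illustration, not Gunicorn's parser: minimal HTTP/1.x head parsing plus a
strict body-framing rule, run against a constructed CL.TE smuggling payload."""
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 tchar
VERSION = re.compile(r"HTTP/(\d)\.(\d)")  # one digit each, no prefix/suffix


class FramingError(ValueError):
    """Head is ambiguous or outside what this parser accepts."""


def parse_head(raw: bytes):
    """None if no complete head yet, else (method, target, ver, headers, body_offset)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise FramingError("malformed request line")
    method, target, version = (p.decode("latin-1") for p in parts)
    # Method kept as sent (no casefolding); '#' is a tchar but refused, as in 22.0.
    if not TOKEN.fullmatch(method) or "#" in method:
        raise FramingError(f"invalid method {method!r}")
    m = VERSION.fullmatch(version)
    ver = (int(m.group(1)), int(m.group(2))) if m else None
    if ver is None or ver < (1, 0) or ver >= (2, 0):
        raise FramingError(f"unsupported version {version!r}")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        name = name.decode("latin-1")
        if not colon or name == "":
            raise FramingError("malformed or empty header field name")
        if TOKEN.fullmatch(name):  # non-token names dropped (stand-in for 'unmappable')
            headers.append((name, value.strip().decode("latin-1")))
    return method, target, ver, headers, len(head) + 4


def body_length(version, headers, mode="strict"):
    """Body delimiter: an int Content-Length or "chunked". "strict" refuses what
    the 22.0 notes refuse; "cl"/"te" is constructed lenient behaviour (no real
    server's code) that silently trusts the named header when both are present."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if mode != "strict":
        if te and not (mode == "cl" and cl):
            return "chunked"
        return int(cl[0]) if cl else 0
    if te and cl:
        raise FramingError("Transfer-Encoding together with Content-Length")
    if te:
        if version < (1, 1):
            raise FramingError("chunked transfer on HTTP/1.0")
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:  # empty/unsupported codings; assumed only 'chunked'
            raise FramingError(f"refused transfer coding {codings}")
        return "chunked"
    return int(cl[0]) if cl else 0


def consume_body(raw: bytes, length):
    """Number of bytes of `raw` the body occupies under `length`."""
    if length != "chunked":
        return length
    pos = 0
    while True:
        size_line = raw[pos:].partition(b"\r\n")[0]
        size = int(size_line.split(b";")[0], 16)
        pos += len(size_line) + 2
        if size == 0:
            return pos + 2  # final CRLF; trailer section assumed empty
        pos += size + 2


def split_messages(raw: bytes, mode: str = "strict"):
    """Walk a byte stream as one parser would; returns (messages_seen, bytes_left_pending)."""
    count, pos = 0, 0
    while pos < len(raw):
        parsed = parse_head(raw[pos:])
        if parsed is None:
            return count, raw[pos:]  # incomplete head waits for more bytes
        _, _, version, headers, off = parsed
        length = body_length(version, headers, mode)
        pos += off + consume_body(raw[pos + off:], length)
        count += 1
    return count, b""


# Constructed CL.TE payload. Content-Length covers all 13 body bytes
# ("0\r\n\r\nSMUGGLED"); a chunked reader stops after the zero-size chunk and
# treats "SMUGGLED" as the start of a second, attacker-controlled request.
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
```

`split_messages(CL_TE, "cl")` returns `(1, b"")` while `split_messages(CL_TE, "te")` returns `(1, b"SMUGGLED")`: the same bytes are one complete request to a Content-Length reader but one request plus a pending second one to a chunked reader, which is exactly the front-end/back-end desynchronisation the "both Transfer-Encoding and Content-Length are refused" rule removes. In strict mode the payload never reaches body parsing; `body_length` raises `FramingError`, and the same happens for chunked on HTTP/1.0, a trailing empty coding (`chunked,`), an empty header name, `GET#` and versions such as `HTTP/01.1` or `HTTP/2.0`.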

@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot added the security fix Security fix generated by Mend label Mar 5, 2025

Updated dependencies detected. Learn more about Socket for GitHub.

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| pypi/gunicorn@22.0.0 | environment, eval, filesystem, network, shell | Transitive: unsafe +219 | 1.42 GB | benoitc, tilgovi |


@rafikmojr

Checkmarx One – Scan Summary & Details b002afc6-5320-4e47-8566-d007ca3684d4

New Issues (3)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

HIGH | CVE-2024-34069 | Python-Werkzeug-2.2.3 | Vulnerable Package
  Recommended version: 3.0.6
  Description: Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions prior to 3.0.3 of Werkzeug can allow an attacker to exe...
  Attack Vector: NETWORK; Attack Complexity: HIGH

HIGH | CVE-2024-49767 | Python-Werkzeug-2.2.3 | Vulnerable Package
  Recommended version: 3.0.6
  Description: Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a ver...
  Attack Vector: NETWORK; Attack Complexity: LOW

LOW | CVE-2024-49766 | Python-Werkzeug-2.2.3 | Vulnerable Package
  Recommended version: 3.0.6
  Description: Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, "os.path.isabs()" does not catch UNC paths like "/...
  Attack Vector: NETWORK; Attack Complexity: HIGH
Fixed Issues (18)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
MEDIUM Host Namespace is Shared /docker-compose.yaml: 11
MEDIUM Host Namespace is Shared /docker-compose.yaml: 3
MEDIUM Networks Not Set /docker-compose.yaml: 3
MEDIUM Networks Not Set /docker-compose.yaml: 11
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/users.py: 34
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/books.py: 22
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/users.py: 34
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/books.py: 22
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/users.py: 34
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/books.py: 22
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/users.py: 34
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/books.py: 22
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/users.py: 34
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/books.py: 22
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/users.py: 34
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/books.py: 22
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/books.py: 22
LOW Trust_Boundary_Violation_in_Session_Variables /api_views/users.py: 34

@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title Update dependency gunicorn to v22 Update dependency gunicorn to v22 - autoclosed Mar 6, 2025
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot deleted the whitesource-remediate/gunicorn-22.x branch March 6, 2025 12:07