| 1 | +================ |
| 2 | +Changelog - 2024 |
| 3 | +================ |
| 4 | + |
| 5 | +23.0.0 - 2024-08-10 |
| 6 | +=================== |
| 7 | + |
| 8 | +- minor docs fixes (:pr:`3217`, :pr:`3089`, :pr:`3167`) |
| 9 | +- worker_class parameter accepts a class (:pr:`3079`) |
| 10 | +- fix deadlock if request terminated during chunked parsing (:pr:`2688`) |
| 11 | +- permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:`3261`) |
| 12 | +- permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:`3261`) |
| 13 | +- sdist generation now explicitly excludes sphinx build folder (:pr:`3257`) |
| 14 | +- decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising `TypeError` (:pr:`2336`) |
| 15 | +- raise correct Exception when encounting invalid chunked requests (:pr:`3258`) |
| 16 | +- the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:`3192`) |
| 17 | +- include IPv6 loopback address ``[::1]`` in default for :ref:`forwarded-allow-ips` and :ref:`proxy-allow-ips` (:pr:`3192`) |
| 18 | + |
| 19 | +** NOTE ** |
| 20 | + |
| 21 | +- The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release |
| 22 | +- Review your :ref:`forwarded-allow-ips` setting if you are still not seeing the SCRIPT_NAME transmitted |
| 23 | +- Review your :ref:`forwarder-headers` setting if you are missing headers after upgrading from a version prior to 22.0.0 |
| 24 | + |
| 25 | +** Breaking changes ** |
| 26 | + |
| 27 | +- refuse requests where the uri field is empty (:pr:`3255`) |
| 28 | +- refuse requests with invalid CR/LR/NUL in heade field values (:pr:`3253`) |
| 29 | +- remove temporary ``--tolerate-dangerous-framing`` switch from 22.0 (:pr:`3260`) |
| 30 | +- If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies. |
| 31 | + |
| 32 | +22.0.0 - 2024-04-17 |
| 33 | +=================== |
| 34 | + |
| 35 | +- use `utime` to notify workers liveness |
| 36 | +- migrate setup to pyproject.toml |
| 37 | +- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors) |
| 38 | +- parsing additional requests is no longer attempted past unsupported request framing |
| 39 | +- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits) |
| 40 | +- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error |
| 41 | +- Trailer fields are no longer inspected for headers indicating secure scheme |
| 42 | +- support Python 3.12 |
| 43 | + |
| 44 | +** Breaking changes ** |
| 45 | + |
| 46 | +- minimum version is Python 3.7 |
| 47 | +- the limitations on valid characters in the HTTP method have been bounded to Internet Standards |
| 48 | +- requests specifying unsupported transfer coding (order) are refused by default (rare) |
| 49 | +- HTTP methods are no longer casefolded by default (IANA method registry contains none affected) |
| 50 | +- HTTP methods containing the number sign (#) are no longer accepted by default (rare) |
| 51 | +- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported) |
| 52 | +- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted |
| 53 | +- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software |
| 54 | +- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits) |
| 55 | +- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling) |
| 56 | +- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies) |
| 57 | + |
| 58 | + |
| 59 | +** SECURITY ** |
| 60 | + |
| 61 | +- fix CVE-2024-1135 |
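Review bot: several typos in the new entries should be fixed before this lands: line 28 has "heade field values" (header) and "CR/LR/NUL" (presumably CR/LF/NUL, since line 10 of 22.0.0 refers to CR/LF framing issues in the parser), line 15 has "encounting" (encountering), and line 30 has "can post a security problem" (pose). The bullet on line 30 is also not itself a breaking change; it is a caution about the three refusals above it and reads better in the "** NOTE **" section, which already carries the operator-facing guidance for this release. In the 22.0.0 "** SECURITY **" section, "fix CVE-2024-1135" stands alone with no description; since the same section already states "fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)", consider noting that the CVE entry refers to that parser work so readers can connect the advisory to the behavioural changes listed under "** Breaking changes **" (the Transfer-Encoding plus Content-Length refusal, and the refusal of chunked transfer on HTTP versions below 1.1).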