Skip to content

Commit 5d819cf

Browse files
committed
release: 26.0.0
- Bump version_info to (26, 0, 0) - Update SECURITY.md supported releases (26.0.0, 25.3.0) - Add 26.0.0 entry to news.md and 2026-news.md covering eventlet removal, ASGI framework compatibility suite, RFC 9110/9112 request-target and header hardening, smuggling fixes, HEAD/204/304 body framing, WebSocket close handshake compliance, HTTP/2 ASGI stream completion, early-hints validation, framework fixes (Django/Litestar/Quart/BlackSheep), and gunicorn_h1c >= 0.6.5
1 parent b45c70d commit 5d819cf

4 files changed

Lines changed: 194 additions & 3 deletions

File tree

SECURITY.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,8 +15,9 @@ Please target reports against :white_check_mark: or current master. Please under
1515

1616
| Version | Status |
1717
| ------- | ------------------ |
18-
| 25.0.0 | :white_check_mark: |
19-
| 24.1.1 | :white_check_mark: |
18+
| 26.0.0 | :white_check_mark: |
19+
| 25.3.0 | :white_check_mark: |
20+
| 24.1.1 | :x: |
2021
| 23.0.0 | :x: |
2122
| 22.0.0 | :x: |
2223
| < 22.0 | :x: |

docs/content/2026-news.md

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,101 @@
11
<span id="news-2026"></span>
22
# Changelog - 2026
33

4+
## 26.0.0 - 2026-05-05
5+
6+
### Breaking Changes
7+
8+
- **Eventlet worker removed**: The `eventlet` worker class has been dropped.
9+
Migrate to `gevent`, `gthread`, or `tornado`.
10+
11+
### New Features
12+
13+
- **ASGI Framework Compatibility Suite**: New end-to-end compatibility test
14+
harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep.
15+
Current grid passes 438/444 tests (98%).
16+
17+
- **ASGI Test Suite Expansion**: 134 additional ASGI unit tests covering
18+
protocol semantics, lifespan, websockets, and chunked framing.
19+
20+
### Security
21+
22+
- **HTTP/1.1 Request-Target Validation** (RFC 9112 sections 3.2.3, 3.2.4):
23+
- Reject `authority-form` request-target outside `CONNECT`
24+
- Reject `asterisk-form` request-target outside `OPTIONS`
25+
- Reject `relative-reference` request-targets
26+
27+
- **Header Field Hardening** (RFC 9110):
28+
- Reject control characters in header field-value (section 5.5)
29+
- Reject forbidden trailer field-names (section 6.5.1)
30+
- Reject `Content-Length` list form (RFC 9112 section 6.3)
31+
32+
- **Request Smuggling Hardening**:
33+
- Tighten keepalive gate and scope `finish_body` byte cap
34+
- Keep `_body_receiver` alive across the keepalive smuggling gate so
35+
pipelined requests cannot re-enter a closed body
36+
- Address parser/protocol findings from a six-point WSGI/ASGI audit
37+
38+
- **PROXY Protocol (ASGI)**: Enforce `proxy_allow_ips` and tighten v1/v2
39+
parsing in the ASGI callback parser.
40+
41+
- **Connection Draining**: Drain the connection on close per RFC 9112
42+
section 9.6 to prevent reset-on-close truncation.
43+
44+
### Bug Fixes
45+
46+
- **Body Framing on HEAD/204/304**:
47+
- Keep `Content-Length` on HEAD and 304 responses
48+
([#3621](https://github.com/benoitc/gunicorn/pull/3621))
49+
- Drop body framing on HEAD/204/304 even when the framework set it
50+
- Warn once when an ASGI app emits a body for a no-body response
51+
52+
- **HTTP/2 ASGI**:
53+
- Fix `_handle_stream_ended` to set `_body_complete` in the async HTTP/2
54+
handler so request bodies finalize correctly on stream end
55+
- Add `InvalidChunkExtension` mapping and fast-parser support in ASGI
56+
tests ([#3565](https://github.com/benoitc/gunicorn/pull/3565))
57+
58+
- **HTTP/1.1 100-Continue**: Stop adding `Transfer-Encoding: chunked` to
59+
100-Continue interim responses.
60+
61+
- **WebSocket Close Handshake** (RFC 6455):
62+
- Comply with the close handshake state machine
63+
- Close the transport after the close handshake completes
64+
- Fix binary send when the `text` key is `None`
65+
66+
- **Early Hints**: Validate headers in the `early_hints` callback to match
67+
`process_headers`; pass only the header name to `InvalidHeader`
68+
([#3588](https://github.com/benoitc/gunicorn/pull/3588)).
69+
70+
- **ASGI Framework Fixes**:
71+
- Fix ASGI disconnect handling for Django-style apps
72+
- Fix Litestar request handling (use raw ASGI receive for body/headers)
73+
- Fix Litestar HTTP endpoints for compatibility tests
74+
- Fix Quart headers endpoint to normalize keys to lowercase
75+
- Fix Quart WebSocket close test app (missing `accept()`)
76+
- Fix duplicate `Transfer-Encoding` header for BlackSheep streaming
77+
78+
### Refactoring
79+
80+
- Split `BodyReceiver._closed` into separate transport and body-wait flags
81+
for clearer keepalive/EOF semantics.
82+
83+
### Changes
84+
85+
- **Fast HTTP Parser**: Require `gunicorn_h1c >= 0.6.5`. Drop the last
86+
`python_only` test markers; the C extension is now used wherever
87+
available (CPython only; PyPy continues to use the Python parser).
88+
89+
- **Test Dependencies**: Add `h2` and `uvloop` to the `testing` extra;
90+
remove `eventlet`.
91+
92+
- **Docker Build**: Bump GitHub Actions `docker/setup-qemu-action`,
93+
`docker/setup-buildx-action`, `docker/login-action`,
94+
`docker/build-push-action`, and `docker/metadata-action` to current
95+
major versions.
96+
97+
---
98+
499
## 25.3.0 - 2026-03-26
5100

6101
### Bug Fixes

docs/content/news.md

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,101 @@
11
<span id="news"></span>
22
# Changelog
33

4+
## 26.0.0 - 2026-05-05
5+
6+
### Breaking Changes
7+
8+
- **Eventlet worker removed**: The `eventlet` worker class has been dropped.
9+
Migrate to `gevent`, `gthread`, or `tornado`.
10+
11+
### New Features
12+
13+
- **ASGI Framework Compatibility Suite**: New end-to-end compatibility test
14+
harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep.
15+
Current grid passes 438/444 tests (98%).
16+
17+
- **ASGI Test Suite Expansion**: 134 additional ASGI unit tests covering
18+
protocol semantics, lifespan, websockets, and chunked framing.
19+
20+
### Security
21+
22+
- **HTTP/1.1 Request-Target Validation** (RFC 9112 sections 3.2.3, 3.2.4):
23+
- Reject `authority-form` request-target outside `CONNECT`
24+
- Reject `asterisk-form` request-target outside `OPTIONS`
25+
- Reject `relative-reference` request-targets
26+
27+
- **Header Field Hardening** (RFC 9110):
28+
- Reject control characters in header field-value (section 5.5)
29+
- Reject forbidden trailer field-names (section 6.5.1)
30+
- Reject `Content-Length` list form (RFC 9112 section 6.3)
31+
32+
- **Request Smuggling Hardening**:
33+
- Tighten keepalive gate and scope `finish_body` byte cap
34+
- Keep `_body_receiver` alive across the keepalive smuggling gate so
35+
pipelined requests cannot re-enter a closed body
36+
- Address parser/protocol findings from a six-point WSGI/ASGI audit
37+
38+
- **PROXY Protocol (ASGI)**: Enforce `proxy_allow_ips` and tighten v1/v2
39+
parsing in the ASGI callback parser.
40+
41+
- **Connection Draining**: Drain the connection on close per RFC 9112
42+
section 9.6 to prevent reset-on-close truncation.
43+
44+
### Bug Fixes
45+
46+
- **Body Framing on HEAD/204/304**:
47+
- Keep `Content-Length` on HEAD and 304 responses
48+
([#3621](https://github.com/benoitc/gunicorn/pull/3621))
49+
- Drop body framing on HEAD/204/304 even when the framework set it
50+
- Warn once when an ASGI app emits a body for a no-body response
51+
52+
- **HTTP/2 ASGI**:
53+
- Fix `_handle_stream_ended` to set `_body_complete` in the async HTTP/2
54+
handler so request bodies finalize correctly on stream end
55+
- Add `InvalidChunkExtension` mapping and fast-parser support in ASGI
56+
tests ([#3565](https://github.com/benoitc/gunicorn/pull/3565))
57+
58+
- **HTTP/1.1 100-Continue**: Stop adding `Transfer-Encoding: chunked` to
59+
100-Continue interim responses.
60+
61+
- **WebSocket Close Handshake** (RFC 6455):
62+
- Comply with the close handshake state machine
63+
- Close the transport after the close handshake completes
64+
- Fix binary send when the `text` key is `None`
65+
66+
- **Early Hints**: Validate headers in the `early_hints` callback to match
67+
`process_headers`; pass only the header name to `InvalidHeader`
68+
([#3588](https://github.com/benoitc/gunicorn/pull/3588)).
69+
70+
- **ASGI Framework Fixes**:
71+
- Fix ASGI disconnect handling for Django-style apps
72+
- Fix Litestar request handling (use raw ASGI receive for body/headers)
73+
- Fix Litestar HTTP endpoints for compatibility tests
74+
- Fix Quart headers endpoint to normalize keys to lowercase
75+
- Fix Quart WebSocket close test app (missing `accept()`)
76+
- Fix duplicate `Transfer-Encoding` header for BlackSheep streaming
77+
78+
### Refactoring
79+
80+
- Split `BodyReceiver._closed` into separate transport and body-wait flags
81+
for clearer keepalive/EOF semantics.
82+
83+
### Changes
84+
85+
- **Fast HTTP Parser**: Require `gunicorn_h1c >= 0.6.5`. Drop the last
86+
`python_only` test markers; the C extension is now used wherever
87+
available (CPython only; PyPy continues to use the Python parser).
88+
89+
- **Test Dependencies**: Add `h2` and `uvloop` to the `testing` extra;
90+
remove `eventlet`.
91+
92+
- **Docker Build**: Bump GitHub Actions `docker/setup-qemu-action`,
93+
`docker/setup-buildx-action`, `docker/login-action`,
94+
`docker/build-push-action`, and `docker/metadata-action` to current
95+
major versions.
96+
97+
---
98+
499
## 25.3.0 - 2026-03-26
5100

6101
### Bug Fixes

gunicorn/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
# This file is part of gunicorn released under the MIT license.
33
# See the NOTICE for more information.
44

5-
version_info = (25, 3, 0)
5+
version_info = (26, 0, 0)
66
__version__ = ".".join([str(v) for v in version_info])
77
SERVER = "gunicorn"
88
SERVER_SOFTWARE = "%s/%s" % (SERVER, __version__)

0 commit comments

Comments
 (0)