Skip to content

Releases: benoitc/gunicorn

24.0.0

Choose a tag to compare

@benoitc benoitc released this 23 Jan 00:40
3960372

New Features

  • ASGI Worker (Beta): Native asyncio-based ASGI support for running async Python frameworks like FastAPI, Starlette, and Quart without external dependencies

    • HTTP/1.1 with keepalive connections
    • WebSocket support
    • Lifespan protocol for startup/shutdown hooks
    • Optional uvloop for improved performance
  • uWSGI Binary Protocol: Support for receiving requests from nginx via uwsgi_pass directive

  • Documentation Migration: Migrated to MkDocs with Material theme

Security

Install

pip install gunicorn==24.0.0

23.0.0

Choose a tag to compare

@benoitc benoitc released this 10 Aug 20:28

Gunicorn 23.0.0 has been released. This version improve HTTP 1.1. support and which improve safety

You're invited to upgrade asap your own installation.

23.0.0 - 2024-08-10

  • minor docs fixes (:pr:3217, :pr:3089, :pr:3167)
  • worker_class parameter accepts a class (:pr:3079)
  • fix deadlock if request terminated during chunked parsing (:pr:2688)
  • permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:3261)
  • permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:3261)
  • sdist generation now explicitly excludes sphinx build folder (:pr:3257)
  • decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising TypeError (:pr:2336)
  • raise correct Exception when encounting invalid chunked requests (:pr:3258)
  • the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:3192)
  • include IPv6 loopback address [::1] in default for :ref:forwarded-allow-ips and :ref:proxy-allow-ips (:pr:3192)

** NOTE **

  • The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
  • Review your :ref:forwarded-allow-ips setting if you are still not seeing the SCRIPT_NAME transmitted
  • Review your :ref:forwarder-headers setting if you are missing headers after upgrading from a version prior to 22.0.0

** Breaking changes **

  • refuse requests where the uri field is empty (:pr:3255)
  • refuse requests with invalid CR/LR/NUL in heade field values (:pr:3253)
  • remove temporary --tolerate-dangerous-framing switch from 22.0 (:pr:3260)
  • If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.

Fix CVE-2024-1135

Gunicorn 22.0 has been released

Choose a tag to compare

@benoitc benoitc released this 16 Apr 23:03

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

- use `utime` to notify workers liveness
- migrate setup to pyproject.toml
- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
- parsing additional requests is no longer attempted past unsupported request framing
- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
- Trailer fields are no longer inspected for headers indicating secure scheme
- support Python 3.12

** Breaking changes **

- minimum version is Python 3.7
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
- requests specifying unsupported transfer coding (order) are refused by default (rare)
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)


** SECURITY **

- fix CVE-2024-1135
  1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
  2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Choose a tag to compare

@benoitc benoitc released this 19 Jul 11:51

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .

*** NOTE ***

This is fixing the bad file description error.
  1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
  2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.1.0 has been released

Choose a tag to compare

@benoitc benoitc released this 18 Jul 12:58

gunicorn 21.1.0 has been released. This version fix the issue introduced in the threaded worker.

21.1.0 - 2023-07-18

  • fix thread worker: fix socket removal from the queuet checkout 21.x

Gunicorn 21 has been released

Choose a tag to compare

@benoitc benoitc released this 18 Jul 09:07

Gunicorn 21 is out with miscellaneous changes. Enjoy!

We made this release major to start our new release cycle. More info will be provided on our discussion forum.

21.0.1 - 2023-07-17

fix documentation build

21.0.0 - 2023-07-17

support python 3.11
fix gevent and eventlet workers
fix threads support (gththread): improve performance and unblock requests
SSL: noaw use SSLContext object
HTTP parser: miscellaneous fixes
remove unecessary setuid calls
fix testing
improve logging
miscellaneous fixes to core engine

Full Changelog: 21.0.0...21.0.1

20.1.0

Choose a tag to compare

@benoitc benoitc released this 28 Apr 15:16
  • document WEB_CONCURRENCY is set by, at least, Heroku
  • capture peername from accept: Avoid calls to getpeername by capturing the peer name returned by
    accept
  • log a warning when a worker was terminated due to a signal
  • fix tornado usage with latest versions of Django
  • add support for python -m gunicorn
  • fix systemd socket activation example
  • allows to set wsgi application in configg file using wsgi_app
  • document --timeout = 0
  • always close a connection when the number of requests exceeds the max requests
  • Disable keepalive during graceful shutdown
  • kill tasks in the gthread workers during upgrade
  • fix latency in gevent worker when accepting new requests
  • fix file watcher: handle errors when new worker reboot and ensure the list of files is kept
  • document the default name and path of the configuration file
  • document how variable impact configuration
  • document the $PORT environment variable
  • added milliseconds option to request_time in access_log
  • added PIP requirements to be used for example
  • remove version from the Server header
  • fix sendfile: use socket.sendfile instead of os.sendfile
  • reloader: use absolute path to prevent empty to prevent0 InotifyError when a file
    is added to the working directory
  • Add --print-config option to print the resolved settings at startup.
  • remove the --log-dict-config CLI flag because it never had a working format
    (the logconfig_dict setting in configuration files continues to work)

** Breaking changes **

  • minimum version is Python 3.5
  • remove version from the Server header

** Documentation **

** Others **

  • miscellaneous changes in the code base to be a better citizen with Python 3
  • remove dead code
  • fix documentation generation

20.0.4

Choose a tag to compare

@benoitc benoitc released this 26 Nov 22:56
  • fix binding a socket using the file descriptor
  • remove support for the bdist_rpm build

20.0.3

Choose a tag to compare

@benoitc benoitc released this 25 Nov 22:23
  • fixed load of a config file without a Python extension
  • fixed socketfromfd.fromfd when defaults are not set

note: we now warn when we load a config file without Python Extension

20.0.2

Choose a tag to compare

@benoitc benoitc released this 23 Nov 10:47

20.0.2

  • fix changelog

20.0.1

  • fixed the way the config module is loaded. __file__ is now available
  • fixed wsgi.input_terminated. It is always true.
  • use the highest protocol version of openssl by default
  • only support Python >= 3.5
  • added __repr__ method to Config instance
  • fixed support of AIX platform and musl libc in socketfromfd.fromfd function
  • fixed support of applications loaded from a factory function
  • fixed chunked encoding support to prevent any request smuggling <https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn>_
  • Capture os.sendfile before patching in gevent and eventlet workers.
    fix RecursionError.
  • removed locking in reloader when adding new files
  • load the WSGI application before the loader to pick up all files

note this release add official support for applications loaded from a factory function
as documented in Flask and other places.