Changelog - 2024

23.0.0 - 2024-08-10

** NOTE **

  • The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release

  • Review your forwarded_allow_ips setting if you are still not seeing the SCRIPT_NAME transmitted

  • Review your forwarder_headers setting if you are missing headers after upgrading from a version prior to 22.0.0

** Breaking changes **

  • refuse requests where the uri field is empty (pull request 3255)

  • refuse requests with invalid CR/LR/NUL in heade field values (pull request 3253)

  • remove temporary --tolerate-dangerous-framing switch from 22.0 (pull request 3260)

  • If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.

22.0.0 - 2024-04-17

  • use utime to notify workers liveness

  • migrate setup to pyproject.toml

  • fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)

  • parsing additional requests is no longer attempted past unsupported request framing

  • on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)

  • requests conflicting configured or passed SCRIPT_NAME now produce a verbose error

  • Trailer fields are no longer inspected for headers indicating secure scheme

  • support Python 3.12

** Breaking changes **

  • minimum version is Python 3.7

  • the limitations on valid characters in the HTTP method have been bounded to Internet Standards

  • requests specifying unsupported transfer coding (order) are refused by default (rare)

  • HTTP methods are no longer casefolded by default (IANA method registry contains none affected)

  • HTTP methods containing the number sign (#) are no longer accepted by default (rare)

  • HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)

  • HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted

  • HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software

  • HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)

  • requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)

  • empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

  • fix CVE-2024-1135