chore: bump gunicorn to 22.0.0
SUMMARY
Bump gunicorn to address a potential vulnerability
https://docs.gunicorn.org/en/latest/news.html#id1
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in SIP-59)
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 83.41%. Comparing base (76d897e) to head (c4ed164). Report is 108 commits behind head on master.
Additional details and impacted files
Coverage Diff

| | master | #28490 | +/- |
|---|---|---|---|
| Coverage | 60.48% | 83.41% | +22.92% |
| Files | 1931 | 521 | -1410 |
| Lines | 76236 | 37467 | -38769 |
| Branches | 8568 | 0 | -8568 |
| Hits | 46114 | 31252 | -14862 |
| Misses | 28017 | 6215 | -21802 |
| Partials | 2105 | 0 | -2105 |
| Flag | Coverage Δ | |
|---|---|---|
| hive | 49.09% <ø> (-0.07%) | :arrow_down: |
| javascript | ? | |
| mysql | 77.10% <ø> (?) | |
| postgres | 77.23% <ø> (?) | |
| presto | 53.65% <ø> (-0.15%) | :arrow_down: |
| python | 83.41% <ø> (+19.92%) | :arrow_up: |
| sqlite | 76.68% <ø> (?) | |
| unit | 58.81% <ø> (+1.19%) | :arrow_up: |

Flags with carried forward coverage won't be shown.
LGTM after reviewing breaking changes https://docs.gunicorn.org/en/latest/news.html
Looks ok to me but thought I'd paste here for @dpgaspar to have another look pre-merge:
**Breaking changes**

- minimum version is Python 3.7
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
- requests specifying unsupported transfer coding (order) are refused by default (rare)
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
I took a look, seems unlikely to break anyone's deployments
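To make the pasted breaking-changes list concrete for reviewers checking whether their own traffic would still be accepted, here is an added example (not gunicorn's parser and not part of this PR) that applies the listed request-head rules to raw HTTP/1.x request heads: method must be a token without `#`, version must be a single-digit `HTTP/1.x`, empty header names are refused, both `Transfer-Encoding` and `Content-Length` together are refused, and empty or unsupported transfer codings are refused. Two things are assumptions of this example rather than facts from the list: that the header names gunicorn "cannot safely map to variables" are those containing an underscore (which would collide with hyphenated names once mapped to `HTTP_*` CGI variables), and that only `chunked` and `identity` count as supported codings. All sample requests are constructed for the example.

```python
"""Request-head checks mirroring the gunicorn 22.0.0 rules listed above (added example)."""
import re
from typing import Dict, List, Tuple

# RFC 7230 "token" characters, minus "#", which the 22.0.0 rules reject in method names.
METHOD_RE = re.compile(r"^[!$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Exactly one major and one minor digit: HTTP/1.x only (no 0.9, no 2.0, no "HTTP/1.10").
VERSION_RE = re.compile(r"^HTTP/1\.[0-9]$")
# Header field names must be tokens; the empty name is handled separately below.
HEADER_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Assumption: only these transfer codings are treated as supported in this example.
SUPPORTED_CODINGS = {"chunked", "identity"}


class RequestRejected(Exception):
    """Raised when the request head violates one of the hardening rules."""


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str], List[str]]:
    """Parse a request line plus headers and apply the acceptance rules.

    Returns (method, target, version, kept_headers, dropped_names).
    Header names in kept_headers are lower-cased (field names are
    case-insensitive); the method is NOT casefolded, so "get" stays "get".
    """
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise RequestRejected("malformed request line")
    method, target, version = parts
    if not METHOD_RE.match(method):
        raise RequestRejected(f"method not a valid token: {method!r}")
    if not VERSION_RE.match(version):
        raise RequestRejected(f"unsupported HTTP version: {version!r}")

    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise RequestRejected(f"malformed header line: {line!r}")
        if name == "":
            raise RequestRejected("empty header field name")
        if not HEADER_NAME_RE.match(name):
            raise RequestRejected(f"invalid header field name: {name!r}")
        # Assumption: names containing "_" are the ones that "cannot safely map to
        # variables" (X_Foo and X-Foo would both become HTTP_X_FOO); drop them silently.
        if "_" in name:
            dropped.append(name)
            continue
        key = name.lower()
        value = value.strip()
        kept[key] = f"{kept[key]}, {value}" if key in kept else value

    te = kept.get("transfer-encoding")
    if te is not None:
        if "content-length" in kept:
            raise RequestRejected("both Transfer-Encoding and Content-Length present")
        codings = [c.strip().lower() for c in te.split(",")]
        if any(c == "" for c in codings):
            raise RequestRejected("empty transfer coding")
        unsupported = [c for c in codings if c not in SUPPORTED_CODINGS]
        if unsupported:
            raise RequestRejected(f"unsupported transfer coding: {unsupported}")
        if "chunked" in codings and codings[-1] != "chunked":
            raise RequestRejected("chunked must be the final transfer coding")
    return method, target, version, kept, dropped


def classify(raw: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a raw request head."""
    try:
        parse_request_head(raw)
        return "accepted"
    except RequestRejected as exc:
        return f"rejected: {exc}"


# Constructed sample request heads exercising each rule (not captured traffic).
SAMPLES = {
    "plain": b"GET /health HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "underscore_header": b"GET / HTTP/1.1\r\nHost: a\r\nX_Legacy: 1\r\n\r\n",
    "te_and_cl": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "empty_name": b"GET / HTTP/1.1\r\nHost: a\r\n: x\r\n\r\n",
    "http2": b"GET / HTTP/2.0\r\nHost: a\r\n\r\n",
    "multi_digit_minor": b"GET / HTTP/1.10\r\nHost: a\r\n\r\n",
    "hash_in_method": b"GET# / HTTP/1.1\r\nHost: a\r\n\r\n",
    "empty_coding": b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked,\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:18} {classify(req)}")
```

Running the module prints one verdict per sample; the `underscore_header` request is accepted but reports `X_Legacy` in the dropped list, which is the case most likely to surprise a deployment that relies on underscored header names reaching the application.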
CVE-2024-1135 is reported as HIGH by some security tools like PRISMA.
Will this version bump be applied to the 3.1-x branch too to avoid that CVE affecting current stable versions?
Any update on this? Seems to not be available on release 4.0.2.
Thanks
Should be in 4.1.0, which has an open release candidate