bump to 22.0

benoitc · Apr 16, 2024 · f63d59e · f63d59e
1 parent 4ac81e0
commit f63d59e
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 26 deletions.
diff --git a/docs/site/index.html b/docs/site/index.html
@@ -16,7 +16,7 @@
     <div class="logo-div">
       <div class="latest">
         Latest version: <strong><a
-            href="https://docs.gunicorn.org/en/stable/">21.2.0</a></strong>
+            href="https://docs.gunicorn.org/en/stable/">22.0.0</a></strong>
       </div>
 
       <div class="logo"><img src="images/logo.jpg" ></div>

diff --git a/docs/source/2023-news.rst b/docs/source/2023-news.rst
@@ -2,30 +2,6 @@
 Changelog - 2023
 ================
 
-22.0.0 - TBDTBDTBD
-==================
-
-- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
-- parsing additional requests is no longer attempted past unsupported request framing
-- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
-- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
-- Trailer fields are no longer inspected for headers indicating secure scheme
-- support Python 3.12
-
-** Breaking changes **
-
-- minimum version is Python 3.7
-- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
-- requests specifying unsupported transfer coding (order) are refused by default (rare)
-- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
-- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
-- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
-- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
-- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
-- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
-- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
-- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
-
 21.2.0 - 2023-07-19
 ===================
 

diff --git a/docs/source/news.rst b/docs/source/news.rst
@@ -2,6 +2,37 @@
 Changelog
 =========
 
+22.0.0 - 2024-04-17
+===================
+
+- use `utime` to notify workers liveness 
+- migrate setup to pyproject.toml
+- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
+- parsing additional requests is no longer attempted past unsupported request framing
+- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
+- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
+- Trailer fields are no longer inspected for headers indicating secure scheme
+- support Python 3.12
+
+** Breaking changes **
+
+- minimum version is Python 3.7
+- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
+- requests specifying unsupported transfer coding (order) are refused by default (rare)
+- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
+- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
+- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
+- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
+- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
+- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
+- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
+- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
+
+
+** SECURITY **
+
+- fix CVE-2024-1135
+
 21.2.0 - 2023-07-19
 ===================
 
@@ -44,6 +75,7 @@ History
 .. toctree::
    :titlesonly:
 
+   2024-news
    2023-news
    2021-news
    2020-news

diff --git a/gunicorn/__init__.py b/gunicorn/__init__.py
@@ -3,7 +3,7 @@
 # This file is part of gunicorn released under the MIT license.
 # See the NOTICE for more information.
 
-version_info = (21, 2, 0)
+version_info = (22, 0, 0)
 __version__ = ".".join([str(v) for v in version_info])
 SERVER = "gunicorn"
 SERVER_SOFTWARE = "%s/%s" % (SERVER, __version__)