Sourced fromgunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17===================
useutime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12
** Breaking changes **
minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
** SECURITY **
fix CVE-2024-1135

1. Documentation is available there:https://docs.gunicorn.org/en/stable/news.html
2. Packages:https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19===================fix thread worker: revert change considering connection as idle .</tr></table>

... (truncated)

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request#3175 from e-kwsm/typo
• 401cecf Merge pull request#3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request#3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable incompare view

Sourced fromflask's releases.

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such aspip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI:https://pypi.org/project/Flask/3.1.0/Changes:https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0Milestone:https://github.com/pallets/flask/milestone/33?closed=1

• Drop support for Python 3.8.#5623
• Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9.#5624,#5633
• Provide a configuration option to control automatic option responses.#5496
• Flask.open_resource/open_instance_resource andBlueprint.open_resource take anencoding parameter to use when opening in text mode. It defaults toutf-8.#5504
• Request.max_content_length can be customized per-request instead of only through theMAX_CONTENT_LENGTH config. AddedMAX_FORM_MEMORY_SIZE andMAX_FORM_PARTS config. Added documentation about resource limits to the security page.#5625
• Add support for thePartitioned cookie attribute (CHIPS), with theSESSION_COOKIE_PARTITIONED config.#5472
• -e path takes precedence over default.env and.flaskenv files.load_dotenv loads default files in addition to a path unlessload_defaults=False is passed.#5628
• Support key rotation with theSECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support.#5621
• Fix how settinghost_matching=True orsubdomain_matching=False interacts withSERVER_NAME. SettingSERVER_NAME no longer restricts requests to only that domain.#5553
• Request.trusted_hosts is checked during routing, and can be set through theTRUSTED_HOSTS config.#5636

3.0.3

This is a fix release for the 3.0.x feature branch.

PyPI:https://pypi.org/project/Flask/3.0.3/Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-3Milestone:https://github.com/pallets/flask/milestone/35?closed=1

• The defaulthashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default.#5448
• Don't initialize thecli attribute in the sansio scaffold, but rather in theFlask concrete class.#5270

3.0.2

This is a fix release for the 3.0.x feature release branch. It fixes bugs but does not otherwise change behavior and should not result in breaking changes.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3.0.2
• Milestone:https://github.com/pallets/flask/milestone/34?closed=1
• PyPI:https://pypi.org/project/Flask/3.0.2/

3.0.1

This is a fix release for the 3.0.x feature release branch.

Fixes an issue where using other JSON providers, such asflask-orjson, previously caused loaded session data to have an incorrect format in some cases.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-1
• Milestone:https://github.com/pallets/flask/milestone/32?closed=1
• PyPI:https://pypi.org/project/Flask/3.0.1/

3.0.0

This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 3.0.x branch is now the supported fix branch, the 2.3.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such aspip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-0
• Milestone:https://github.com/pallets/flask/milestone/20?closed=1

... (truncated)

Sourced fromflask's changelog.

Version 3.1.0

Released 2024-11-13

• Drop support for Python 3.8. :pr:5623
• Update minimum dependency versions to latest feature releases.Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
• Provide a configuration option to control automatic optionresponses. :pr:5496
• Flask.open_resource/open_instance_resource andBlueprint.open_resource take anencoding parameter to use whenopening in text mode. It defaults toutf-8. :issue:5504
• Request.max_content_length can be customized per-request instead of onlythrough theMAX_CONTENT_LENGTH config. AddedMAX_FORM_MEMORY_SIZE andMAX_FORM_PARTS config. Added documentationabout resource limits to the security page. :issue:5625
• Add support for thePartitioned cookie attribute (CHIPS), with theSESSION_COOKIE_PARTITIONED config. :issue:5472
• -e path takes precedence over default.env and.flaskenv files.load_dotenv loads default files in addition to a path unlessload_defaults=False is passed. :issue:5628
• Support key rotation with theSECRET_KEY_FALLBACKS config, a list of oldsecret keys that can still be used for unsigning. Extensions will need toadd support. :issue:5621
• Fix how settinghost_matching=True orsubdomain_matching=Falseinteracts withSERVER_NAME. SettingSERVER_NAME no longer restrictsrequests to only that domain. :issue:5553
• Request.trusted_hosts is checked during routing, and can be set throughtheTRUSTED_HOSTS config. :issue:5636

Version 3.0.3

Released 2024-04-07

• The defaulthashlib.sha1 may not be available in FIPS builds. Don'taccess it at import time so the developer has time to change the default.:issue:5448
• Don't initialize thecli attribute in the sansio scaffold, but rather intheFlask concrete class. :pr:5270

Version 3.0.2

Released 2024-02-03

• Correct type forjinja_loader property. :issue:5388

... (truncated)

• ab81496 release version 3.1.0
• 70602a1 remove test pypi
• 6748a09 update dev dependencies
• 22c48a7 Merge remote-tracking branch 'origin/stable'
• 2eab96a use generic bases for session (#5638)
• f49dbfd use generic bases for session
• 7b21d43 configure and checkrequest.trusted_hosts (#5637)
• 4f7156f configure and check trusted_hosts
• 10bdf61 settingSERVER_NAME does not restrict routing for bothsubdomain_matching...
• 4995a77 fix subdomain_matching=False behavior
• Additional commits viewable incompare view

Sourced fromflask's releases.

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such aspip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI:https://pypi.org/project/Flask/3.1.0/Changes:https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0Milestone:https://github.com/pallets/flask/milestone/33?closed=1

• Drop support for Python 3.8.#5623
• Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9.#5624,#5633
• Provide a configuration option to control automatic option responses.#5496
• Flask.open_resource/open_instance_resource andBlueprint.open_resource take anencoding parameter to use when opening in text mode. It defaults toutf-8.#5504
• Request.max_content_length can be customized per-request instead of only through theMAX_CONTENT_LENGTH config. AddedMAX_FORM_MEMORY_SIZE andMAX_FORM_PARTS config. Added documentation about resource limits to the security page.#5625
• Add support for thePartitioned cookie attribute (CHIPS), with theSESSION_COOKIE_PARTITIONED config.#5472
• -e path takes precedence over default.env and.flaskenv files.load_dotenv loads default files in addition to a path unlessload_defaults=False is passed.#5628
• Support key rotation with theSECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support.#5621
• Fix how settinghost_matching=True orsubdomain_matching=False interacts withSERVER_NAME. SettingSERVER_NAME no longer restricts requests to only that domain.#5553
• Request.trusted_hosts is checked during routing, and can be set through theTRUSTED_HOSTS config.#5636

3.0.3

This is a fix release for the 3.0.x feature branch.

PyPI:https://pypi.org/project/Flask/3.0.3/Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-3Milestone:https://github.com/pallets/flask/milestone/35?closed=1

• The defaulthashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default.#5448
• Don't initialize thecli attribute in the sansio scaffold, but rather in theFlask concrete class.#5270

3.0.2

This is a fix release for the 3.0.x feature release branch. It fixes bugs but does not otherwise change behavior and should not result in breaking changes.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3.0.2
• Milestone:https://github.com/pallets/flask/milestone/34?closed=1
• PyPI:https://pypi.org/project/Flask/3.0.2/

3.0.1

This is a fix release for the 3.0.x feature release branch.

Fixes an issue where using other JSON providers, such asflask-orjson, previously caused loaded session data to have an incorrect format in some cases.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-1
• Milestone:https://github.com/pallets/flask/milestone/32?closed=1
• PyPI:https://pypi.org/project/Flask/3.0.1/

3.0.0

This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 3.0.x branch is now the supported fix branch, the 2.3.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such aspip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-0
• Milestone:https://github.com/pallets/flask/milestone/20?closed=1

... (truncated)

Sourced fromflask's changelog.

Version 3.1.0

Released 2024-11-13

• Drop support for Python 3.8. :pr:5623
• Update minimum dependency versions to latest feature releases.Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
• Provide a configuration option to control automatic optionresponses. :pr:5496
• Flask.open_resource/open_instance_resource andBlueprint.open_resource take anencoding parameter to use whenopening in text mode. It defaults toutf-8. :issue:5504
• Request.max_content_length can be customized per-request instead of onlythrough theMAX_CONTENT_LENGTH config. AddedMAX_FORM_MEMORY_SIZE andMAX_FORM_PARTS config. Added documentationabout resource limits to the security page. :issue:5625
• Add support for thePartitioned cookie attribute (CHIPS), with theSESSION_COOKIE_PARTITIONED config. :issue:5472
• -e path takes precedence over default.env and.flaskenv files.load_dotenv loads default files in addition to a path unlessload_defaults=False is passed. :issue:5628
• Support key rotation with theSECRET_KEY_FALLBACKS config, a list of oldsecret keys that can still be used for unsigning. Extensions will need toadd support. :issue:5621
• Fix how settinghost_matching=True orsubdomain_matching=Falseinteracts withSERVER_NAME. SettingSERVER_NAME no longer restrictsrequests to only that domain. :issue:5553
• Request.trusted_hosts is checked during routing, and can be set throughtheTRUSTED_HOSTS config. :issue:5636

Version 3.0.3

Released 2024-04-07

• The defaulthashlib.sha1 may not be available in FIPS builds. Don'taccess it at import time so the developer has time to change the default.:issue:5448
• Don't initialize thecli attribute in the sansio scaffold, but rather intheFlask concrete class. :pr:5270

Version 3.0.2

Released 2024-02-03

• Correct type forjinja_loader property. :issue:5388

... (truncated)

• ab81496 release version 3.1.0
• 70602a1 remove test pypi
• 6748a09 update dev dependencies
• 22c48a7 Merge remote-tracking branch 'origin/stable'
• 2eab96a use generic bases for session (#5638)
• f49dbfd use generic bases for session
• 7b21d43 configure and checkrequest.trusted_hosts (#5637)
• 4f7156f configure and check trusted_hosts
• 10bdf61 settingSERVER_NAME does not restrict routing for bothsubdomain_matching...
• 4995a77 fix subdomain_matching=False behavior
• Additional commits viewable incompare view

Sourced fromgunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17===================
useutime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12
** Breaking changes **
minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
** SECURITY **
fix CVE-2024-1135

1. Documentation is available there:https://docs.gunicorn.org/en/stable/news.html
2. Packages:https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19===================fix thread worker: revert change considering connection as idle .</tr></table>

... (truncated)

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request#3175 from e-kwsm/typo
• 401cecf Merge pull request#3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request#3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable incompare view

Sourced fromflask's releases.

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such aspip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI:https://pypi.org/project/Flask/3.1.0/Changes:https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0Milestone:https://github.com/pallets/flask/milestone/33?closed=1

• Drop support for Python 3.8.#5623
• Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9.#5624,#5633
• Provide a configuration option to control automatic option responses.#5496
• Flask.open_resource/open_instance_resource andBlueprint.open_resource take anencoding parameter to use when opening in text mode. It defaults toutf-8.#5504
• Request.max_content_length can be customized per-request instead of only through theMAX_CONTENT_LENGTH config. AddedMAX_FORM_MEMORY_SIZE andMAX_FORM_PARTS config. Added documentation about resource limits to the security page.#5625
• Add support for thePartitioned cookie attribute (CHIPS), with theSESSION_COOKIE_PARTITIONED config.#5472
• -e path takes precedence over default.env and.flaskenv files.load_dotenv loads default files in addition to a path unlessload_defaults=False is passed.#5628
• Support key rotation with theSECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support.#5621
• Fix how settinghost_matching=True orsubdomain_matching=False interacts withSERVER_NAME. SettingSERVER_NAME no longer restricts requests to only that domain.#5553
• Request.trusted_hosts is checked during routing, and can be set through theTRUSTED_HOSTS config.#5636

3.0.3

This is a fix release for the 3.0.x feature branch.

PyPI:https://pypi.org/project/Flask/3.0.3/Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-3Milestone:https://github.com/pallets/flask/milestone/35?closed=1

• The defaulthashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default.#5448
• Don't initialize thecli attribute in the sansio scaffold, but rather in theFlask concrete class.#5270

3.0.2

This is a fix release for the 3.0.x feature release branch. It fixes bugs but does not otherwise change behavior and should not result in breaking changes.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3.0.2
• Milestone:https://github.com/pallets/flask/milestone/34?closed=1
• PyPI:https://pypi.org/project/Flask/3.0.2/

3.0.1

This is a fix release for the 3.0.x feature release branch.

Fixes an issue where using other JSON providers, such asflask-orjson, previously caused loaded session data to have an incorrect format in some cases.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-1
• Milestone:https://github.com/pallets/flask/milestone/32?closed=1
• PyPI:https://pypi.org/project/Flask/3.0.1/

3.0.0

This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 3.0.x branch is now the supported fix branch, the 2.3.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such aspip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-0
• Milestone:https://github.com/pallets/flask/milestone/20?closed=1

... (truncated)

Sourced fromflask's changelog.

Version 3.1.0

Released 2024-11-13

• Drop support for Python 3.8. :pr:5623
• Update minimum dependency versions to latest feature releases.Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
• Provide a configuration option to control automatic optionresponses. :pr:5496
• Flask.open_resource/open_instance_resource andBlueprint.open_resource take anencoding parameter to use whenopening in text mode. It defaults toutf-8. :issue:5504
• Request.max_content_length can be customized per-request instead of onlythrough theMAX_CONTENT_LENGTH config. AddedMAX_FORM_MEMORY_SIZE andMAX_FORM_PARTS config. Added documentationabout resource limits to the security page. :issue:5625
• Add support for thePartitioned cookie attribute (CHIPS), with theSESSION_COOKIE_PARTITIONED config. :issue:5472
• -e path takes precedence over default.env and.flaskenv files.load_dotenv loads default files in addition to a path unlessload_defaults=False is passed. :issue:5628
• Support key rotation with theSECRET_KEY_FALLBACKS config, a list of oldsecret keys that can still be used for unsigning. Extensions will need toadd support. :issue:5621
• Fix how settinghost_matching=True orsubdomain_matching=Falseinteracts withSERVER_NAME. SettingSERVER_NAME no longer restrictsrequests to only that domain. :issue:5553
• Request.trusted_hosts is checked during routing, and can be set throughtheTRUSTED_HOSTS config. :issue:5636

Version 3.0.3

Released 2024-04-07

• The defaulthashlib.sha1 may not be available in FIPS builds. Don'taccess it at import time so the developer has time to change the default.:issue:5448
• Don't initialize thecli attribute in the sansio scaffold, but rather intheFlask concrete class. :pr:5270

Version 3.0.2

Released 2024-02-03

• Correct type forjinja_loader property. :issue:5388

... (truncated)

• ab81496 release version 3.1.0
• 70602a1 remove test pypi
• 6748a09 update dev dependencies
• 22c48a7 Merge remote-tracking branch 'origin/stable'
• 2eab96a use generic bases for session (#5638)
• f49dbfd use generic bases for session
• 7b21d43 configure and checkrequest.trusted_hosts (#5637)
• 4f7156f configure and check trusted_hosts
• 10bdf61 settingSERVER_NAME does not restrict routing for bothsubdomain_matching...
• 4995a77 fix subdomain_matching=False behavior
• Additional commits viewable incompare view

Sourced fromgunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17===================
useutime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12
** Breaking changes **
minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
** SECURITY **
fix CVE-2024-1135

1. Documentation is available there:https://docs.gunicorn.org/en/stable/news.html
2. Packages:https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19===================fix thread worker: revert change considering connection as idle .</tr></table>

... (truncated)

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request#3175 from e-kwsm/typo
• 401cecf Merge pull request#3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request#3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable incompare view

• 1f0356f [4.2.x] Bumped version for 4.2.17 release.
• 7376bcb [4.2.x] FixedCVE-2024-53908 -- Prevented SQL injections in direct HasKeyLook...
• 790eb05 [4.2.x] FixedCVE-2024-53907 -- Mitigated potential DoS in strip_tags().
• f663277 [4.2.x] RefsCVE-2024-11168 -- Updated vendored _urlsplit() to properly valid...
• 0acff0f [4.2.x] Added stub release notes and release date for 4.2.17.
• b381b19 [4.2.x] Fixed docs build on Sphinx 8.1+.
• ea4a1fb [4.2.x] Refs#35844 -- Expanded compatibility for expected error messages in ...
• 345a665 [4.2.x] Added GitHub Action workflow to test all Python versions listed in th...
• 5211677 [4.2.x] AddedCVE-2024-45230 andCVE-2024-45231 to security archive.
• 8f6c362 [4.2.x] Post-release version bump.
• Additional commits viewable incompare view

Sourced fromsqlparse's changelog.

Release 0.5.0 (Apr 13, 2024)

Notable Changes

• Drop support for Python 3.5, 3.6, and 3.7.
• Python 3.12 is now supported (pr725, by hugovk).
• IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursionerror for deeply nested statements. Instead of recursion error a genericSQLParseError is raised. See the security advisory for details:GHSA-2m57-hf25-phggThe vulnerability was discovered by@​uriyay-jfrog. Thanks for reporting!

Enhancements

• Splitting statements now allows to remove the semicolon at the end.Some database backends love statements without semicolon (issue742).
• Support TypedLiterals in get_parameters (pr749, by Khrol).
• Improve splitting of Transact SQL when using GO keyword (issue762).
• Support for some JSON operators (issue682).
• Improve formatting of statements containing JSON operators (issue542).
• Support for BigQuery and Snowflake keywords (pr699, by griffatrasgo).
• Support parsing of OVER clause (issue701, pr768 by r33s3n6).

Bug Fixes

• Ignore dunder attributes when creating Tokens (issue672).
• Allow operators to precede dollar-quoted strings (issue763).
• Fix parsing of nested order clauses (issue745, pr746 by john-bodley).
• Thread-safe initialization of Lexer class (issue730).
• Classify TRUNCATE as DDL and GRANT/REVOKE as DCL keywords (based on pr719by josuc1, thanks for bringing this up!).
• Fix parsing of PRIMARY KEY (issue740).

Other

• Optimize performance of matching function (pr799, by admachainz).

Release 0.4.4 (Apr 18, 2023)

Notable Changes

• IMPORTANT: This release fixes a security vulnerability in theparser where a regular expression vulnerable to ReDOS (RegularExpression Denial of Service) was used. See the security advisoryfor details:GHSA-rrm6-wvj7-cwh2The vulnerability was discovered by@​erik-krogh from GitHubSecurity Lab (GHSL). Thanks for reporting!

... (truncated)

• ddbd0ec Bump version.
• 29f2e0a Raise recursion limit for tests.
• b4a39d9 Raise SQLParseError instead of RecursionError.
• f1bcf2f Update AUHTORS and Changelog.
• e03b74e Fix Function.get_parameters(), add Funtion.get_window()
• 617b8f6 Add OVER clause, and group it into Function (fixes#701)
• d8f8147 Update AUHTORS and Changelog.
• 012c9f1 Optimize sqlparse.utils.imt().
• 46971e5 Fix parsing of PRIMARY KEY (fixes#740).
• fc4b0be Code cleanup.
• Additional commits viewable incompare view

Sourced fromflask's releases.

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such aspip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI:https://pypi.org/project/Flask/3.1.0/Changes:https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0Milestone:https://github.com/pallets/flask/milestone/33?closed=1

• Drop support for Python 3.8.#5623
• Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9.#5624,#5633
• Provide a configuration option to control automatic option responses.#5496
• Flask.open_resource/open_instance_resource andBlueprint.open_resource take anencoding parameter to use when opening in text mode. It defaults toutf-8.#5504
• Request.max_content_length can be customized per-request instead of only through theMAX_CONTENT_LENGTH config. AddedMAX_FORM_MEMORY_SIZE andMAX_FORM_PARTS config. Added documentation about resource limits to the security page.#5625
• Add support for thePartitioned cookie attribute (CHIPS), with theSESSION_COOKIE_PARTITIONED config.#5472
• -e path takes precedence over default.env and.flaskenv files.load_dotenv loads default files in addition to a path unlessload_defaults=False is passed.#5628
• Support key rotation with theSECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support.#5621
• Fix how settinghost_matching=True orsubdomain_matching=False interacts withSERVER_NAME. SettingSERVER_NAME no longer restricts requests to only that domain.#5553
• Request.trusted_hosts is checked during routing, and can be set through theTRUSTED_HOSTS config.#5636

3.0.3

This is a fix release for the 3.0.x feature branch.

PyPI:https://pypi.org/project/Flask/3.0.3/Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-3Milestone:https://github.com/pallets/flask/milestone/35?closed=1

• The defaulthashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default.#5448
• Don't initialize thecli attribute in the sansio scaffold, but rather in theFlask concrete class.#5270

3.0.2

This is a fix release for the 3.0.x feature release branch. It fixes bugs but does not otherwise change behavior and should not result in breaking changes.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3.0.2
• Milestone:https://github.com/pallets/flask/milestone/34?closed=1
• PyPI:https://pypi.org/project/Flask/3.0.2/

3.0.1

This is a fix release for the 3.0.x feature release branch.

Fixes an issue where using other JSON providers, such asflask-orjson, previously caused loaded session data to have an incorrect format in some cases.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-1
• Milestone:https://github.com/pallets/flask/milestone/32?closed=1
• PyPI:https://pypi.org/project/Flask/3.0.1/

3.0.0

This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 3.0.x branch is now the supported fix branch, the 2.3.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such aspip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

• Changes:https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-0
• Milestone:https://github.com/pallets/flask/milestone/20?closed=1

... (truncated)