CHANGES.txt

3.0.1 (2024-11-28)
------------------

Security
~~~~~~~~

- Fix a bug that would lead to Waitress busy looping on select() on a half-open
  socket due to a race condition that existed when creating a new HTTPChannel.
  See https://github.com/Pylons/waitress/pull/435,
  https://github.com/Pylons/waitress/issues/418 and
  https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6

  With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and
  helping track this down.

- No longer strip the header values before passing them to the WSGI environ.
  See https://github.com/Pylons/waitress/pull/434 and
  https://github.com/Pylons/waitress/issues/432

- Fix a race condition in Waitress when `channel_request_lookahead` is enabled
  that could lead to HTTP request smuggling.
  See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

3.0.0 (2024-02-04)
------------------

- Rename "master" git branch to "main"

- Fix a bug that would appear on macOS whereby if we accept() a socket that is
  already gone, setting socket options would fail and take down the server. See
  https://github.com/Pylons/waitress/pull/399

- Fixed testing of vendored asyncore code to not rely on particular naming for
  errno's. See https://github.com/Pylons/waitress/pull/397

- HTTP Request methods and versions are now validated to meet the HTTP
  standards thereby dropping invalid requests on the floor. See
  https://github.com/Pylons/waitress/pull/423

- No longer close the connection when sending a HEAD request response. See
  https://github.com/Pylons/waitress/pull/428

- Always attempt to send the Connection: close response header when we are
  going to close the connection to let the remote know in more instances. See
  https://github.com/Pylons/waitress/pull/429

- Python 3.7 is no longer supported. Add support for Python 3.11, 3.12 and
  PyPy 3.9, 3.10. See https://github.com/Pylons/waitress/pull/412

- Document that trusted_proxy may be set to a wildcard value to trust all
  proxies. See https://github.com/Pylons/waitress/pull/431

Updated Defaults
~~~~~~~~~~~~~~~~

- clear_untrusted_proxy_headers is set to True by default. See
  https://github.com/Pylons/waitress/pull/370