Gunicorn request smuggling vulnerability and 19.10 release #2572
Comments
19.10 has release notes in the [changelog](https://docs.gunicorn.org/en/stable/news.html#id1). I stopped using this GitHub feature. Failing builds are due to this crap of Travis CI and tests on Windows. In the coming month the CI will be moved to a better service. As for this CVE, it had not been opened by us, so apparently some people are more informed than me. In any case this « issue » is not present in 19.10. That "CVE" is correct.
@benoitc Thank you for the quick reply! For reference, 19.10 is flagged as insecure by Pipenv/Safety, but I'll move over there now to see about a database update :)
afaik 20.1.0 is stable and secure. This is the current supported release. The 19.x branch is somewhat deprecated.
Yes, but Airflow, which is the project I'm using, is requesting versions between 19.5.0 and 20.0, so I had to check - thanks again (quite refreshing to get such quick responses)
Thanks @CoburnJoe for asking and @benoitc for answering. Indeed Airflow 2.x uses a <20 limitation, but the whole discussion prompted me to investigate why (especially since the 1.10 line already moved to 20.). I will likely soon update it and switch to the 20. line of versions :)
Hi, I'm looking into failing security scans for my own projects that have dependencies on Gunicorn 19.10.
I opened this related issue apache/airflow#15570, but now I'm here for clarification.
What is the current state of 19.10?
This CVE says 19.10 and 20.0.1 releases have patched the request smuggling vulnerability.
However, the 19.10 release has a failing build on PyPI https://pypi.org/project/gunicorn/19.10.0/
And 19.10 doesn't have any release notes https://github.com/benoitc/gunicorn/releases
Note: It's possible this is an issue with my vulnerability database Safety https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json#L8507
In short: Is 19.10 stable and secure?