Gunicorn request smuggling vulnerability and 19.10 release #2572
Comments
|
19.10 has release notes in the [changelog](https://docs.gunicorn.org/en/stable/news.html#id1). I stopped to use this
github feature. Failing builds are due to this crap of travis ci and test
on windows. In the coming month the CI will be moved to an better service.
As for this CVE, this had not been open by us so apparently some people are
more informed than me. In any case this « issue » is not present in 19.10. That "CVE" is correct.
|
|
@benoitc Thank you for the quick reply! For reference, 19.10 is flagged is insecure by Pipenv/Safety, but I'll move over there now to see about a database update :) |
afaik 20.1.0 is stable and secure. This is the current supported release. 19.x branch is somewhat deprecated. |
Yes, but Airflow is requesting versions between 19.5.0 and 20.0, which is the project I'm using, so I had to check - thanks again (quite refreshing to get such quick responses) |
|
Thanks @CoburnJoe for asking and @benoitc for answering. Indeed Airflow 2.x uses <20 limitation but the whole discussion prompted me to investigate why (especially that 1.10 line already moved to 20.). I will likely soon update it and switch to 20. Line of versions :) |
Hi, I'm looking into failing security scans for my own projects that have dependencies on Gunicorn 19.10.
I opened this related issue apache/airflow#15570, but now I'm here for clarification.
What is the current state of 19.10?
This CVE says 19.10 and 20.0.1 releases have patched the request smuggling vulnerability.
However, the 19.10 release has a failing build on PyPI https://pypi.org/project/gunicorn/19.10.0/
And 19.10 doesn't have any release notes https://github.com/benoitc/gunicorn/releases
Note: It's possible this is an issue with my vulnerability database Safety https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json#L8507
In short: Is 19.10 stable and secure?
The text was updated successfully, but these errors were encountered: