Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: bump gunicorn to 22.0.0 #28490

Merged
merged 1 commit into from
May 14, 2024
Merged

chore: bump gunicorn to 22.0.0 #28490

merged 1 commit into from
May 14, 2024

Conversation

dpgaspar
Copy link
Member

SUMMARY

Bump gunicorn to address a potencial vulnerability

https://docs.gunicorn.org/en/latest/news.html#id1

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@dosubot dosubot bot added the install:dependencies Installation - Dependencies label May 14, 2024
@codecov Codecov
Copy link

codecov bot commented May 14, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.41%. Comparing base (76d897e) to head (c4ed164).
Report is 108 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff             @@
##           master   #28490       +/-   ##
===========================================
+ Coverage   60.48%   83.41%   +22.92%     
===========================================
  Files        1931      521     -1410     
  Lines       76236    37467    -38769     
  Branches     8568        0     -8568     
===========================================
- Hits        46114    31252    -14862     
+ Misses      28017     6215    -21802     
+ Partials     2105        0     -2105
Flag Coverage Δ
hive 49.09% <ø> (-0.07%) ⬇️
javascript ?
mysql 77.10% <ø> (?)
postgres 77.23% <ø> (?)
presto 53.65% <ø> (-0.15%) ⬇️
python 83.41% <ø> (+19.92%) ⬆️
sqlite 76.68% <ø> (?)
unit 58.81% <ø> (+1.19%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@rusackas rusackas requested a review from john-bodley May 14, 2024 15:40
mistercrunch
mistercrunch approved these changes May 14, 2024
View reviewed changes
Copy link
Member

@mistercrunch mistercrunch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after reviewing breaking changes https://docs.gunicorn.org/en/latest/news.html

Looks ok to me but thought I'd paste here for @dpgaspar to have another look pre-merge:

** Breaking changes **

minimum version is Python 3.7

the limitations on valid characters in the HTTP method have been bounded to Internet Standards

requests specifying unsupported transfer coding (order) are refused by default (rare)

HTTP methods are no longer casefolded by default (IANA method registry contains none affected)

HTTP methods containing the number sign (#) are no longer accepted by default (rare)

HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)

HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted

HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software

HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)

requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)

empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

john-bodley
john-bodley reviewed May 14, 2024
View reviewed changes
pyproject.toml
@@ -55,7 +55,7 @@ dependencies = [
"flask-wtf>=1.1.0, <2.0",
"func_timeout",
"geopy",
"gunicorn>=21.2.0, <22.0; sys_platform != 'win32'",
"gunicorn>=22.0.0; sys_platform != 'win32'",
Copy link
Member

@john-bodley john-bodley May 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dpgaspar should we include an upper limit on <23.0?

Additionally, do you know why we need the sys_platform != 'win32' check, especially given that we don't support Windows?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may be moving away from always pinning the upper limit: #28144 (comment)

@dpgaspar
Copy link
Member Author

LGTM after reviewing breaking changes https://docs.gunicorn.org/en/latest/news.html

Looks ok to me but thought I'd paste here for @dpgaspar to have another look pre-merge:

** Breaking changes **

minimum version is Python 3.7

the limitations on valid characters in the HTTP method have been bounded to Internet Standards

requests specifying unsupported transfer coding (order) are refused by default (rare)

HTTP methods are no longer casefolded by default (IANA method registry contains none affected)

HTTP methods containing the number sign (#) are no longer accepted by default (rare)

HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)

HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted

HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software

HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)

requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)

empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

I took a look, seems unlikely to break anyones deployments

@dpgaspar dpgaspar merged commit 4f693c6 into apache:master May 14, 2024
36 of 37 checks passed
@dpgaspar dpgaspar deleted the fix/bump-gunicorn branch May 14, 2024 19:06
jzhao62 pushed a commit to jzhao62/superset that referenced this pull request May 16, 2024
@dpgaspar @jzhao62
chore: bump gunicorn to 22.0.0 (apache#28490)
a3a0bbc
@denodo-research-labs
Copy link

CVE-2024-1135 is reported as HIGH by some security tools like PRISMA.

Will this version bump be applied to the 3.1-x branch too to avoid that CVE affecting current stable versions?

@mistercrunch mistercrunch added the v3.1 Label added by the release manager to track PRs to be included in the 3.1 branch label May 20, 2024
EnxDev pushed a commit to EnxDev/superset that referenced this pull request May 31, 2024
@dpgaspar @EnxDev
chore: bump gunicorn to 22.0.0 (apache#28490)
809d4d4
@g-jgreen
Copy link

Any update on this? Seems to not be available on release 4.0.2.

Thanks

@mistercrunch
Copy link
Member

Should be in 4.1.0, which has an open release candidate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@john-bodley john-bodley john-bodley left review comments

@mistercrunch mistercrunch mistercrunch approved these changes

@betodealmeida betodealmeida Awaiting requested review from betodealmeida

@villebro villebro Awaiting requested review from villebro

Assignees
No one assigned
Labels
install:dependencies Installation - Dependencies size/S v3.1 Label added by the release manager to track PRs to be included in the 3.1 branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dpgaspar @denodo-research-labs @g-jgreen @mistercrunch @john-bodley