[Security] Bump gunicorn from 0.17.4 to 19.5.0

[dependabot-preview]

Bumps gunicorn from 0.17.4 to 19.5.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects gunicorn
gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.

Affected versions: < 19.5.0

Release notes

Sourced from gunicorn's releases.

19.5.0

== 19.5.0 ==

=== Core ===

• fix: Ensure response to HEAD request won't have message body
• fix: lock domain socket and remove on last arbiter exit (#1220)
• improvement: use EnvironmentError instead of socket.error (#939)
• add: new $FORWARDDED_ALLOW_IPS environment variable (#1205)
• fix: infinite recursion when destroying sockets (#1219)
• fix: close sockets on shutdown (#922)
• fix: clean up sys.exc_info calls to drop circular refs (#1228)
• fix: do post_worker_init after load_wsgi (#1248)

=== Workers ===

• fix access logging in gaiohttp worker (#1193)
• eventlet: handle QUIT in a new coroutine (#1217)
• gevent: remove obsolete exception clauses in run (#1218)
• tornado: fix extra "Server" response header (#1246)
• fix: unblock the wait loop under python 3.5 in sync worker (#1256)

=== Logging ===

• fix: log message for listener reloading (#1181)
• Let logging module handle traceback printing (#1201)
• improvement: Allow configuring logger_class with statsd_host (#1188)
• fix: traceback formatting (#1235)
• fix: print error logs on stderr and access logs on stdout (#1184)

=== Documentation ===

• Simplify installation instructions in gunicorn.org (#1072)
• Fix URL and default worker type in example_config (#1209)
• update django doc url to 1.8 lts (#1213)
• fix: miscellaneous wording corrections (#1216)
• Add PSF License Agreement of selectors.py to NOTICE (:issue: #1226)
• document LOGGING overriding (#1051)
• put a note that error logs are only errors from Gunicorn (#1124)
• add a note about the requirements of the threads workers under python 2.x (#1200)
• add access_log_format to config example (#1251)

=== Tests ===

• Use more pytest.raises() in test_http.py

19.4.5

== 19.4.5 ==

• fix: NameError fileno in gunicorn.http.wsgi (#1178)

19.4.4

== 19.4.4 ==

• fix: check if a fileobject can be used with sendfile(2) (#1174)
• doc: be more descriptive in errorlog option (#1173)

... (truncated)

Commits

• 7d61a60 add changelog
• 58f190d Merge pull request #1257 from benoitc/fix/1256
• b0c0333 unblock the wait loop under python 3.5
• 9d158be Add access_log_format to config example (#1251)
• ded610e add a note about the requirements of the threads workers under python 2.x
• 6f9ae5e put a note that error logs are only errors from Gunicorn.
• 65db610 print error logs on stderr and access logs on stdout
• 5fa32a6 document LOGGING overriding
• e005c9d reverse change in example_config.py
• 66546d6 fix #1246
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[coveralls]

Coverage remained the same at 76.984% when pulling e326658 on dependabot/pip/gunicorn-19.5.0 into 1a3f718 on v0.15.

[dependabot-preview]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.