Gunicorn: Gunicorn request smuggling vulnerability and 19.10 release

Created on 28 Apr 2021  ·  5 Comments  ·  Source: benoitc/gunicorn

Hi, I'm looking into failing security scans for my own projects that have dependencies on Gunicorn 19.10.
I opened this related issue https://github.com/apache/airflow/issues/15570, but now I'm here for clarification.

What is the current state of 19.10?
This CVE says 19.10 and 20.0.1 releases have patched the request smuggling vulnerability.

However, the 19.10 release has a failing build on PyPI https://pypi.org/project/gunicorn/19.10.0/
And 19.10 doesn't have any release notes https://github.com/benoitc/gunicorn/releases

Note: It's possible this is an issue with my vulnerability database Safety https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json#L8507

In short: Is 19.10 stable and secure?

All 5 comments

19.10 has release notes in the changelog. I stopped using this
GitHub feature. Failing builds are due to this crap of Travis CI and tests
on Windows. In the coming month the CI will be moved to a better service.

As for this CVE, this had not been opened by us, so apparently some people are
more informed than me. In any case this « issue » is not present in 19.10. That "CVE" is correct.

@benoitc Thank you for the quick reply!
That perfectly answers my questions.

For reference, 19.10 is flagged as insecure by Pipenv/Safety, but I'll move over there now to see about a database update :)

afaik 20.1.0 is stable and secure. This is the current supported release. 19.x branch is somewhat deprecated.

Yes, but Airflow is requesting versions between 19.5.0 and 20.0, which is the project I'm using, so I had to check - thanks again (quite refreshing to get such quick responses)

Thanks @CoburnJoe for asking and @benoitc for answering. Indeed Airflow 2.x uses the <20 limitation, but the whole discussion prompted me to investigate why (especially since the 1.10 line already moved to 20.x). I will likely soon update it and switch to the 20.x line of versions :)
