
Conversation

renovate-bot
Contributor

This PR contains the following updates:

| Package              | Change               |
|----------------------|----------------------|
| gunicorn (changelog) | ==22.0.0 -> ==23.0.0 |

GitHub Vulnerability Alerts

CVE-2024-6827

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length', making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.


Release Notes

benoitc/gunicorn (gunicorn)

v23.0.0

Compare Source

Gunicorn 23.0.0 has been released. This version improves HTTP/1.1 support, which improves safety.

You're invited to upgrade your own installation as soon as possible.

23.0.0 - 2024-08-10

  • minor docs fixes (:pr:3217, :pr:3089, :pr:3167)
  • worker_class parameter accepts a class (:pr:3079)
  • fix deadlock if request terminated during chunked parsing (:pr:2688)
  • permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:3261)
  • permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:3261)
  • sdist generation now explicitly excludes sphinx build folder (:pr:3257)
  • decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising TypeError (:pr:2336)
  • raise correct Exception when encountering invalid chunked requests (:pr:3258)
  • the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:3192)
  • include IPv6 loopback address [::1] in default for :ref:forwarded-allow-ips and :ref:proxy-allow-ips (:pr:3192)

** NOTE **

  • The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
  • Review your :ref:forwarded-allow-ips setting if you are still not seeing the SCRIPT_NAME transmitted
  • Review your :ref:forwarder-headers setting if you are missing headers after upgrading from a version prior to 22.0.0

** Breaking changes **

  • refuse requests where the uri field is empty (:pr:3255)
  • refuse requests with invalid CR/LF/NUL in header field values (:pr:3253)
  • remove temporary --tolerate-dangerous-framing switch from 22.0 (:pr:3260)
  • If any of the breaking changes affect you, be aware that now-refused requests can pose a security problem, especially so in setups involving request pipelining and/or proxies.

Fix CVE-2024-1135


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
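The advisory quoted in the PR description says the vulnerable parser ignores a Transfer-Encoding value it does not recognise and falls back to Content-Length, and the breaking-changes list explains why 23.0.0 now refuses ambiguous requests instead. The following is an added example, not code from gunicorn, the Renovate PR, or the advisory: a toy HTTP/1.1 request framer that models three framing policies and shows how a front-end proxy and a lenient back-end split the same byte stream differently (the TE.CL desynchronisation), and how a strict back-end refuses the request. The `proxy`/`lenient`/`strict` policy names, the `Transfer-Encoding: gzip, chunked` value, and the sample requests are constructed for illustration; they are not the exact input reported for CVE-2024-6827 and the front-end rule ("honour TE whenever the last coding is chunked") is an assumption about a hypothetical proxy.

```python
"""Toy HTTP/1.1 request framer illustrating TE.CL desync (added example, not gunicorn code).

Policies:
  proxy   - honours Transfer-Encoding when the last listed coding is "chunked" (assumed proxy rule)
  lenient - honours only the exact value "chunked"; anything else is ignored and framing
            falls back to Content-Length (the fallback the advisory describes)
  strict  - refuses unknown codings, TE together with Content-Length, an empty
            request-target, and CR/LF/NUL inside a header value
"""
import re

CRLF = b"\r\n"
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "compress", "x-compress", "deflate"}


class FramingError(Exception):
    """Raised when a request must be refused rather than guessed at."""


def _split_head(data):
    """Return ((method, target, version), [(name, value), ...], bytes after the head)."""
    head, sep, rest = data.partition(CRLF + CRLF)
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise FramingError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise FramingError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return tuple(parts), headers, rest


def _body_length(headers, policy):
    """Decide the framing for one request: "chunked" or an integer Content-Length."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    if policy == "strict":
        if te and cl:
            raise FramingError("Transfer-Encoding and Content-Length both present")
        if any(c not in KNOWN_CODINGS for c in codings):
            raise FramingError("unknown transfer coding")
        if codings and codings[-1] != "chunked":
            raise FramingError("chunked must be the final transfer coding")
    if codings:
        if policy == "lenient":
            if codings == ["chunked"]:
                return "chunked"
            # Any other value is silently ignored here, so framing falls back to
            # Content-Length: this is the behaviour that lets TE.CL smuggling work.
        elif codings[-1] == "chunked":
            return "chunked"
    if cl:
        if len(cl) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise FramingError("invalid Content-Length")
        return int(cl[0])
    return 0


def _decode_chunked(rest):
    """Decode a chunked body; return (decoded body, bytes after the final chunk)."""
    out, pos = b"", 0
    while True:
        eol = rest.find(CRLF, pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size_field = rest[pos:eol].split(b";")[0].strip()
        if not re.fullmatch(rb"[0-9a-fA-F]+", size_field):
            raise FramingError("invalid chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            if rest[pos:pos + 2] != CRLF:  # trailer fields are not modelled
                raise FramingError("missing final CRLF")
            return out, rest[pos + 2:]
        chunk = rest[pos:pos + size]
        if len(chunk) != size or rest[pos + size:pos + size + 2] != CRLF:
            raise FramingError("truncated chunk")
        out += chunk
        pos += size + 2


def frame_request(data, policy):
    """Frame one request from data; return (method, target, body, remaining bytes)."""
    if policy not in ("proxy", "lenient", "strict"):
        raise ValueError(f"unknown policy {policy!r}")
    (method, target, _version), headers, rest = _split_head(data)
    if policy == "strict":
        if target == "":
            raise FramingError("empty request-target")
        for _name, value in headers:
            if re.search(r"[\r\n\x00]", value):
                raise FramingError("CR/LF/NUL in header field value")
    length = _body_length(headers, policy)
    if length == "chunked":
        body, rest = _decode_chunked(rest)
    else:
        if len(rest) < length:
            raise FramingError("truncated body")
        body, rest = rest[:length], rest[length:]
    return method, target, body, rest


def parse_stream(data, policy):
    """Frame every request in data the way policy would; returns [(method, target, body), ...]."""
    seen = []
    while data:
        method, target, body, data = frame_request(data, policy)
        seen.append((method, target, body))
    return seen


def refuses(data, policy):
    """True if policy rejects the stream outright instead of guessing a framing."""
    try:
        parse_stream(data, policy)
    except FramingError:
        return True
    return False


# Constructed TE.CL payload (illustration only). The proxy frames it as one chunked
# request whose single chunk is SMUGGLED; a lenient back-end trusts "Content-Length: 4",
# consumes just the chunk-size line, and then reads SMUGGLED as a second request.
SMUGGLED = (b"POST /admin HTTP/1.1\r\n"
            b"Host: app.example\r\n"
            b"Content-Length: 7\r\n"   # exactly covers the trailing b"\r\n0\r\n\r\n"
            b"\r\n")
PAYLOAD = (b"POST / HTTP/1.1\r\n"
           b"Host: app.example\r\n"
           b"Content-Length: 4\r\n"
           b"Transfer-Encoding: gzip, chunked\r\n"
           b"\r\n"
           + b"%x\r\n" % len(SMUGGLED)
           + SMUGGLED
           + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    print("proxy   :", [(m, t) for m, t, _ in parse_stream(PAYLOAD, "proxy")])
    print("lenient :", [(m, t) for m, t, _ in parse_stream(PAYLOAD, "lenient")])
    print("strict  :", "refused" if refuses(PAYLOAD, "strict") else "accepted")
```

Running it prints one request for the proxy and two for the lenient back-end, including a `POST /admin` the proxy never saw; that disagreement over where one request ends is the whole of request smuggling. The strict policy refuses the same bytes, which is why the 23.0.0 notes warn that newly refused requests can be a security problem in their own right: with pipelining or a proxy in front, a 400 on an ambiguous request is the safe outcome, but only if the front-end also closes or resynchronises the connection rather than forwarding the leftover bytes as the next request.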

@renovate-bot renovate-bot requested review from a team as code owners March 22, 2025 03:22
@trusted-contributions-gcf trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Mar 22, 2025
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Hello @renovate-bot, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

This pull request updates the gunicorn dependency from version 22.0.0 to 23.0.0 in two requirements.txt files. This update includes security fixes and improvements to HTTP 1.1 support. Specifically, it addresses CVE-2024-6827, a vulnerability related to improper validation of the 'Transfer-Encoding' header. The update also includes fixes for deadlocks during chunked parsing and stricter validation of request headers.

Highlights

  • Dependency Update: The pull request updates the gunicorn dependency from version 22.0.0 to 23.0.0.
  • Security Fix: Includes a fix for CVE-2024-6827, addressing a vulnerability in gunicorn related to 'Transfer-Encoding' header validation.
  • HTTP 1.1 Improvements: Improves HTTP 1.1 support and overall safety.

Changelog

  • run/idp-sql/requirements.txt
    • Updated gunicorn from version 22.0.0 to 23.0.0 (line 4).
  • run/image-processing/requirements.txt
    • Updated gunicorn from version 22.0.0 to 23.0.0 (line 4).

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

| Feature              | Command               | Description                                                                              |
|----------------------|-----------------------|------------------------------------------------------------------------------------------|
| Code Review          | /gemini review        | Performs a code review for the current pull request in its current state.                |
| Pull Request Summary | /gemini summary       | Provides a summary of the current pull request in its current state.                     |
| Comment              | @gemini-code-assist   | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help                 | /gemini help          | Displays a list of available commands.                                                   |

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.


Trivia time!

What is Gunicorn's primary function in a Python web application?

Click here for the answer
Gunicorn ('Green Unicorn') is a Python WSGI HTTP server. It's used to serve Python web applications, translating between the web server and the application.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This PR updates the gunicorn dependency to version 23.0.0 in two requirements.txt files. This update addresses a security vulnerability (CVE-2024-6827) and includes other improvements and fixes. The pull request description provides detailed information about the changes and potential breaking changes in the new version.

Summary of Findings

  • Security Vulnerability: The update addresses CVE-2024-6827, a request smuggling vulnerability in gunicorn versions prior to 23.0.0. This vulnerability could lead to various security issues, including cache poisoning and data exposure. This is a critical update.
  • Potential Breaking Changes: The gunicorn v23.0.0 release includes breaking changes, such as refusing requests with empty URI fields or invalid characters in header field values. Ensure the application is compatible with these changes.

Merge Readiness

Given the security vulnerability addressed by this update, it is crucial to merge this PR. However, it's also important to verify that the application is compatible with the breaking changes introduced in gunicorn v23.0.0. I am unable to directly approve this pull request, and recommend that others review and approve this code before merging.

@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 22, 2025
@product-auto-label product-auto-label bot added samples Issues that are directly related to samples. api: run Issues related to the Cloud Run API. labels Mar 22, 2025
@glasnt glasnt merged commit 7eef5e3 into GoogleCloudPlatform:main Mar 24, 2025
13 checks passed
@renovate-bot renovate-bot deleted the renovate/pypi-gunicorn-vulnerability branch March 24, 2025 00:38

