Merge ~pelpsi/lp-signing/+git/dependencies:gunicorn-upgrade-HTTP-request-smuggling-vulnerability into ~launchpad/lp-signing/+git/dependencies:master

Proposed by Simone Pelosi
Status: Merged
Approved by: Simone Pelosi
Approved revision: 7a8457f95cc9625779578cb7c423109e3838c3e4
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~pelpsi/lp-signing/+git/dependencies:gunicorn-upgrade-HTTP-request-smuggling-vulnerability
Merge into: ~launchpad/lp-signing/+git/dependencies:master
Diff against target: 4 lines (+0/-0)
0 files modified
Reviewer Review Type Date Requested Status
Guruprasad Approve
Colin Watson (community) Approve
Review via email: mp+440165@code.launchpad.net

This proposal supersedes a proposal from 2023-03-31.

Commit message

Upgraded gunicorn to fix HTTP request smuggling vulnerability

A penetration test found that our gunicorn version is vulnerable; version 20.1.0 should be safe.

Guruprasad (lgp171188) wrote :

The added gunicorn 20.1.0 tarball looks okay to me, but the previous version of gunicorn is present in wheel form. We have to check with Colin if it is required to do the same for the newer version as well.

review: Needs Information
Colin Watson (cjwatson) wrote :

I think an sdist is fine - the deployment machinery should end up building a wheel as needed.

review: Approve
Guruprasad (lgp171188) :
review: Approve

Preview Diff

1diff --git a/gunicorn-20.1.0.tar.gz b/gunicorn-20.1.0.tar.gz
2new file mode 100644
3index 0000000..b5da493
4Binary files /dev/null and b/gunicorn-20.1.0.tar.gz differ
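Review bot: this hunk only adds gunicorn-20.1.0.tar.gz as a new binary file and removes nothing (the header confirms +0/-0, 0 files modified), so the older gunicorn artifact the comments mention as present in wheel form remains in the dependencies branch; if nothing still pins it, drop it in this change or a follow-up so the version the penetration test flagged cannot be selected by the build. Since a binary blob shows reviewers nothing beyond `index 0000000..b5da493`, the commit message should also state how the sdist was obtained and verified against the upstream release (e.g. the published checksum it was matched with) and name the gunicorn fix that 20.1.0 carries, rather than "should be safe".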
