Vulnerability in gevent

[alimony]

Snyk claims there is a vulnerability in gevent: https://security.snyk.io/vuln/SNYK-PYTHON-GEVENT-8320934

If this is indeed the case, gunicorn should require a later version of gevent.

But also, it seems like gunicorn has not been touched in four months, what's the current status?

Does anyone know the latest version of gevent that gunicorn currently supports?

[pajod]

#ifndef HAVE_SOCKETPAIR

Gunicorn is not commonly used outside of Linux and MacOS.

gunicorn should require a later version of gevent

Bumping the Gunicorn requirements would primarily make sense if Gunicorn itself was directly utilizing that call on any supported and affected platform. Otherwise those requirements would serve as little more than annoyance to distributors.

What's the current status?

See #3395 - Gunicorn is currently short on maintainer time and has seen little community contributions in that area either - there are multiple PRs with no feedback whatsoever. And Gunicorn is publicly documented to be affected to other vulnerabilities.. some of them applying to less obscure scenarios.

Ref: The problem you are referring to has a CVE assigned for cPython - Gevent was just duplicating that code:

• https://www.cve.org/CVERecord?id=CVE-2024-3219