Can we get a version bump? 19.7.1 was released over a year ago, and includes important fixes over 19.6.0. In particular, 19.6.0 does not support setting supplementary groups for worker processes, which is a security issue (they wind up with root's group list).
Better be safe...
To add to the security impact info:
- Affected versions are <www-servers/gunicorn-19.7.0 (.1 came later)
- To properly drop privileges, gunicorn needs to be started with --initgroups (or initgroups = True in the config file).

I don't know why they don't just do the right thing by default... I guess it *technically* would be backwards incompatible (with broken setups).
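Added example, not part of the original thread or of gunicorn's code: a check over the text of /proc/<pid>/status that reports supplementary groups a worker still holds after dropping its UID/GID, which is the symptom described in this report. The sample status text, the UID/GID 1001, group 2000 and the function names are constructed for illustration.

```python
# Constructed /proc/<pid>/status excerpts (not captured from a real system).
# Worker started by root without initgroups: UID/GID changed, root's groups kept.
WORKER_NO_INITGROUPS = (
    "Name:\tgunicorn\n"
    "Uid:\t1001\t1001\t1001\t1001\n"
    "Gid:\t1001\t1001\t1001\t1001\n"
    "Groups:\t0 1 2 3 4 6 10 \n"
)
# Worker started with initgroups: only the service user's own groups remain.
WORKER_WITH_INITGROUPS = (
    "Name:\tgunicorn\n"
    "Uid:\t1001\t1001\t1001\t1001\n"
    "Gid:\t1001\t1001\t1001\t1001\n"
    "Groups:\t1001 2000 \n"
)

def parse_status(text):
    """Return (name, real_uid, real_gid, supplementary_groups) from status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uid = int(fields["Uid"].split()[0])   # first column is the real UID
    gid = int(fields["Gid"].split()[0])   # first column is the real GID
    groups = sorted(int(g) for g in fields.get("Groups", "").split())
    return fields.get("Name", "?"), uid, gid, groups

def leaked_groups(text, allowed=()):
    """Groups an unprivileged process holds beyond its primary GID and `allowed`.

    `allowed` is the set of GIDs the service account is meant to belong to.
    """
    _, uid, gid, groups = parse_status(text)
    if uid == 0:
        return []  # process never dropped privileges; out of scope for this check
    return [g for g in groups if g != gid and g not in allowed]

if __name__ == "__main__":
    for label, sample in (("no initgroups", WORKER_NO_INITGROUPS),
                          ("initgroups", WORKER_WITH_INITGROUPS)):
        extra = leaked_groups(sample, allowed=(2000,))
        print(f"{label}: {'LEAKED ' + str(extra) if extra else 'ok'}")
```

On a live host the same functions can be fed the contents of /proc/<pid>/status for each worker PID, with `allowed` set to the service account's intended group memberships.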
bumped to 19.7.1
@arches, please stabilize.
amd64 stable
x86 stable
@maintainer, please drop vulnerable versions.