From 51fefb9ef63bc10b578a47256e26c6383198ac1f Mon Sep 17 00:00:00 2001
From: Francis Charette Migneault
Date: Fri, 26 Apr 2024 21:55:59 -0400
Subject: [PATCH] update gunicorn
---
 CHANGES.rst | 2 +-
 requirements.txt | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 788807e21..12b63c307 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -12,7 +12,7 @@ Changes
 Changes:
 --------
-- No change.
+- Pin ``gunicorn>=22`` to address CVE-2024-1135.
 Fixes:
 ------
diff --git a/requirements.txt b/requirements.txt
index cac4c8ef2..b78d74669 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -40,9 +40,8 @@ esgf-compute-api @ git+https://github.com/ESGF/esgf-compute-api.git@v2.3.7
 # (https://github.com/KipCrossing/geotiff/pull/59)
 geotiff>=0.2.8
 # gunicorn >20 breaks some config.ini loading parameters (paste)
-# it is also only available for Python >=3.5
 # use pserve to continue supporting config.ini with paste settings
-gunicorn>=20.0.4
+gunicorn>=22
 # reduced dependencies contrains to let packages update to latest (https://github.com/vinitkumar/json2xml/issues/157)
 # even more reduced dependency constraints (https://github.com/vinitkumar/json2xml/pull/195)
 json2xml>=4.1.0
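Review bot: The comment kept in the requirements.txt hunk, `# gunicorn >20 breaks some config.ini loading parameters (paste)`, now contradicts the line it annotates, because `gunicorn>=22` admits only releases that the comment describes as breaking paste-based config.ini loading. Nothing next to the requirement records that the floor exists for a security fix, so a maintainer who hits the paste problem could lower it again and bring back the affected versions. I would replace that comment with something like `# gunicorn>=22 is required for CVE-2024-1135; do not lower this floor to work around paste config.ini loading`. Before merging, confirm that the `pserve` path named in the following comment still starts the service with the existing config.ini. The changelog entry says "Pin", but `>=22` is a lower bound with no upper limit, so "Require ``gunicorn>=22``" would describe it more accurately.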