cpp-httplib-0.48.0-1.el10_3
FEDORA-EPEL-2026-4d48176243
Packages in this update:
- cpp-httplib-0.48.0-1.el10_3
- Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)
- Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
- Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0
- decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0
Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352) Security fixes- Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)
- Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
- Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
- Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)
- The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
- WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
- Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)
- Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
- Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
- Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
- Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
- Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0