public inbox for git-commits@fedoraproject.org
* [rpms/cpp-httplib] epel10: Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352)
@ 2026-06-24 16:48
From: @ 2026-06-24 16:48 UTC
To: git-commits
A new commit has been pushed.
Repo : rpms/cpp-httplib
Branch : epel10
Commit : f0825934b2b298840de2d4e26fce396e419206d5
Author : Petr Menšík <pemensik@redhat.com>
Date : 2026-06-24T12:19:18+02:00
Stats : +2/-2 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/cpp-httplib/c/f0825934b2b298840de2d4e26fce396e419206d5?branch=epel10
Log:
Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352)
Security fixes
Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066
New features
Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)
Behavior changes
The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)
Bug fixes
Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0
Bug fixes
Fix Expect: 100-continue over TLS: the client decided whether to withhold the request body based on raw socket readability, but post-handshake TLS 1.3 records (e.g. session tickets) make the socket readable without any HTTP response, causing the body to be withheld and the request to fail with Failed to read connection. The client now decides by attempting to read the status line within the 100-continue timeout, and sends the body if none arrives (matching curl) (#2458, #2460)
Fix -Wmissing-field-initializers warnings on Windows by using {} instead of {0} for OVERLAPPED and ADDRINFOEXW initialization (#2459)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.46.1
Security
Fix proxy digest credential leak when an HTTPS origin returns 407 inside a CONNECT tunnel. The 401/407 retry is now gated on the response actually coming from a proxy hop (#2457)
New features
Add Client::set_no_proxy() for per-host proxy bypass. Accepts *, hostname suffix (dot-boundary rule), IPv4/IPv6 CIDR, and bare IP literals. Proxy-Authorization is suppressed for bypassed hosts, including across redirects (#2446, #2448)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.46.0
Bug fixes
Fix iOS build break caused by TARGET_OS_MAC being true on all Apple platforms (iOS, tvOS, watchOS). The Keychain enumeration path and Security.h include guards are now narrowed to TARGET_OS_OSX, and defining CPPHTTPLIB_USE_CERTS_FROM_MACOSX_KEYCHAIN on a non-macOS Apple platform now emits an explicit #error directing users to set_ca_cert_path() with a bundled CA file. Addresses #2454 (#2455)
Fix zstd detection in the installed httplibConfig.cmake so downstream projects that depend on the installed package correctly pick up zstd (#2453)
Improvements
Replace the deprecated SecTrustCopyAnchorCertificates (deprecated in macOS 13) with SecTrustSettingsCopyCertificates, iterating over the System, Admin, and User trust domains to retain equivalent anchor-certificate coverage (#2455)
Declare Server::stop() as noexcept, reflecting that the implementation does not throw (#2451)
CI / Internal
Add a best-effort BoringSSL CI job (Ubuntu and macOS) that builds BoringSSL from source and exercises cpp-httplib's existing OpenSSL backend path. SSLClientServerTest.TlsVerifyHostname is now backend-aware (BoringSSL is SAN-only per RFC 6125 §6.4.4), and the README notes BoringSSL as a best-effort variant with the C++14 and SAN-only caveats (#2456)
Add an iOS header parse check to CI to catch accidental use of macOS-only APIs or guards (e.g. TARGET_OS_MAC vs TARGET_OS_OSX) that would silently break iOS builds (#2455)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.45.1
---
diff --git a/cpp-httplib.spec b/cpp-httplib.spec
index d8ff192..d75ea00 100644
--- a/cpp-httplib.spec
+++ b/cpp-httplib.spec
@@ -18,7 +18,7 @@
%endif
Name: cpp-httplib
-Version: 0.38.0
+Version: 0.47.0
%forgemeta
Release: %autorelease
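Review bot: The `Version:` line jumps from 0.38.0 to 0.47.0 on the epel10 branch, but the commit log only carries upstream notes for v0.45.1 through v0.47.0, so the releases between 0.38.0 and 0.45.1 land with no summary here. The notes that are included already list behavior changes (the request body is now read after the pre-request handler, and WebSocketClient with a custom CA no longer merges system CA certificates), so the log should state whether packages that build against cpp-httplib on this branch were checked or rebuilt. It would also help to say which of the three CVEs named in the subject corresponds to which listed fix, since the log describes the TLS chain verification bypass and the proxy digest credential leak without tying either to a CVE number.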
diff --git a/sources b/sources
index 0e7f0ee..639925f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (cpp-httplib-0.38.0.tar.gz) = d8dfd5a447db4d6eb2a92c498af18cb3bf999ed43ef9a9552a8781f9c23597a3d178d2a15f5fa0afb68f2ec278080e6d4808cef5cfa68a8ed5f0c57b42bdbee7
+SHA512 (cpp-httplib-0.47.0.tar.gz) = dffde14997beef8b6f35f985d0865b2679f133a79a626df1d915c445b63108ef326becd31475751c78d02a1563ef0cff48ff646e47591e2e479b3bbc57d65d2d
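Review bot: The replaced `SHA512 (cpp-httplib-0.47.0.tar.gz)` line is the only thing pinning the new tarball, and the commit does not say how the archive was obtained or checked. Please confirm the uploaded file is the archive for the upstream v0.47.0 tag referenced in the log, for example by fetching it again and comparing the digest, and record that in the commit message.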