Fedora 43 Update: cpp-httplib-0.48.0-1.fc43
Fedora 43 Update: apptainer-1.5.2-1.fc43
Fedora 43 Update: mysql8.4-8.4.10-1.fc43
Fedora 44 Update: 7zip-26.02-1.fc44
Fedora 44 Update: nmap-7.92-11.fc44
Fedora 44 Update: apptainer-1.5.2-1.fc44
Fedora 44 Update: cpp-httplib-0.48.0-1.fc44
Fedora 44 Update: mysql8.4-8.4.10-1.fc44
[SECURITY] Fedora 43 Update: cpp-httplib-0.48.0-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1d4bd0354a
2026-07-03 01:08:59.045303+00:00
--------------------------------------------------------------------------------
Name : cpp-httplib
Product : Fedora 43
Version : 0.48.0
Release : 1.fc43
URL : https://github.com/yhirose/cpp-httplib
Summary : A C++11 single-file header-only cross platform HTTP/HTTPS library
Description :
A C++11 single-file header-only cross platform HTTP/HTTPS library.
It's extremely easy to setup. Just include the httplib.h file in your code!
--------------------------------------------------------------------------------
Update Information:
Update to 0.48.0 (rhbz#2481109)
Security fixes
- Complete the IP-host certificate identity fix from v0.47.0 for the
  Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated
  only via a matching iPAddress SAN, never via the certificate's Common
  Name (RFC 9110), matching what the OpenSSL backend already enforces
  through X509_check_ip. Previously these backends fell back to the CN
  when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte)
  iPAddress SANs are matched as well, and the CN fallback is skipped for
  both IPv4 and IPv6 literal hosts (#2476)
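The identity rule described above, as an added example that is not cpp-httplib's own code: it compares the old and new matching behaviour over a simplified certificate model. `CertView`, `SanEntry`, `ip_san` and both `*_ip_identity_ok` functions are hypothetical names, and the sample certificates are constructed.

```cpp
#include <arpa/inet.h>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed, simplified view of the leaf-certificate fields that matter for
// identity checks. This is not an X.509 parser and not cpp-httplib code.
enum class SanKind { Dns, Ip };

struct SanEntry {
  SanKind kind;
  std::vector<uint8_t> bytes;  // Ip: 4 (IPv4) or 16 (IPv6) raw address bytes
};

struct CertView {
  std::string common_name;
  std::vector<SanEntry> sans;
};

// Raw address bytes if `host` is an IP literal, otherwise an empty vector.
std::vector<uint8_t> ip_literal_bytes(const std::string &host) {
  uint8_t buf[16];
  if (inet_pton(AF_INET, host.c_str(), buf) == 1)
    return std::vector<uint8_t>(buf, buf + 4);
  if (inet_pton(AF_INET6, host.c_str(), buf) == 1)
    return std::vector<uint8_t>(buf, buf + 16);
  return std::vector<uint8_t>();
}

// Helper for building sample certificates (hypothetical name).
SanEntry ip_san(const std::string &text) {
  return SanEntry{SanKind::Ip, ip_literal_bytes(text)};
}

// Behaviour the advisory describes for Mbed TLS / wolfSSL before 0.48.0:
// only 4-byte iPAddress SANs are recognised, and the CN is a fallback.
bool legacy_ip_identity_ok(const CertView &cert, const std::string &host) {
  const std::vector<uint8_t> ip = ip_literal_bytes(host);
  if (ip.empty()) return false;  // hostname rules are out of scope here
  if (ip.size() == 4) {
    for (const SanEntry &s : cert.sans)
      if (s.kind == SanKind::Ip && s.bytes == ip) return true;
  }
  return cert.common_name == host;  // CN fallback
}

// Behaviour after the fix: an IP literal is authenticated only by a
// byte-for-byte match against a 4- or 16-byte iPAddress SAN.
bool strict_ip_identity_ok(const CertView &cert, const std::string &host) {
  const std::vector<uint8_t> ip = ip_literal_bytes(host);
  if (ip.empty()) return false;  // hostname rules are out of scope here
  for (const SanEntry &s : cert.sans)
    if (s.kind == SanKind::Ip && s.bytes == ip) return true;
  return false;  // never fall back to the CN for an IP literal
}

int main() {
  // Constructed sample certificates using documentation address ranges.
  const CertView cn_only{"192.0.2.10", {}};
  const CertView v6_san{"gw.example.test", {ip_san("2001:db8::1")}};
  // Same IPv6 address written in its long form: bytes match, strings do not.
  const std::string v6_long = "2001:0db8:0000:0000:0000:0000:0000:0001";

  std::cout << std::boolalpha
            << "CN-only cert, IPv4 host: legacy="
            << legacy_ip_identity_ok(cn_only, "192.0.2.10")
            << " strict=" << strict_ip_identity_ok(cn_only, "192.0.2.10")
            << "\nIPv6 SAN cert, IPv6 host: legacy="
            << legacy_ip_identity_ok(v6_san, v6_long)
            << " strict=" << strict_ip_identity_ok(v6_san, v6_long) << "\n";
  return 0;
}
```

Comparing raw address bytes rather than text is what lets the long and compressed IPv6 spellings match the same SAN.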
Improvements
- Replace the strtod-based from_chars for double with a hand-written,
  locale-independent parser. The only double parsed by the library is the
  HTTP quality value; strtod reads the decimal separator from the global C
  locale, so an embedder calling setlocale(LC_ALL, "") into a
  comma-decimal locale would mis-parse q-values. The new parser always
  treats . as the decimal separator and is allocation-free (Fix #2475)
- Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the
  thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the
  subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry()
  instead of the deprecated X509_STORE_get0_objects() and
  X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep
  using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2,
  and 3.0
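The q-value parsing issue described above, as an added example that is not cpp-httplib's parser: a locale-independent, allocation-free q-value parser next to a strtod-based one. All function names are hypothetical, and enforcing the RFC 9110 qvalue grammar (at most three fraction digits, maximum 1) is an assumption of this example, not something the release notes state about the library.

```cpp
#include <clocale>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <string>

// Locale-independent parse following the RFC 9110 grammar
//   qvalue = ( "0" [ "." 0*3DIGIT ] ) / ( "1" [ "." 0*3("0") ] )
// Works in integer thousandths, so no locale or allocation is involved.
bool parse_qvalue(const std::string &s, double &q) {
  if (s.empty() || (s[0] != '0' && s[0] != '1')) return false;
  int thousandths = (s[0] - '0') * 1000;
  std::size_t i = 1;
  if (i < s.size()) {
    if (s[i] != '.') return false;  // ',' is never a decimal separator
    ++i;
    int scale = 100;
    for (std::size_t digits = 0; i < s.size(); ++i, ++digits) {
      if (digits == 3 || s[i] < '0' || s[i] > '9') return false;
      thousandths += (s[i] - '0') * scale;
      scale /= 10;
    }
  }
  if (thousandths > 1000) return false;  // e.g. "1.001"
  q = thousandths / 1000.0;
  return true;
}

// strtod-based parse that must consume the whole string. The decimal
// separator it accepts comes from the process-wide LC_NUMERIC setting.
bool parse_qvalue_strtod(const std::string &s, double &q) {
  char *end = nullptr;
  const double v = std::strtod(s.c_str(), &end);
  if (end == s.c_str() || *end != '\0') return false;
  q = v;
  return true;
}

// Returns -1 if locale `name` is not installed, 1 if the strtod-based parse
// no longer reads "0.8" as 0.8 under it, 0 if it still does.
int strtod_locale_check(const char *name) {
  const std::string saved = std::setlocale(LC_ALL, nullptr);
  if (!std::setlocale(LC_ALL, name)) return -1;
  double q = 0;
  const bool ok = parse_qvalue_strtod("0.8", q) && q == 0.8;
  std::setlocale(LC_ALL, saved.c_str());  // restore the caller's locale
  return ok ? 0 : 1;
}

int main() {
  double q = 0;
  std::cout << "parse_qvalue(\"0.8\"): " << parse_qvalue("0.8", q)
            << " q=" << q << "\n"
            << "parse_qvalue(\"0,8\"): " << parse_qvalue("0,8", q) << "\n"
            // de_DE.UTF-8 is an assumed example of a comma-decimal locale.
            << "strtod under de_DE.UTF-8: "
            << strtod_locale_check("de_DE.UTF-8") << "\n";
  return 0;
}
```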
Behavior changes
- decode_query_component() now uses strict hex parsing for
  percent-escapes, consistent with decode_uri_component() and
  decode_path_component(). A % followed by non-hex characters (e.g. a sign
  or whitespace such as %-1, %+5, % 5) is passed through literally instead
  of being accepted as a valid escape (#2472)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0
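The strict percent-escape parsing described under "Behavior changes" above, as an added example that is not cpp-httplib's code: `decode_lenient`, `decode_strict`, `hex_val` and `decoders_disagree` are hypothetical names, and the strtol-based lenient decoder is an assumed stand-in for a parse that tolerates signs and whitespace.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <string>

// Lenient decoder: hands the two characters after '%' to strtol, which
// skips leading whitespace and accepts a sign, so "%-1", "%+5" and "% 5"
// all count as escapes.
std::string decode_lenient(const std::string &in) {
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '%' && i + 2 < in.size()) {
      const std::string hex = in.substr(i + 1, 2);
      char *end = nullptr;
      const long v = std::strtol(hex.c_str(), &end, 16);
      if (end == hex.c_str() + 2) {  // both characters were consumed
        out += static_cast<char>(v);
        i += 2;
        continue;
      }
    }
    out += in[i];
  }
  return out;
}

// Value of one hex digit, or -1. The cast to unsigned char avoids undefined
// behaviour in the ctype calls for negative char values.
int hex_val(char c) {
  const unsigned char u = static_cast<unsigned char>(c);
  if (!std::isxdigit(u)) return -1;
  return std::isdigit(u) ? u - '0' : std::tolower(u) - 'a' + 10;
}

// Strict decoder: an escape is '%' followed by exactly two hex digits;
// anything else is copied through literally.
std::string decode_strict(const std::string &in) {
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '%' && i + 2 < in.size()) {
      const int hi = hex_val(in[i + 1]);
      const int lo = hex_val(in[i + 2]);
      if (hi >= 0 && lo >= 0) {
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
        continue;
      }
    }
    out += in[i];
  }
  return out;
}

// True when the two decoders produce different bytes for the same input,
// i.e. the input contains an escape only a lenient parser would honour.
bool decoders_disagree(const std::string &in) {
  return decode_lenient(in) != decode_strict(in);
}

int main() {
  // Constructed sample query values.
  const char *samples[] = {"a%20b", "q=%2B1", "id=%-1", "n=%+5", "n=% 5"};
  for (const char *s : samples)
    std::cout << s << " -> strict \"" << decode_strict(s) << "\""
              << (decoders_disagree(s) ? "  [decoders disagree]" : "") << "\n";
  return 0;
}
```

Inputs on which the two decoders disagree are the ones where a component validating the raw string and a component decoding it could end up seeing different bytes.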
Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352)
Security fixes
- Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed
  TLS and wolfSSL backends: with server certificate verification enabled,
  SSLClient skipped chain validation entirely (any untrusted certificate with a
  matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped
  verification altogether. Chain verification now stays enabled for IP hosts, and
  certificate identity is verified post-handshake against IP SANs on all backends.
  SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066
  (CVE-2026-54919)
New features
- Add Server::set_start_handler(): a callback invoked when the server is ready to
  accept connections, useful when running the server in a background thread
  (#2467)
- Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading
  system CA certificates alongside a custom CA. The default is unchanged: a custom
  CA remains exclusive. The setting carries over to clients created for HTTPS
  redirects (#2471)
- Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address
  while keeping the original hostname for the handshake and certificate
  verification (#2463)
Behavior changes
- The request body is now read after route matching and the pre-request handler,
  so both the regular handler and ContentReader paths behave the same: route
  matching → pre-request handler → body read → handler. A request rejected by the
  pre-request handler (e.g. failed per-route authentication via req.matched_route)
  no longer buffers the body at all. Note: code that referenced req.body or
  body-derived form fields inside the pre-request handler will now see an empty body;
  inspect headers, path, query parameters, or matched_route instead
- WebSocketClient with a custom CA no longer merges system CA certificates (it
  previously always merged them). This matches SSLClient behavior; call
  enable_system_ca(true) to load system CA certificates alongside the custom CA
- Range request headers are now ignored for streaming responses of unknown length
  instead of producing an invalid response (#2465)
Bug fixes
- Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA
  certificates were silently merged into the user-provided store, broadening the
  trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates
  over to clients created for HTTPS redirects
- Fix WebSocketClient dropping the query string from the URL during the upgrade
  handshake, so query parameters (e.g. auth tokens) are sent (#2468)
- Fix a use-after-free when reconnecting a WebSocketClient after
  set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL
  set_ca_cert_store() backends
- Fix MSVC warning C4309 (truncation of constant value) in SHA padding code
  (#2464)
- Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid
  undefined behavior with negative char values (#2469)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 24 2026 Petr Menšík [pemensik@redhat.com] - 0.48.0-1
- Update to 0.48.0 (rhbz#2481109)
* Wed Jun 24 2026 Petr Menšík [pemensik@redhat.com] - 0.47.0-1
- Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372,
CVE-2026-45352)
* Wed Jun 24 2026 Petr Menšík [pemensik@redhat.com] - 0.38.0-3
- Record upstream tag format in spec
* Wed Jun 24 2026 Petr Menšík [pemensik@redhat.com] - 0.38.0-2
- Helper definitions of upstream and signed files
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2452170 - CVE-2026-33745 cpp-httplib: cpp-httplib: Information disclosure of credentials via cross-origin HTTP redirects [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2452170
[ 2 ] Bug #2453749 - CVE-2026-34441 cpp-httplib: cpp-httplib: HTTP Request Smuggling via unconsumed GET request body [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2453749
[ 3 ] Bug #2481109 - cpp-httplib-0.48.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2481109
[ 4 ] Bug #2483726 - CVE-2026-46527 cpp-httplib: cpp-httplib: Denial of Service via malformed X-Forwarded-For header [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2483726
[ 5 ] Bug #2483733 - CVE-2026-45372 cpp-httplib: cpp-httplib: Arbitrary code execution via improper HTTP header processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2483733
[ 6 ] Bug #2483736 - CVE-2026-45352 cpp-httplib: cpp-httplib: Denial of Service due to unbounded memory allocation via negative chunk-size [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2483736
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1d4bd0354a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: apptainer-1.5.2-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f8ab642466
2026-07-03 01:08:59.045311+00:00
--------------------------------------------------------------------------------
Name : apptainer
Product : Fedora 43
Version : 1.5.2
Release : 1.fc43
URL : https://apptainer.org
Summary : Application and environment virtualization formerly known as Singularity
Description :
Apptainer provides functionality to make portable
containers that can be used across host environments.
--------------------------------------------------------------------------------
Update Information:
Update to upstream 1.5.2. Also fixes CVE-2026-27145 because golang was new
enough.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Dave Dykstra [dwd@cern.ch] - 1.5.2
- Update to upstream 1.5.2
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2437258 - Apptainer is compiled without FIPS support
https://bugzilla.redhat.com/show_bug.cgi?id=2437258
[ 2 ] Bug #2489307 - Apptainer persistently segfaults during SIF file compression using mksquashfs
https://bugzilla.redhat.com/show_bug.cgi?id=2489307
[ 3 ] Bug #2494375 - CVE-2026-27145 apptainer: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494375
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f8ab642466' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: mysql8.4-8.4.10-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-280245e2ea
2026-07-03 01:08:59.045291+00:00
--------------------------------------------------------------------------------
Name : mysql8.4
Product : Fedora 43
Version : 8.4.10
Release : 1.fc43
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.
--------------------------------------------------------------------------------
Update Information:
MySQL 8.4.10
Release notes:
https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-10.html
Upstream changelog:
https://dev.mysql.com/doc/relnotes/mysql/8.4/en/
Oracle Critical Security Patch Update - June 2026:
https://www.oracle.com/security-alerts/cspujun2026.html#AppendixMSQL
CVE-2026-46863 (CVSS 7.5) - Server: Connection Handling
The only CVE from the June 2026 CPU affecting the 'mysql8.4' package.
Remotely exploitable without authentication (DoS).
The remaining 7 CVEs affect MySQL Shell (VS Code extension),
MySQL Router, and NDB Cluster Operator, none of which are built
or shipped by this package.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Michal Schorm [mschorm@redhat.com] - 8.4.10-1
- Rebase to 8.4.10
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2489372 - mysql8.4-8.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2489372
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-280245e2ea' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: 7zip-26.02-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-948b74882b
2026-07-03 00:54:50.177281+00:00
--------------------------------------------------------------------------------
Name : 7zip
Product : Fedora 44
Version : 26.02
Release : 1.fc44
URL : https://7-zip.org
Summary : A file archiver
Description :
7-Zip is a file archiver with a high compression ratio. The main features
of 7-Zip are:
* High compression ratio in 7z format with LZMA and LZMA2 compression
* Supported formats:
* Packing / unpacking: 7z, XZ, BZIP2, GZIP, TAR, ZIP and WIM
* Unpacking only: AR, ARJ, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT,
GPT, HFS, IHEX, ISO, LZH, LZMA, MBR, MSI, NSIS, NTFS, QCOW2,
RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK, WIM, XAR and Z.
* For ZIP and GZIP formats, 7-Zip provides a compression ratio that is
2-10 % better than the ratio provided by PKZip and WinZip
* Strong AES-256 encryption in 7z and ZIP formats
* Powerful command line version
--------------------------------------------------------------------------------
Update Information:
7-zip 26.02
Some bugs and vulnerabilities were fixed.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 1 2026 Michel Lind [salimma@fedoraproject.org] - 26.02-1
- Update to version 26.02; Resolves: rhbz#2493347
* Wed Jul 1 2026 Michel Lind [salimma@fedoraproject.org] - 26.01-2
- Load 7z.so from a fixed libexec path instead of deriving it from argv[0]
- Resolves: rhbz#2491337
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2491337 - 7-zip under the root account cannot extract RAR archives
https://bugzilla.redhat.com/show_bug.cgi?id=2491337
[ 2 ] Bug #2493347 - 7zip-26.02 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2493347
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-948b74882b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: nmap-7.92-11.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3b30fa1da4
2026-07-03 00:54:50.177274+00:00
--------------------------------------------------------------------------------
Name : nmap
Product : Fedora 44
Version : 7.92
Release : 11.fc44
URL : http://nmap.org/
Summary : Network exploration tool and security scanner
Description :
Nmap is a utility for network exploration or security auditing. It supports
ping scanning (determine which hosts are up), many port scanning techniques
(determine what services the hosts are offering), and TCP/IP fingerprinting
(remote host operating system identification). Nmap also offers flexible target
and port specification, decoy scanning, determination of TCP sequence
predictability characteristics, reverse-identd scanning, and more. In addition
to the classic command-line nmap executable, the Nmap suite includes a flexible
data transfer, redirection, and debugging tool (netcat utility ncat), a utility
for comparing scan results (ndiff), and a packet generation and response
analysis tool (nping).
--------------------------------------------------------------------------------
Update Information:
Fix CVE-2026-58058 (rhbz#2494410)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 30 2026 Martin Osvald [mosvald@redhat.com] - 4:7.92-11
- Fix CVE-2026-58058 (rhbz#2494410)
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 4:7.92-10
- Rebuilt for openssl 4.0
* Mon May 4 2026 Pavol Žáčik [pzacik@redhat.com] - 4:7.92-9
- Add patch to fix OpenSSL 4.0 compatibility
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2494410 - CVE-2026-58058 nmap: Nmap: Denial of Service via crafted IPv6 response [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494410
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3b30fa1da4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: apptainer-1.5.2-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ca1825e29e
2026-07-03 00:54:50.177247+00:00
--------------------------------------------------------------------------------
Name : apptainer
Product : Fedora 44
Version : 1.5.2
Release : 1.fc44
URL : https://apptainer.org
Summary : Application and environment virtualization formerly known as Singularity
Description :
Apptainer provides functionality to make portable
containers that can be used across host environments.
--------------------------------------------------------------------------------
Update Information:
Update to upstream 1.5.2. Also fixes CVE-2026-27145 because golang was new
enough.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Dave Dykstra [dwd@cern.ch] - 1.5.2
- Update to upstream 1.5.2
* Mon Jun 22 2026 Dave Dykstra [dwd@cern.ch] - 1.5.1-2
- Rebuild after applying patch to skip PRoot on x86_64 f45.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2437258 - Apptainer is compiled without FIPS support
https://bugzilla.redhat.com/show_bug.cgi?id=2437258
[ 2 ] Bug #2489307 - Apptainer persistently segfaults during SIF file compression using mksquashfs
https://bugzilla.redhat.com/show_bug.cgi?id=2489307
[ 3 ] Bug #2494375 - CVE-2026-27145 apptainer: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494375
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ca1825e29e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: cpp-httplib-0.48.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1b15ac058b
2026-07-03 00:54:50.177237+00:00
--------------------------------------------------------------------------------
Name : cpp-httplib
Product : Fedora 44
Version : 0.48.0
Release : 1.fc44
URL : https://github.com/yhirose/cpp-httplib
Summary : A C++11 single-file header-only cross platform HTTP/HTTPS library
Description :
A C++11 single-file header-only cross platform HTTP/HTTPS library.
It's extremely easy to setup. Just include the httplib.h file in your code!
--------------------------------------------------------------------------------
Update Information:
Update to 0.48.0 (rhbz#2481109)
Security fixes
- Complete the IP-host certificate identity fix from v0.47.0 for the
  Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated
  only via a matching iPAddress SAN, never via the certificate's Common
  Name (RFC 9110), matching what the OpenSSL backend already enforces
  through X509_check_ip. Previously these backends fell back to the CN
  when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte)
  iPAddress SANs are matched as well, and the CN fallback is skipped for
  both IPv4 and IPv6 literal hosts (#2476)
Improvements
- Replace the strtod-based from_chars for double with a hand-written,
  locale-independent parser. The only double parsed by the library is the
  HTTP quality value; strtod reads the decimal separator from the global C
  locale, so an embedder calling setlocale(LC_ALL, "") into a
  comma-decimal locale would mis-parse q-values. The new parser always
  treats . as the decimal separator and is allocation-free (Fix #2475)
- Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the
  thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the
  subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry()
  instead of the deprecated X509_STORE_get0_objects() and
  X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep
  using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2,
  and 3.0
Behavior changes
- decode_query_component() now uses strict hex parsing for
  percent-escapes, consistent with decode_uri_component() and
  decode_path_component(). A % followed by non-hex characters (e.g. a sign
  or whitespace such as %-1, %+5, % 5) is passed through literally instead
  of being accepted as a valid escape (#2472)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0
Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352)
Security fixes
- Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed
  TLS and wolfSSL backends: with server certificate verification enabled,
  SSLClient skipped chain validation entirely (any untrusted certificate with a
  matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped
  verification altogether. Chain verification now stays enabled for IP hosts, and
  certificate identity is verified post-handshake against IP SANs on all backends.
  SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066
  (CVE-2026-54919)
New features
- Add Server::set_start_handler(): a callback invoked when the server is ready to
  accept connections, useful when running the server in a background thread
  (#2467)
- Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading
  system CA certificates alongside a custom CA. The default is unchanged: a custom
  CA remains exclusive. The setting carries over to clients created for HTTPS
  redirects (#2471)
- Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address
  while keeping the original hostname for the handshake and certificate
  verification (#2463)
Behavior changes
- The request body is now read after route matching and the pre-request handler,
  so both the regular handler and ContentReader paths behave the same: route
  matching → pre-request handler → body read → handler. A request rejected by the
  pre-request handler (e.g. failed per-route authentication via req.matched_route)
  no longer buffers the body at all. Note: code that referenced req.body or
  body-derived form fields inside the pre-request handler will now see an empty body;
  inspect headers, path, query parameters, or matched_route instead
- WebSocketClient with a custom CA no longer merges system CA certificates (it
  previously always merged them). This matches SSLClient behavior; call
  enable_system_ca(true) to load system CA certificates alongside the custom CA
- Range request headers are now ignored for streaming responses of unknown length
  instead of producing an invalid response (#2465)
Bug fixes
- Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA
  certificates were silently merged into the user-provided store, broadening the
  trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates
  over to clients created for HTTPS redirects
- Fix WebSocketClient dropping the query string from the URL during the upgrade
  handshake, so query parameters (e.g. auth tokens) are sent (#2468)
- Fix a use-after-free when reconnecting a WebSocketClient after
  set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL
  set_ca_cert_store() backends
- Fix MSVC warning C4309 (truncation of constant value) in SHA padding code
  (#2464)
- Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid
  undefined behavior with negative char values (#2469)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 24 2026 Petr Menšík [pemensik@redhat.com] - 0.48.0-1
- Update to 0.48.0 (rhbz#2481109)
* Wed Jun 24 2026 Petr Menšík [pemensik@redhat.com] - 0.47.0-1
- Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372,
CVE-2026-45352)
* Tue May 19 2026 Petr Menšík [pemensik@redhat.com] - 0.45.0-1
- Update to 0.45.0 (rhbz#2450591)
* Fri Mar 27 2026 Petr Menšík [pemensik@redhat.com] - 0.39.0-1
- Update to 0.39.0 (rhbz#2450591)
* Fri Mar 27 2026 Petr Menšík [pemensik@redhat.com] - 0.38.0-3
- Record upstream tag format in spec
* Mon Mar 23 2026 Petr Menšík [pemensik@redhat.com] - 0.38.0-2
- Helper definitions of upstream and signed files
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2452170 - CVE-2026-33745 cpp-httplib: cpp-httplib: Information disclosure of credentials via cross-origin HTTP redirects [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2452170
[ 2 ] Bug #2481109 - cpp-httplib-0.48.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2481109
[ 3 ] Bug #2483726 - CVE-2026-46527 cpp-httplib: cpp-httplib: Denial of Service via malformed X-Forwarded-For header [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2483726
[ 4 ] Bug #2483733 - CVE-2026-45372 cpp-httplib: cpp-httplib: Arbitrary code execution via improper HTTP header processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2483733
[ 5 ] Bug #2483736 - CVE-2026-45352 cpp-httplib: cpp-httplib: Denial of Service due to unbounded memory allocation via negative chunk-size [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2483736
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1b15ac058b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: mysql8.4-8.4.10-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8c7f5e32c5
2026-07-03 00:54:50.177215+00:00
--------------------------------------------------------------------------------
Name : mysql8.4
Product : Fedora 44
Version : 8.4.10
Release : 1.fc44
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.
--------------------------------------------------------------------------------
Update Information:
MySQL 8.4.10
Release notes:
https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-10.html
Upstream changelog:
https://dev.mysql.com/doc/relnotes/mysql/8.4/en/
Oracle Critical Security Patch Update - June 2026:
https://www.oracle.com/security-alerts/cspujun2026.html#AppendixMSQL
CVE-2026-46863 (CVSS 7.5) - Server: Connection Handling
The only CVE from the June 2026 CPU affecting the 'mysql8.4' package.
Remotely exploitable without authentication (DoS).
The remaining 7 CVEs affect MySQL Shell (VS Code extension),
MySQL Router, and NDB Cluster Operator, none of which are built
or shipped by this package.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Michal Schorm [mschorm@redhat.com] - 8.4.10-1
- Rebase to 8.4.10
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 8.4.9-4
- Rebuilt for openssl 4.0
* Mon Jun 8 2026 František Zatloukal [fzatlouk@redhat.com] - 8.4.9-3
- Rebuilt for icu 78.3
* Wed May 13 2026 Pavol Sloboda [psloboda@redhat.com] - 8.4.9-2
- Bump release for openssl4 fixup
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2489372 - mysql8.4-8.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2489372
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8c7f5e32c5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------