get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/2217778/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2217778,
    "url": "http://patchwork.ozlabs.org/api/patches/2217778/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260330150605.300571-1-titouan.christophe@mind.be/",
    "project": {
        "id": 27,
        "url": "http://patchwork.ozlabs.org/api/projects/27/?format=api",
        "name": "Buildroot development",
        "link_name": "buildroot",
        "list_id": "buildroot.buildroot.org",
        "list_email": "buildroot@buildroot.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260330150605.300571-1-titouan.christophe@mind.be>",
    "list_archive_url": null,
    "date": "2026-03-30T15:06:04",
    "name": "[1/2] package/cpp-httplib: security bump to v0.37.2",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": false,
    "hash": "b6b8c2ef37cf635409ca9e25f39b1e59a85e3303",
    "submitter": {
        "id": 90763,
        "url": "http://patchwork.ozlabs.org/api/people/90763/?format=api",
        "name": "Titouan Christophe",
        "email": "titouan.christophe@mind.be"
    },
    "delegate": {
        "id": 89618,
        "url": "http://patchwork.ozlabs.org/api/users/89618/?format=api",
        "username": "juju",
        "first_name": "Julien",
        "last_name": "Olivain",
        "email": "juju@cotds.org"
    },
    "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260330150605.300571-1-titouan.christophe@mind.be/mbox/",
    "series": [
        {
            "id": 498046,
            "url": "http://patchwork.ozlabs.org/api/series/498046/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=498046",
            "date": "2026-03-30T15:06:04",
            "name": "[1/2] package/cpp-httplib: security bump to v0.37.2",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/498046/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2217778/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2217778/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<buildroot-bounces@buildroot.org>",
        "X-Original-To": [
            "incoming-buildroot@patchwork.ozlabs.org",
            "buildroot@buildroot.org"
        ],
        "Delivered-To": [
            "patchwork-incoming-buildroot@legolas.ozlabs.org",
            "buildroot@buildroot.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=lvAAe4EE;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fkvhn5Mjwz1xtJ\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Tue, 31 Mar 2026 02:06:17 +1100 (AEDT)",
            "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 5493140CB3;\n\tMon, 30 Mar 2026 15:06:16 +0000 (UTC)",
            "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Xp6hRuEJQmF4; Mon, 30 Mar 2026 15:06:15 +0000 (UTC)",
            "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 43AD140C9C;\n\tMon, 30 Mar 2026 15:06:15 +0000 (UTC)",
            "from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n by lists1.osuosl.org (Postfix) with ESMTP id D06351D3\n for <buildroot@buildroot.org>; Mon, 30 Mar 2026 15:06:13 +0000 (UTC)",
            "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id B699A4047A\n for <buildroot@buildroot.org>; Mon, 30 Mar 2026 15:06:13 +0000 (UTC)",
            "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 8hn8Vi11Cfr4 for <buildroot@buildroot.org>;\n Mon, 30 Mar 2026 15:06:12 +0000 (UTC)",
            "from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com\n [IPv6:2a00:1450:4864:20::42c])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 485CC4004E\n for <buildroot@buildroot.org>; Mon, 30 Mar 2026 15:06:11 +0000 (UTC)",
            "by mail-wr1-x42c.google.com with SMTP id\n ffacd0b85a97d-43cfbd17589so1277835f8f.0\n for <buildroot@buildroot.org>; Mon, 30 Mar 2026 08:06:11 -0700 (PDT)",
            "from dragon (ip-94-140-185-241.reverse.destiny.be. [94.140.185.241])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48730688694sm175716085e9.11.2026.03.30.08.06.08\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 30 Mar 2026 08:06:08 -0700 (PDT)"
        ],
        "X-Virus-Scanned": [
            "amavis at osuosl.org",
            "amavis at osuosl.org"
        ],
        "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ",
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 smtp4.osuosl.org 43AD140C9C",
            "OpenDKIM Filter v2.11.0 smtp2.osuosl.org 485CC4004E"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1774883175;\n\tbh=6ECw6dBjn4Z80cNTgJq9p/XNHDJlm1FlKjgwBNuYwuU=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=lvAAe4EEhI8gZfaKVvwimC/6i6c50dJ7+OZkxiJjpNRb4pQPIppN0lbURfmNRwanL\n\t P8BTKu4UEupZGmWQBcwT+kTltMzS38zSwhOIFSSi14v4hPS+5TLsXNaNG/KFIc03N9\n\t PTkNLrjoH/GIZhRelJlGA9LPKiF0LuEBp03MlCzpO6DJj/P+dTsnbTetSeMkqHAMFt\n\t waTjgiUR8Gn5QKtB3kwEtJTTxldnvThmsFBwD+YGfLjkb6ePtE9ERuNhSZfIy42Bxw\n\t hvhzXtxLzMx9KPqrvUXD/hgcxtms40vL1joi6KyyGRruiBz9cIEC962l7cJfTBHW7O\n\t pys2feddh/kCw==",
        "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::42c; helo=mail-wr1-x42c.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>",
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp2.osuosl.org 485CC4004E",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1774883170; x=1775487970;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=Np88fNcdBW/AjO5AvYpDUN6b8WdwZMqV7YqRkpMqSZo=;\n b=O99FT+7CSko7vBQ6HYUPFuMmLYTKgsJIRi98xH3tpHoOKaGw5bp1Tt5/BMLfBvCrtH\n 8Hv7utCKu1XRcvJk6XxHGhGzo0xYHnTXx9frDw4SUZZNw6hu0Yrc40Gy+gchxRUBWuL5\n +Vs8A/rXC4OFzRrhW5w+wG2LK/+J96ehvuPvZE+FfGUZKBBqvaaAfPf8Cf5nvjCWyhoZ\n hyUol838tBJSqYa0dtvofl+88Gb/9URgxnGt0JV0v2qApNRrq1LlLFNh//7QMAOoyQgg\n vwSc8X2cee49El+LY2SV6jq7B1iWBMbUQeW1UJpd4CWzoeubpc127/DSajHuYf9Qxe0T\n nFGw==",
        "X-Gm-Message-State": "AOJu0YzvwiLHZSZ0nL4osJ9b6tLXPqEY4yoRD8H3xbNI2rpuS2Ab/f0I\n 9HoctBm/hraquaDeu71SY8oITrMix5ISwjuGUbfuyBqCpNzp3OyiBZQpOTbC8s6o0DuuayUKbCp\n LHGn4X2M=",
        "X-Gm-Gg": "ATEYQzwxD8bLqWkQUmCPxzTDquGSD+c75Tua3JkzBdc8IOvfv/5VH9Uba3sDBvwZfDV\n x6NR5KnyOH4dkHAs7NQhB93h4XiUFAO3xHbbGDcGMhsrr1Qz4rMVZnjgmznR7HdZIbkuQGZ5Okd\n KB3LMkzZgA3TKHEPGRYp9RVHiWLcQn96dYiJCKyWzW0+ZMQzQOoE4zTgbrsmPDm2NXstCS0E0EM\n KjO8lrOXapUWtkDrkYwt6mPDP5KgAR0Tmtgj7vpDkwACDXQvwwoMmf8qKC/TO28tCTAhXHXrvC8\n RASra1/bX994Xgk2uAy7+oNkFvtN7Lu9lpkEyblwn09KyXJvSTdEy3SY4MRSANcjncGE/EkBY+u\n f+I8Bs6NWW9nn21VXSzxTaiuRjPg4zGpvKHtSGMUlVxcOtjz1z00toE5wbwV3U/3yVDtF+fT4HB\n Q2Vz7BFbRY/NCj++zbEiuibS5wfF63EGdo5RnE5AOPFOmyQsRAKXRBbnT5IyNGz6eBHA==",
        "X-Received": "by 2002:a05:600c:6386:b0:485:3ff1:d5ed with SMTP id\n 5b1f17b1804b1-48727ee5720mr206395705e9.1.1774883169430;\n Mon, 30 Mar 2026 08:06:09 -0700 (PDT)",
        "To": "buildroot@buildroot.org",
        "Cc": "Aleksandr Makarov <aleksandr.o.makarov@gmail.com>",
        "Date": "Mon, 30 Mar 2026 17:06:04 +0200",
        "Message-ID": "<20260330150605.300571-1-titouan.christophe@mind.be>",
        "X-Mailer": "git-send-email 2.53.0",
        "MIME-Version": "1.0",
        "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1774883170; x=1775487970; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=Np88fNcdBW/AjO5AvYpDUN6b8WdwZMqV7YqRkpMqSZo=;\n b=Lf79Fa1bG0eOJlCAMCNAYfEHO2WAP6M2y9hlvEtJfgwSDJ8lGc4O2scdj0TXj4l/Ad\n Xj037ft3OcT2Oybo7ohZzpNXV0b+BT09iCPS+eJtEkQa9OLbH+SLuCheTMulwgFiRICF\n zIJ/IMeCRaMJKpd2PELPigSI4/hWEBblzyyUPNGh4xVAEqafNiwafd3VL97atvmuT/cF\n M3Ssk5/MDGSNPPvG0TajkRCtACyTQTJRh2UhzfVAgm9z/Yjr082Rr1yDc1zm+QuUrgkQ\n soycXibdqTdWhgM8SvHlV2wL3n3b/u/meecmOslFUG97fk9xzBCCMYggb4pflvxk3ydZ\n VAvg==",
        "X-Mailman-Original-Authentication-Results": [
            "smtp2.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be",
            "smtp2.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=Lf79Fa1b"
        ],
        "Subject": "[Buildroot] [PATCH 1/2] package/cpp-httplib: security bump to\n v0.37.2",
        "X-BeenThere": "buildroot@buildroot.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>",
        "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>",
        "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>",
        "List-Post": "<mailto:buildroot@buildroot.org>",
        "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>",
        "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>",
        "From": "Titouan Christophe via buildroot <buildroot@buildroot.org>",
        "Reply-To": "Titouan Christophe <titouan.christophe@mind.be>",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "buildroot-bounces@buildroot.org",
        "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>"
    },
    "content": "See the release notes of intermediate versions:\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.28.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.29.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.1\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.2\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.31.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.32.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.33.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.33.1\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.34.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.35.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.36.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.1\n- https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2\n\nThis fixes numerous vulnerabilities:\n\n- CVE-2026-21428:\n    cpp-httplib is a C++11 single-file header-only cross platform\n    HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers``\n    function does not check for CR & LF characters in user supplied\n    headers, allowing untrusted header value to escape header lines. This\n    vulnerability allows attackers to add extra headers, modify request\n    body unexpectedly & trigger an SSRF attack. When combined with a\n    server that supports http1.1 pipelining (springboot, python twisted\n    etc), this can be used for server side request forgery (SSRF). Version\n    0.30.0 fixes this issue.\n    https://www.cve.org/CVERecord?id=CVE-2026-21428\n\n- CVE-2026-22776:\n    cpp-httplib is a C++11 single-file header-only cross platform\n    HTTP/HTTPS library. 
Prior to version 0.30.1, a Denial of Service (DoS)\n    vulnerability exists in cpp-httplib due to the unsafe handling of\n    compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The\n    library validates the payload_max_length against the compressed data\n    size received from the network, but does not limit the size of the\n    decompressed data stored in memory.\n    https://www.cve.org/CVERecord?id=CVE-2026-22776\n\n- CVE-2026-28434:\n    cpp-httplib is a C++11 single-file header-only cross platform\n    HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a\n    C++ exception and the application has not registered a custom\n    exception handler via set_exception_handler(), the library catches the\n    exception and writes its message directly into the HTTP response as a\n    header named EXCEPTION_WHAT. This header is sent to whoever made the\n    request, with no authentication check and no special configuration\n    required to trigger it. The behavior is on by default. A developer who\n    does not know to opt in to set_exception_handler() will ship a server\n    that leaks internal exception messages to any client. This\n    vulnerability is fixed in 0.35.0.\n    https://www.cve.org/CVERecord?id=CVE-2026-28434\n\n- CVE-2026-28435:\n    cpp-httplib is a C++11 single-file header-only cross platform\n    HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not\n    enforce Server::set_payload_max_length() on the decompressed request\n    body when using HandlerWithContentReader (streaming ContentReader)\n    with Content-Encoding: gzip (or other supported encodings). A small\n    compressed payload can expand beyond the configured payload limit and\n    be processed by the application, enabling a payload size limit bypass\n    and potential denial of service (CPU/memory exhaustion). 
This\n    vulnerability is fixed in 0.35.0.\n    https://www.cve.org/CVERecord?id=CVE-2026-28435\n\n- CVE-2026-29076:\n    cpp-httplib is a C++11 single-file header-only cross platform\n    HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses\n    std::regex (libstdc++) to parse RFC 5987 encoded filename* values in\n    multipart Content-Disposition headers. The regex engine in libstdc++\n    implements backtracking via deep recursion, consuming one stack frame\n    per input character. An attacker can send a single HTTP POST request\n    with a crafted filename* parameter that causes uncontrolled stack\n    growth, resulting in a stack overflow (SIGSEGV) that crashes the\n    server process. This issue has been patched in version 0.37.0.\n    https://www.cve.org/CVERecord?id=CVE-2026-29076\n\n- CVE-2026-31870:\n    cpp-httplib is a C++11 single-file header-only cross platform\n    HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses\n    the streaming API (httplib::stream::Get, httplib::stream::Post, etc.),\n    the library calls std::stoull() directly on the Content-Length header\n    value received from the server with no input validation and no\n    exception handling. std::stoull throws std::invalid_argument for non-\n    numeric strings and std::out_of_range for values exceeding ULLONG_MAX.\n    Since nothing catches these exceptions, the C++ runtime calls\n    std::terminate(), which kills the process with SIGABRT. Any server the\n    client connects to — including servers reached via HTTP redirects,\n    third-party APIs, or man-in-the-middle positions can crash the client\n    application with a single HTTP response. No authentication is\n    required. No interaction from the end user is required. The crash is\n    deterministic and immediate. 
This vulnerability is fixed in 0.37.1.\n    https://www.cve.org/CVERecord?id=CVE-2026-31870\n\n- CVE-2026-32627:\n    cpp-httplib is a C++11 single-file header-only cross platform\n    HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is\n    configured with a proxy and set_follow_location(true), any HTTPS\n    redirect it follows will have TLS certificate and hostname\n    verification silently disabled on the new connection. The client will\n    accept any certificate presented by the redirect target — expired,\n    self-signed, or forged — without raising an error or notifying the\n    application. A network attacker in a position to return a redirect\n    response can fully intercept the follow-up HTTPS connection, including\n    any credentials or session tokens in flight. This vulnerability is\n    fixed in 0.37.2.\n    https://www.cve.org/CVERecord?id=CVE-2026-32627\n\nSigned-off-by: Titouan Christophe <titouan.christophe@mind.be>\n---\n package/cpp-httplib/cpp-httplib.hash | 2 +-\n package/cpp-httplib/cpp-httplib.mk   | 2 +-\n 2 files changed, 2 insertions(+), 2 deletions(-)",
    "diff": "diff --git a/package/cpp-httplib/cpp-httplib.hash b/package/cpp-httplib/cpp-httplib.hash\nindex 904bca6d02..076b30cfa1 100644\n--- a/package/cpp-httplib/cpp-httplib.hash\n+++ b/package/cpp-httplib/cpp-httplib.hash\n@@ -1,3 +1,3 @@\n # Locally computed:\n-sha256  cc57615af359efda816122dcfca37bcbb9f1591396f50a1fd1ad70bbe6050581  cpp-httplib-0.27.0.tar.gz\n+sha256  909766cd7697153c9e588b0f96defe1868b7bb11d94b8d4f0c83bb4875bc9066  cpp-httplib-0.37.2.tar.gz\n sha256  4b45cbe16d7b71b89ae6127e26e0d90a029198ca5e958ad8e3d0b8bbed364d8b  LICENSE\ndiff --git a/package/cpp-httplib/cpp-httplib.mk b/package/cpp-httplib/cpp-httplib.mk\nindex ed5c33d2a5..56e8c27fc4 100644\n--- a/package/cpp-httplib/cpp-httplib.mk\n+++ b/package/cpp-httplib/cpp-httplib.mk\n@@ -4,7 +4,7 @@\n #\n ################################################################################\n \n-CPP_HTTPLIB_VERSION = 0.27.0\n+CPP_HTTPLIB_VERSION = 0.37.2\n CPP_HTTPLIB_SITE = $(call github,yhirose,cpp-httplib,v$(CPP_HTTPLIB_VERSION))\n CPP_HTTPLIB_LICENSE = MIT\n CPP_HTTPLIB_LICENSE_FILES = LICENSE\n",
    "prefixes": [
        "1/2"
    ]
}
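
Review bot: in package/cpp-httplib/cpp-httplib.hash, the new sha256 for cpp-httplib-0.37.2.tar.gz sits under the "# Locally computed:" comment, so nothing in the hunk lets a reviewer cross-check it against an independent source. For a security bump it would help to state in the commit message how the tarball was fetched before hashing, and to confirm that the LICENSE hash, which is carried over unchanged from 0.27.0, still matches the LICENSE file shipped in 0.37.2.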
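
Review bot: in package/cpp-httplib/cpp-httplib.mk, the CPP_HTTPLIB_VERSION line is the only change for a jump from 0.27.0 to 0.37.2, which covers the fifteen releases listed in the commit message. The commit message documents the CVEs fixed but not whether any of those releases changed build requirements or the API seen by packages that depend on cpp-httplib; please confirm that no further change to this file or to dependent packages is needed, and say so in the commit message.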