Hi, I’m not sure whether debian-lts@ is the right place for a Jessie ELTS regression; please redirect me if there is a better Freexian ELTS contact.
After upgrading Jessie ELTS curl/libcurl from 7.38.0-4+deb8u28 to 7.38.0-4+deb8u29, curl rejects valid wildcard SAN certificates.

Package:
  curl 7.38.0-4+deb8u29
  libcurl3 7.38.0-4+deb8u29
  OpenSSL 1.0.1t-1+deb8u22

Repro:
  $ curl -vI https://api.github.com/

Actual:
  subject: CN=*.github.com
  subjectAltName does not match api.github.com
  curl: (51) SSL: no alternative certificate subject name matches target host name 'api.github.com'

Expected:
  *.github.com should match api.github.com.

Another repro:
  $ curl -vI https://downloads.wordpress.org/

Actual:
  cert SAN includes DNS:*.wordpress.org, DNS:wordpress.org
  curl rejects downloads.wordpress.org.

Control:
  $ curl -vI https://www.google.com/
  works because the SAN is exact, not wildcard.

The changelog for 7.38.0-4+deb8u29 includes:
  CVE-2023-28321.patch: IDN wildcard match

This looks like a regression in the CVE-2023-28321 backport.

Best Regards
Sune
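For readers triaging the report, here is a small reference matcher that shows what the expected behaviour above looks like when written out. This is an added example, not code from the report, from curl, or from the Debian patch; the function name hostmatch, the test hostnames and the rule set are mine. The rules follow RFC 6125 section 6.4.3 (wildcard only as the whole left-most label, same label count, at least two labels after the wildcard) plus one conservative assumption: a wildcard never stands in for an A-label (a left-most label beginning with "xn--"), which is the kind of IDN restriction a CVE-2023-28321 fix is meant to add without breaking plain ASCII wildcard names such as *.github.com.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of two byte ranges of the same length. */
static int label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Count dot-separated labels; returns 0 if the string is empty or any label is empty. */
static int count_labels(const char *s)
{
    int n = 0;
    const char *p = s;
    if (*s == '\0')
        return 0;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0)
            return 0;
        n++;
        if (!dot)
            return n;
        p = dot + 1;
    }
}

/* Returns 1 if the certificate name `pattern` covers `host`, 0 otherwise.
   Hypothetical helper written for this example; not curl's hostcheck code. */
int hostmatch(const char *host, const char *pattern)
{
    size_t hlen = strlen(host), plen = strlen(pattern);
    const char *star = strchr(pattern, '*');
    const char *hdot;

    if (count_labels(host) == 0 || count_labels(pattern) == 0)
        return 0;

    /* Exact (non-wildcard) name: whole-string case-insensitive equality. */
    if (!star)
        return hlen == plen && label_eq(host, pattern, hlen);

    /* The wildcard must be the entire left-most label ("*.example.com"):
       no "api.*.com", no "a*.example.com", no second '*'. */
    if (star != pattern || plen < 2 || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;

    /* The part after "*." must itself be at least two labels, so "*.com"
       never matches anything. */
    if (count_labels(pattern + 2) < 2)
        return 0;

    /* Same label count, so "*.github.com" covers neither "github.com"
       nor "a.b.github.com". */
    if (count_labels(host) != count_labels(pattern))
        return 0;

    /* Assumed IDN rule: a wildcard does not stand in for an A-label. */
    if (hlen >= 4 && label_eq(host, "xn--", 4))
        return 0;

    /* Everything after the host's first label must equal the pattern after "*.". */
    hdot = strchr(host, '.');  /* present: host has at least three labels here */
    return strlen(hdot + 1) == plen - 2 && label_eq(hdot + 1, pattern + 2, plen - 2);
}

int main(void)
{
    /* Constructed cases mirroring the report: the first two are the names the
       deb8u29 build rejected and must match; the rest must not. */
    printf("api.github.com vs *.github.com: %d\n",
           hostmatch("api.github.com", "*.github.com"));
    printf("downloads.wordpress.org vs *.wordpress.org: %d\n",
           hostmatch("downloads.wordpress.org", "*.wordpress.org"));
    printf("www.google.com vs www.google.com: %d\n",
           hostmatch("www.google.com", "www.google.com"));
    printf("github.com vs *.github.com: %d\n",
           hostmatch("github.com", "*.github.com"));
    printf("example.com vs *.com: %d\n",
           hostmatch("example.com", "*.com"));
    printf("xn--bcher-kva.github.com vs *.github.com: %d\n",
           hostmatch("xn--bcher-kva.github.com", "*.github.com"));
    return 0;
}
```

Running the report's two hostnames through a matcher like this is a quick way to separate "the backport tightened IDN handling" from "the backport broke every wildcard": the first two calls must return 1 on a correct build, and only the xn-- case should be affected by an IDN-specific change.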
