Hi,

I’m not sure whether debian-lts@ is the right place for a Jessie ELTS regression; please redirect me if there is a better Freexian ELTS contact.

After upgrading Jessie ELTS curl/libcurl from 7.38.0-4+deb8u28 to
7.38.0-4+deb8u29, curl rejects valid wildcard SAN certificates.

Package:
curl 7.38.0-4+deb8u29
libcurl3 7.38.0-4+deb8u29
OpenSSL 1.0.1t-1+deb8u22

Repro:
$ curl -vI https://api.github.com/

Actual:
subject: CN=*.github.com
subjectAltName does not match api.github.com
curl: (51) SSL: no alternative certificate subject name matches target host name 'api.github.com'

Expected:
*.github.com should match api.github.com.

Another repro:
$ curl -vI https://downloads.wordpress.org/

Actual:
cert SAN includes DNS:*.wordpress.org, DNS:wordpress.org
curl rejects downloads.wordpress.org.

Control:
$ curl -vI https://www.google.com/
works because the SAN is exact, not wildcard.

The changelog for 7.38.0-4+deb8u29 includes:
CVE-2023-28321.patch: IDN wildcard match

This looks like a regression in the CVE-2023-28321 backport.

Best Regards
Sune
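For anyone triaging this report, the following is an added example (not curl's code and not the reporter's) of the wildcard SAN matching rules that a correct backport should preserve: a wildcard may only be the entire leftmost label, it matches exactly one label, the pattern must carry at least two more labels so that `*.com` is never accepted, and wildcards never match IP address literals. The SAN lists and hostnames below are constructed from the certificates quoted in the mail, and `san_matches`, `cert_matches_host` and `looks_like_ipv4` are hypothetical names. The regression in the mail (`*.github.com` failing to match `api.github.com`) is exactly the case the first assertion in `main` covers, so this serves as a small regression check against a rebuilt libcurl's behaviour.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DNS names are case-insensitive, so compare without regard to case. */
static bool eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Constructed heuristic (hypothetical helper): digits and dots only. */
bool looks_like_ipv4(const char *h) {
    bool digit_seen = false;
    for (; *h; h++) {
        if (isdigit((unsigned char)*h)) digit_seen = true;
        else if (*h != '.') return false;
    }
    return digit_seen;
}

/* Does one SAN dNSName entry (possibly a wildcard) match the target host? */
bool san_matches(const char *pattern, const char *host) {
    const char *star = strchr(pattern, '*');
    if (!star)                       /* plain entry: exact match only */
        return eq_nocase(pattern, host);

    /* Exactly one '*', and it must be the whole leftmost label ("*.") */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return false;

    const char *suffix = pattern + 1;        /* e.g. ".github.com" */

    /* Require at least two labels after the wildcard: reject "*.com" */
    int dots = 0;
    for (const char *p = suffix; *p; p++)
        if (*p == '.') dots++;
    if (dots < 2)
        return false;

    /* Wildcards never match IP address literals */
    if (looks_like_ipv4(host))
        return false;

    /* The wildcard consumes exactly one non-empty label; the rest must
       equal the pattern's suffix, so "a.b.github.com" does not match. */
    const char *hdot = strchr(host, '.');
    if (!hdot || hdot == host)
        return false;
    return eq_nocase(hdot, suffix);
}

/* Accept the host if any SAN entry matches it. */
bool cert_matches_host(const char *const *sans, size_t n, const char *host) {
    for (size_t i = 0; i < n; i++)
        if (san_matches(sans[i], host))
            return true;
    return false;
}

int main(void) {
    /* Constructed SAN lists mirroring the certificates quoted in the mail */
    const char *const github_sans[] = { "*.github.com", "github.com" };
    const char *const wp_sans[] = { "*.wordpress.org", "wordpress.org" };

    struct { const char *const *sans; size_t n; const char *host; bool want; } cases[] = {
        { github_sans, 2, "api.github.com",          true  },  /* the regression */
        { wp_sans,     2, "downloads.wordpress.org", true  },
        { wp_sans,     2, "wordpress.org",           true  },
        { github_sans, 2, "a.b.github.com",          false },  /* one label only */
        { github_sans, 2, "evil.com",                false },
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool got = cert_matches_host(cases[i].sans, cases[i].n, cases[i].host);
        printf("%-26s %s\n", cases[i].host, got == cases[i].want ? "ok" : "MISMATCH");
        if (got != cases[i].want) failures++;
    }
    return failures ? 1 : 0;
}
```

Running the same hostnames through the installed `curl -vI` against the two endpoints in the mail and comparing with this table is a quick way to confirm whether a rebuilt deb8u29 package has restored wildcard matching.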
