Hi,
According to:
https://wiki.debian.org/LTS/Extended
jessie is fully out of support since June 2025.
Consequently there won't be any further update to jessie.
Sylvain Beucler
Debian LTS Team
On 04/05/2026 21:07, sunebeck wrote:
I’m not sure whether debian-lts@ is the right place for a Jessie ELTS
regression;
please redirect me if there is a better Freexian ELTS contact.
After upgrading Jessie ELTS curl/libcurl from 7.38.0-4+deb8u28 to
7.38.0-4+deb8u29, curl rejects valid wildcard SAN certificates.
Package:
curl 7.38.0-4+deb8u29
libcurl3 7.38.0-4+deb8u29
OpenSSL 1.0.1t-1+deb8u22
Repro:
$ curl -vI https://api.github.com/ <https://api.github.com/>
Actual:
subject: CN=*.github.com <http://github.com>
subjectAltName does not match api.github.com <http://api.github.com>
curl: (51) SSL: no alternative certificate subject name matches target
host name 'api.github.com <http://api.github.com>'
Expected:
*.github.com <http://github.com> should match api.github.com <http://
api.github.com>.
Another repro:
$ curl -vI https://downloads.wordpress.org/ <https://
downloads.wordpress.org/>
Actual:
cert SAN includes DNS:*.wordpress.org <http://wordpress.org>,
DNS:wordpress.org <http://wordpress.org>
curl rejects downloads.wordpress.org <http://downloads.wordpress.org>.
Control:
$ curl -vI https://www.google.com/ <https://www.google.com/> works
because the SAN is exact, not wildcard.
The changelog for 7.38.0-4+deb8u29 includes:
CVE-2023-28321.patch: IDN wildcard match
This looks like a regression in the CVE-2023-28321 backport.