Hi,

According to:
https://wiki.debian.org/LTS/Extended
jessie is fully out of support since June 2025.

Consequently there won't be any further update to jessie.

Sylvain Beucler
Debian LTS Team

On 04/05/2026 21:07, sunebeck wrote:
I’m not sure whether debian-lts@ is the right place for a Jessie ELTS regression;
please redirect me if there is a better Freexian ELTS contact.

After upgrading Jessie ELTS curl/libcurl from 7.38.0-4+deb8u28 to 7.38.0-4+deb8u29, curl rejects valid wildcard SAN certificates.

Package:
curl 7.38.0-4+deb8u29
libcurl3 7.38.0-4+deb8u29
OpenSSL 1.0.1t-1+deb8u22

Repro:
$ curl -vI https://api.github.com/

Actual:
subject: CN=*.github.com
subjectAltName does not match api.github.com
curl: (51) SSL: no alternative certificate subject name matches target host name 'api.github.com'

Expected:
*.github.com should match api.github.com.

Another repro:
$ curl -vI https://downloads.wordpress.org/

Actual:
cert SAN includes DNS:*.wordpress.org, DNS:wordpress.org
curl rejects downloads.wordpress.org.

Control:
$ curl -vI https://www.google.com/
works because the SAN is exact, not wildcard.

The changelog for 7.38.0-4+deb8u29 includes:
CVE-2023-28321.patch: IDN wildcard match

This looks like a regression in the CVE-2023-28321 backport.
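
The matching the report expects, written out as a small C checker so the names above can be tested without a TLS stack. This is an added example, not part of the thread and not curl's code; the function name san_matches and the rule set (RFC 6125 style) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not curl's source. Assumed rules (RFC 6125 style):
 * case-insensitive compare; "*" is honoured only as the entire left-most
 * label; it stands for exactly one label; the pattern must keep at least
 * two labels after the wildcard, so "*.com" is refused.
 * Assumes host is a DNS name, not an IP literal. Returns 1 on match. */
int san_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    const char *star = strchr(pattern, '*');
    if (!star)                                  /* no wildcard: exact name */
        return strcasecmp(pattern, host) == 0;
    if (star != pattern || pattern[1] != '.')   /* "x*.", "*x.", "a.*.b" */
        return 0;
    const char *suffix = pattern + 1;           /* e.g. ".github.com" */
    if (strchr(suffix, '*'))                    /* a second wildcard */
        return 0;
    if (!strchr(suffix + 1, '.'))               /* "*.com" is too broad */
        return 0;
    const char *rest = strchr(host, '.');       /* host minus first label */
    if (!rest || rest == host)
        return 0;
    return strcasecmp(suffix, rest) == 0;
}

int main(void)
{
    /* First three pairs come from the report; the rest are constructed. */
    static const char *cases[][2] = {
        {"*.github.com",    "api.github.com"},
        {"*.wordpress.org", "downloads.wordpress.org"},
        {"wordpress.org",   "wordpress.org"},
        {"*.github.com",    "github.com"},
        {"*.github.com",    "a.b.github.com"},
        {"x*.example.com",  "xn--caf-dma.example.com"},
        {"*.com",           "github.com"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-26s -> %s\n", cases[i][0], cases[i][1],
               san_matches(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

A matcher that returns "no match" for the first two pairs is stricter than these rules; one that returns "match" for the partial-label pattern is looser.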
