Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: Generate New Ti...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Minor
Fix Version/s: rhel-9.7
Affects Version/s: rhel-9.6
Component/s: curl
Labels:
- MigratedToJIRA
- fixversion_clear_9.4

Fixed in Build:
curl-7.76.1-32.el9
Regression:
Yes
Severity:
Critical
Keywords:

ZStream
sprint_count:
2

AssignedTeam:
rhel-plumbers
Sub-System Group:

ssg_core_services

Internal Target Milestone:
26
Story Points:
2
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
Plumbers Sprint 2, Plumbers Sprint 3
Release Blocker:
Approved Blocker

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/154075
Test Coverage:

Automated

Release Note Type:
Bug Fix
Release Note Text:

Hide
.The `curl` utility now correctly validates wildcard SSL/TLS certificates

Before this update, an incomplete patch related to hostname wildcard certificate checking caused the certificate validation function (`Curl_cert_hostcheck`) to fail. Consequently, `curl` incorrectly failed to validate wildcard SSL/TLS certificates for certain hostname formats (for example, matching `*.e.llo` against `h.e.llo`), which could prevent secure HTTPS connections.

With this update, the patch for hostname wildcard checking has been completed to ensure proper validation of wildcard patterns according to RFC standards.

As a result, `curl` correctly matches wildcard certificates against all hostname formats, ensuring reliable and secure certificate validation for HTTPS connections.

Show
.The `curl` utility now correctly validates wildcard SSL/TLS certificates Before this update, an incomplete patch related to hostname wildcard certificate checking caused the certificate validation function (`Curl_cert_hostcheck`) to fail. Consequently, `curl` incorrectly failed to validate wildcard SSL/TLS certificates for certain hostname formats (for example, matching `*.e.llo` against `h.e.llo`), which could prevent secure HTTPS connections. With this update, the patch for hostname wildcard checking has been completed to ensure proper validation of wildcard patterns according to RFC standards. As a result, `curl` correctly matches wildcard certificates against all hostname formats, ensuring reliable and secure certificate validation for HTTPS connections.
Release Note Status:
In Progress

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 2237228

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None
Internal Target Milestone numeric:
57,005

Description of problem:
While testing a patch of BZ#2233497 using the upstream unit test 1397 I've discovered that the current patch may be incomplete – the unit1397 test fails without the patch attached.

Version-Release number of selected component (if applicable):
7.76.1-23.el9_2.2 (rhel-9.2)
7.76.1-26 (rhel-9)
7.76.1-23.el9_2.2 (rhel-8.8)

How reproducible:
Always

Steps to Reproduce:
1. Build curl with --enable-debug (triggers unit testing)
2. Wait for unit test 1397 to run.
3. Inspect build log.

Actual results:

test 1397...[Curl_cert_hostcheck unit tests]
../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind1397 ./unit/unit1397 - >log/stdout1397 2>log/stderr1397
CMD (1536): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind1397 ./unit/unit1397 - >log/stdout1397 2>log/stderr1397
unit1397 returned 6, when expecting 0
exit FAILED
== Contents of files in the log/ dir after test 1397
=== Start of file commands.log
../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind1397 ./unit/unit1397 - >log/stdout1397 2>log/stderr1397
=== End of file commands.log
=== Start of file ftpserver.cmd
Testnum 1397
=== End of file ftpserver.cmd
=== Start of file stderr1397
URL: -
HOST: h.e.llo.
PTRN: *.e.llo
did NOT MATCH
HOST: *.e.llo.
PTRN: *.e.llo
did NOT MATCH
HOST: ************.e.llo.
PTRN: *.e.llo
did NOT MATCH
HOST: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.e.llo.
PTRN: *.e.llo
did NOT MATCH
HOST: ��.e.llo.
PTRN: *.e.llo
did NOT MATCH
HOST: h.e.llo
PTRN: *.e.llo.
did NOT MATCH
=== End of file stderr1397

Expected results:
Test passes.

Additional info:

blocks

RHEL-5674 curl: Incomplete patch for host name wildcard checking [rhel-8.8.0.z]

Closed

RHEL-5680 curl: Incomplete patch for host name wildcard checking [8.10.z]

Closed

RHEL-5676 curl: Incomplete patch for host name wildcard checking [9.5.z]

Closed

external trackers

PnT-DevOps Jira RHELPLAN-159450

Red Hat Issue Tracker RHELPLAN-167288

links to

RHBA-2025:154075 curl update

(1 links to)

Assignee:: Jacek Migacz

Reporter:: Stepan Broz

Developer:: Jacek Migacz

QA Contact:: Daniel Rusek

Doc Contact:: Michal Stubna

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Created:: 2023/09/20 7:50 PM

Updated:: 2025/11/05 9:08 AM

Target end:: 2025/08/25

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide