Can't run curl on ubuntu:latest docker image with some https urls – SSL: no alternative certificate subject name matches target host name

Today I found that curl stopped recognizing some SSL certificates as valid ones, despite the fact that Firefox and wget are able to handle them properly, as is openssl's s_client.

In order to reproduce it:

  1. docker run -it ubuntu:latest /bin/bash
  2. And then, in the in-container bash: apt update && apt install curl ca-certificates -y -qq && curl -I -vvv https://google.com && curl -I -vvv https://download.docker.com

For google.com it works as expected (I've cut out the non-interesting stuff):


/stuff here/
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.google.com
*  start date: Jul  3 08:19:15 2023 GMT
*  expire date: Sep 25 08:19:14 2023 GMT
*  subjectAltName: host "google.com" matched cert's "google.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x561f0ab84e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/2
> Host: google.com
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
< HTTP/2 301 
HTTP/2 301
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-rYqyrna6LnqByUwO50wixQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-rYqyrna6LnqByUwO50wixQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Wed, 19 Jul 2023 18:33:24 GMT
date: Wed, 19 Jul 2023 18:33:24 GMT
< expires: Wed, 19 Jul 2023 18:33:24 GMT
expires: Wed, 19 Jul 2023 18:33:24 GMT
< cache-control: private, max-age=2592000
cache-control: private, max-age=2592000
/rest here/

For download.docker.com:

 
* Connected to download.docker.com (18.66.26.34) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Feb 22 00:00:00 2023 GMT
*  expire date: Nov 30 23:59:59 2023 GMT
*  subjectAltName does not match download.docker.com
* SSL: no alternative certificate subject name matches target host name 'download.docker.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'download.docker.com'
More details here: https://curl.se/docs/sslcerts.html

Meanwhile openssl s_client runs OK in the same container:

root@e4fec8ad4adf:/# openssl s_client -connect download.docker.com:443
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = *.docker.com
verify return:1
---
Certificate chain
 0 s:CN = *.docker.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 22 00:00:00 2023 GMT; NotAfter: Nov 30 23:59:59 2023 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = *.docker.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5632 bytes and written 385 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: B273720D995A9494B0393E22D63D265CDFFAEC69975BA108C90B600794789CC6
    Session-ID-ctx: 
    Resumption PSK: E2F2056DF95274055C7646F88CE444BF83941BED39D3C8FAF3CC27D94375AEFE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 31 36 38 39 37 36 33 39-33 31 30 30 30 00 00 00   1689763931000...
    0010 - 12 8f d8 f7 a4 55 0a c3-cf 63 5b 34 d5 ff 62 d9   .....U...c[4..b.
    0020 - 6a 34 54 ef 99 d6 9f f2-e0 34 14 3d 9a 29 3f 04   j4T......4.=.)?.
    0030 - e8 3d d1 b4 48 13 1c 2b-19 88 7c ab 5b 0d 20 98   .=..H..+..|.[. .
    0040 - 9d 78 88 79 d1 32 18 8b-1f c7 12 eb 40 6f 14 ce   .x.y.2......@o..
    0050 - 4c 5a 7a cb 95 16 85 c6-b8 e1 06 9e e7 9c 13 a1   LZz.............
    0060 - f9 70 65 e8 e2 e2 83 91-16                        .pe......
 
    Start Time: 1689792073
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
asdf
HTTP/1.1 400 Bad Request
Server: CloudFront
Date: Wed, 19 Jul 2023 18:41:55 GMT
Content-Type: text/html
Content-Length: 915
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 eadf79e9c2d5c2d1c323c9bb914a92d4.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR61-P2
X-Amz-Cf-Id: dTRRSDK4LH1iDVJMsgMiIxNY8yl19xFmDAYzM7cRFgDg5GE_04Nbrg==
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>400 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: dTRRSDK4LH1iDVJMsgMiIxNY8yl19xFmDAYzM7cRFgDg5GE_04Nbrg==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>802B2B66CB7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:

And for the sake of completeness, here is the curl --insecure output.

root@e4fec8ad4adf:/# curl --insecure -I -vvv https://download.docker.com
*   Trying 108.138.51.102:443...
* Connected to download.docker.com (108.138.51.102) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Feb 22 00:00:00 2023 GMT
*  expire date: Nov 30 23:59:59 2023 GMT
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x558f43654e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/2
> Host: download.docker.com
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
HTTP/2 200 
< content-type: text/html
content-type: text/html
< content-length: 223
content-length: 223
< date: Wed, 19 Jul 2023 02:52:10 GMT
date: Wed, 19 Jul 2023 02:52:10 GMT
< last-modified: Fri, 07 Jul 2023 20:46:33 GMT
last-modified: Fri, 07 Jul 2023 20:46:33 GMT
< etag: "5a2449544577bdf952c47cdc248220b4"
etag: "5a2449544577bdf952c47cdc248220b4"
< server: AmazonS3
server: AmazonS3
< x-cache: Hit from cloudfront
x-cache: Hit from cloudfront
< via: 1.1 45475ab9ce2a228a3ebbe21b677a304a.cloudfront.net (CloudFront)
via: 1.1 45475ab9ce2a228a3ebbe21b677a304a.cloudfront.net (CloudFront)
< x-amz-cf-pop: WAW51-P2
x-amz-cf-pop: WAW51-P2
< x-amz-cf-id: WUZsGV_LOe8zMns-I68z7MTJ2qpWZP-7uMhrR2uS4ec4DBHq_4tPCw==
x-amz-cf-id: WUZsGV_LOe8zMns-I68z7MTJ2qpWZP-7uMhrR2uS4ec4DBHq_4tPCw==
< age: 58017
age: 58017
 
< 
* Connection #0 to host download.docker.com left intact

Wget works as well

root@e4fec8ad4adf:/# wget https://download.docker.com
--2023-07-19 19:02:01--  https://download.docker.com/
Resolving download.docker.com (download.docker.com)... 108.138.51.126, 108.138.51.60, 108.138.51.102, ...
Connecting to download.docker.com (download.docker.com)|108.138.51.126|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 223 [text/html]
Saving to: 'index.html.1'
 
index.html.1             100%[==================================>]     223  --.-KB/s    in 0s      
 
2023-07-19 19:02:01 (125 MB/s) - 'index.html.1' saved [223/223]

It looks like the problem has only existed since recently. I just (Wednesday, July 19, 2023 ~20:00 CEST) ran apt upgrade and the problem is reproducible on my Ubuntu host as well.

And just to clarify: wget and openssl s_client do work on the host as well.

Interestingly, I ran curl --version on the host BEFORE apt upgrade and I was able to scroll the terminal back to it.
To clarify: apt has shown curl as one of the updated packages.

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.14
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

And it didn't seem to change (below is the post-update curl --version output that I've just copied):

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.14
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

I was also able to reproduce the issue with https://objects.githubusercontent.com.

How do I make curl work in Ubuntu docker containers and on my host without the --insecure flag and without some obscure downgrading (I didn't test downgrading specifically yet)?

> Solution:

There was a broken backport for a security fix which was introduced in an update to curl a few days ago. This bug is about certificate validation when wildcard certificates are used – thus relevant when checking download.docker.com but not when checking google.com.

It should be fixed in 7.81.0-1ubuntu1.13, which fixes 7.81.0-1ubuntu1.11. From https://launchpad.net/ubuntu/jammy/+source/curl/+changelog:

curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium

  * SECURITY REGRESSION: broken ssl cert wildcard handling (LP: #2028170)
    - debian/patches/CVE-2023-28321.patch: fix missing line in backport.

 -- Marc Deslauriers <email address hidden>  Wed, 19 Jul 2023 12:23:36 -0400
curl (7.81.0-1ubuntu1.11) jammy-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
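The wildcard rule the answer refers to, as an added example that is not curl's own lib/hostcheck.c (the function name san_matches and the case list are mine): a dNSName matcher implementing RFC 6125 wildcard handling, so the behaviour seen in the question (*.docker.com must cover download.docker.com; google.com was matched by its plain "google.com" SAN, not by *.google.com) and the cases a correct validator must still refuse can be checked side by side.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
/* Case-insensitive comparison of exactly n bytes. */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}
/* Does the dNSName SAN entry 'pattern' cover 'host'?  Rules follow
 * RFC 6125 section 6.4.3, in the spirit of curl's hostcheck.c:
 *  - no wildcard: exact, case-insensitive match
 *  - "*" must be the entire left-most label: "*.docker.com" is fine,
 *    "down*.docker.com" and "*.*.docker.com" are not
 *  - at least two labels must follow the wildcard, so "*.com" is refused
 *  - "*" stands for exactly one non-empty label: "*.docker.com" matches
 *    "download.docker.com" but neither "docker.com" nor "a.b.docker.com"
 *  - IP literals never match a wildcard */
bool san_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen && pattern[plen - 1] == '.') plen--;   /* drop trailing dot */
    if (hlen && host[hlen - 1] == '.') hlen--;
    const char *star = memchr(pattern, '*', plen);
    if (!star)                                      /* plain dNSName */
        return plen == hlen && ieq(pattern, host, plen);
    if (star != pattern || plen < 2 || pattern[1] != '.')
        return false;                               /* "*" not a whole label */
    const char *suffix = pattern + 1;               /* e.g. ".docker.com" */
    size_t slen = plen - 1;
    if (memchr(suffix + 1, '.', slen - 1) == NULL)  /* fewer than 2 labels */
        return false;
    if (memchr(suffix, '*', slen))                  /* second wildcard */
        return false;
    bool ip_literal = (memchr(host, ':', hlen) != NULL);   /* IPv6 */
    if (!ip_literal) {                              /* IPv4: digits and dots */
        ip_literal = hlen > 0;
        for (size_t i = 0; i < hlen; i++)
            if (!isdigit((unsigned char)host[i]) && host[i] != '.')
                { ip_literal = false; break; }
    }
    if (ip_literal) return false;
    const char *hdot = memchr(host, '.', hlen);     /* end of first label */
    if (!hdot || hdot == host) return false;        /* no label / empty label */
    size_t first = (size_t)(hdot - host);
    return hlen - first == slen && ieq(host + first, suffix, slen);
}
```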