Package: curl
Version: 7.50.1-1
Severity: important

Public key verification fails on many legitimate URLs, one example:

{{{

$ curl -I https://duckduckgo.com
curl: (35) gnutls_handshake() failed: Public key signature verification has failed.

$ curl --version
curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 GnuTLS/3.5.3 zlib/1.2.8 libidn/1.33 libssh2/1.7.0 nghttp2/1.13.0 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets

}}}

It works perfectly if downgraded to 7.38.0-4+deb8u3:

{{{

$ curl -I https://duckduckgo.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Aug 2016 10:03:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5009
Connection: keep-alive
ETag: "57b56e74-1391"
Expires: Thu, 18 Aug 2016 10:03:58 GMT
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes

$ curl --version
curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1t zlib/1.2.8 libidn/1.33 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP

}}}


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages curl depends on:
ii  libc6            2.23-4
ii  libcurl3-gnutls  7.50.1-1
ii  zlib1g           1:1.2.8.dfsg-2+b1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
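
A triage aid for reports like the one above, added here as an example and not part of the original report or of curl: it compares the first line of two `curl --version` banners and lists which linked libraries differ, including the TLS backend. The two banners are copied from the report and joined onto one line; the function names and the list of TLS library names are assumptions of this example, and the list is not exhaustive.

```shell
#!/bin/sh
# First banner lines from the two builds in the report, joined onto one line each.
BANNER_NEW='curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 GnuTLS/3.5.3 zlib/1.2.8 libidn/1.33 libssh2/1.7.0 nghttp2/1.13.0 librtmp/2.3'
BANNER_OLD='curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1t zlib/1.2.8 libidn/1.33 libssh2/1.4.3 librtmp/2.3'

# Print every "name/version" token of a banner, one per line.
components() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep '/'
}

# Print the TLS library token of a banner (assumed, non-exhaustive name list).
tls_backend() {
    components "$1" |
        grep -E '^(OpenSSL|GnuTLS|NSS|LibreSSL|mbedTLS|wolfSSL)/' | head -n 1
}

# Succeed when the two banners name different TLS libraries.
backend_changed() {
    [ "$(tls_backend "$1" | cut -d/ -f1)" != "$(tls_backend "$2" | cut -d/ -f1)" ]
}

# List every library whose version differs between banner $1 (old) and $2 (new).
banner_diff() {
    { components "$1" | sed 's/^/old /'; components "$2" | sed 's/^/new /'; } |
    awk '{
            split($2, p, "/"); seen[p[1]] = 1
            if ($1 == "old") o[p[1]] = p[2]; else n[p[1]] = p[2]
         }
         END {
            for (k in seen) {
                ov = (k in o) ? o[k] : "absent"
                nv = (k in n) ? n[k] : "absent"
                if (ov != nv) printf "%s %s -> %s\n", k, ov, nv
            }
         }' | LC_ALL=C sort
}

echo "old TLS backend: $(tls_backend "$BANNER_OLD")"
echo "new TLS backend: $(tls_backend "$BANNER_NEW")"
if backend_changed "$BANNER_OLD" "$BANNER_NEW"; then
    echo "TLS backend differs between the two builds; compare like with like."
fi
banner_diff "$BANNER_OLD" "$BANNER_NEW"
```

To compare live builds, pass the output of `curl --version | head -n 1` from each system instead of the embedded banners.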
