Backout CertPath EKU check in CA certificates


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • 1.4.2
    • Affects Version/s: 1.4.2
    • Component/s: security-libs
    • mantis
    • generic
    • generic
    • Verified

      With 4636027 we introduced an extended key usage check in CA certificates. If they contain the EKU extension, they are only allowed if they include the anyExtendedKeyUsage value. This was in response to changes in PKIX RFC3280.

      It turns out that this is an incorrect interpretation of RFC3280, which is somewhat unclear in this respect. One of the authors (Russ Housley) clarified that the EKU extension should be ignored in CA certificates.
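The difference between the two behaviours, as an added example (this is not the JDK CertPath source). `CertView`, `fromX509` and `firstRejectedCa` are hypothetical names, the sample path is constructed rather than taken from real certificates, and records require Java 16 or later.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;

public class CaEkuCheck {
    // OID of anyExtendedKeyUsage (id-ce-extKeyUsage 2.5.29.37, arc 0).
    static final String ANY_EKU = "2.5.29.37.0";

    // Hypothetical minimal view of a certificate. ekuOids is null when the
    // EKU extension is absent, matching X509Certificate.getExtendedKeyUsage().
    record CertView(String name, boolean isCa, List<String> ekuOids) {}

    // Adapter for real certificates, using only the public java.security.cert API.
    static CertView fromX509(X509Certificate c) throws CertificateParsingException {
        return new CertView(c.getSubjectX500Principal().getName(),
                c.getBasicConstraints() != -1,   // -1 means "not a CA"
                c.getExtendedKeyUsage());
    }

    // Returns the first CA certificate in the path that the EKU rule rejects, or null.
    // enforceCaEku=true : rule described for 4636027.
    // enforceCaEku=false: behaviour after the backout (EKU ignored in CA certs).
    // End-entity EKU handling is out of scope here.
    static String firstRejectedCa(List<CertView> path, boolean enforceCaEku) {
        if (!enforceCaEku) return null;
        for (CertView c : path) {
            if (!c.isCa() || c.ekuOids() == null) continue;
            if (!c.ekuOids().contains(ANY_EKU)) return c.name();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample path (not real certificates).
        List<CertView> path = List.of(
            new CertView("CN=Example Root", true, null),
            new CertView("CN=Example Any-EKU CA", true, List.of("1.3.6.1.5.5.7.3.1", ANY_EKU)),
            new CertView("CN=Example TLS CA", true, List.of("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")),
            new CertView("CN=www.example.test", false, List.of("1.3.6.1.5.5.7.3.1")));
        System.out.println("4636027 rule rejects: " + firstRejectedCa(path, true));
        System.out.println("after backout rejects: " + firstRejectedCa(path, false));
    }
}
```

Running `fromX509` over an existing trust chain shows which CA certificates would have failed validation under the earlier check.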

            Assignee:
            Andreas Sterbenz
            Reporter:
            Andreas Sterbenz