Followup-For: Bug #1039472 X-Debbugs-Cc: t...@security.debian.org Control: found -1 20190909 Control: tag -1 patch
This affects bullseye as well: bullseye# apt-get install openjdk-17-jre-headless=17.0.7+7-1~deb11u1 fails with ... Setting up ca-certificates-java (20190909) ... head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory Exception in thread "main" java.lang.InternalError: Error loading java.security file at java.base/java.security.Security.initialize(Security.java:106) at java.base/java.security.Security$1.run(Security.java:84) at java.base/java.security.Security$1.run(Security.java:82) at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) at java.base/java.security.Security.<clinit>(Security.java:82) at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178) at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96) at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94) at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93) at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55) at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156) at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193) at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50) at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65) at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51) dpkg: error processing package ca-certificates-java (--configure): installed ca-certificates-java package post-installation script subprocess returned error exit status 1 dpkg: dependency problems prevent configuration of openjdk-17-jre-headless:amd64: openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however: Package ca-certificates-java is not configured yet. dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure): dependency problems - leaving unconfigured Processing triggers for libc-bin (2.31-13+deb11u6) ... Processing triggers for ca-certificates (20210119) ... Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... /etc/ca-certificates/update.d/jks-keystore: 82: java: not found E: /etc/ca-certificates/update.d/jks-keystore exited with code 1. done. Errors were encountered while processing: ca-certificates-java openjdk-17-jre-headless:amd64 And for the reference, bookworm# apt-get install openjdk-17-jre=17.0.7+7-1~deb12u1 fails with ... Setting up ca-certificates-java (20230103) ... Exception in thread "main" java.lang.InternalError: Error loading java.security file at java.base/java.security.Security.initialize(Security.java:106) at java.base/java.security.Security$1.run(Security.java:84) at java.base/java.security.Security$1.run(Security.java:82) at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) at java.base/java.security.Security.<clinit>(Security.java:82) at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178) at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96) at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94) at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93) at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55) at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156) at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193) at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50) at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65) at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51) dpkg: error processing package ca-certificates-java (--configure): installed ca-certificates-java package post-installation script subprocess returned error exit status 1 dpkg: dependency problems prevent configuration of openjdk-17-jre-headless:amd64: openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however: Package ca-certificates-java is not configured yet. dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure): dependency problems - leaving unconfigured dpkg: dependency problems prevent configuration of openjdk-17-jre:amd64: openjdk-17-jre:amd64 depends on openjdk-17-jre-headless (= 17.0.7+7-1~deb12u1); however: Package openjdk-17-jre-headless:amd64 is not configured yet. dpkg: error processing package openjdk-17-jre:amd64 (--configure): dependency problems - leaving unconfigured Processing triggers for libc-bin (2.36-9) ... Processing triggers for ca-certificates (20230311) ... Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done. Errors were encountered while processing: ca-certificates-java openjdk-17-jre-headless:amd64 openjdk-17-jre:amd64 I'm attaching two patches with the backported changes from sid that seem to fix this issue. More installation and upgrade tests are running. Andreas
openjdk-17-jre-headless_17.0.7+7-1~deb11u1.log.gz
Description: application/gzip
openjdk-17-jre_17.0.7+7-1~deb12u1.log.gz
Description: application/gzip
>From f020db198e9e96dbc9ddaf4b3dbe3d9247b85ae5 Mon Sep 17 00:00:00 2001 From: Matthias Klose <d...@ubuntu.com> Date: Tue, 20 Jun 2023 06:13:02 +0200 Subject: [PATCH] [ Vladimir Petko ] * d/ca-certificates-java.postinst: Work-around not yet configured jre. (cherry picked from commit 561054ed46afe59b5996974e168418362c872d20) --- debian/changelog | 8 ++++++++ debian/postinst | 7 +++++++ 2 files changed, 15 insertions(+) diff --git a/debian/changelog b/debian/changelog index e35274e..a49805a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium + + [ Vladimir Petko ] + * d/ca-certificates-java.postinst: Work-around not yet configured jre. + (Closes: #1039472) + + -- Andreas Beckmann <a...@debian.org> Tue, 27 Jun 2023 01:12:19 +0200 + ca-certificates-java (20190909) unstable; urgency=medium * Team upload. diff --git a/debian/postinst b/debian/postinst index 555f87b..7d68036 100644 --- a/debian/postinst +++ b/debian/postinst @@ -50,6 +50,13 @@ setup_path() if [ -x /usr/lib/jvm/$jvm/bin/java ]; then export JAVA_HOME=/usr/lib/jvm/$jvm PATH=$JAVA_HOME/bin:$PATH + # copy java.security to allow import to function + security_conf=/etc/${jvm%-${arch}}/security + if [ -f ${security_conf}/java.security.dpkg-new ] \ + && [ ! -f ${security_conf}/java.security ]; then + cp -v ${security_conf}/java.security.dpkg-new \ + ${security_conf}/java.security + fi break fi done -- 2.20.1
>From 5e28251b06c164dff5e25f7429157285caac8d0d Mon Sep 17 00:00:00 2001 From: Matthias Klose <d...@ubuntu.com> Date: Tue, 20 Jun 2023 06:13:02 +0200 Subject: [PATCH] [ Vladimir Petko ] * d/ca-certificates-java.postinst: Work-around not yet configured jre. (cherry picked from commit 561054ed46afe59b5996974e168418362c872d20) --- debian/ca-certificates-java.postinst | 7 +++++++ debian/changelog | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/debian/ca-certificates-java.postinst b/debian/ca-certificates-java.postinst index 94c6c03..2c37582 100644 --- a/debian/ca-certificates-java.postinst +++ b/debian/ca-certificates-java.postinst @@ -31,6 +31,13 @@ setup_path() if [ -x /usr/lib/jvm/$jvm/bin/java ]; then export JAVA_HOME=/usr/lib/jvm/$jvm PATH=$JAVA_HOME/bin:$PATH + # copy java.security to allow import to function + security_conf=/etc/${jvm%-${arch}}/security + if [ -f ${security_conf}/java.security.dpkg-new ] \ + && [ ! -f ${security_conf}/java.security ]; then + cp -v ${security_conf}/java.security.dpkg-new \ + ${security_conf}/java.security + fi break 2 fi done diff --git a/debian/changelog b/debian/changelog index c316775..6e242fe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ca-certificates-java (20230103+deb12u1) bookworm; urgency=medium + + [ Vladimir Petko ] + * d/ca-certificates-java.postinst: Work-around not yet configured jre. + (Closes: #1039472) + + -- Andreas Beckmann <a...@debian.org> Tue, 27 Jun 2023 01:57:21 +0200 + ca-certificates-java (20230103) unstable; urgency=medium * Promote again the JRE recommendation to a dependency. Otherwise -- 2.20.1