Followup-For: Bug #1039472 X-Debbugs-Cc: t...@security.debian.org Control: found -1 20190909 Control: tag -1 patch
This affects bullseye as well:
bullseye# apt-get install openjdk-17-jre-headless=17.0.7+7-1~deb11u1
fails with
...
Setting up ca-certificates-java (20190909) ...
head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or
directory
Exception in thread "main" java.lang.InternalError: Error loading
java.security file
at java.base/java.security.Security.initialize(Security.java:106)
at java.base/java.security.Security$1.run(Security.java:84)
at java.base/java.security.Security$1.run(Security.java:82)
at
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/java.security.Security.<clinit>(Security.java:82)
at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
at
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at
java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
at
java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
at
java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
at
org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
at
org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
dpkg: error processing package ca-certificates-java (--configure):
installed ca-certificates-java package post-installation script subprocess
returned error exit status 1
dpkg: dependency problems prevent configuration of
openjdk-17-jre-headless:amd64:
openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>=
20190405~); however:
Package ca-certificates-java is not configured yet.
dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.31-13+deb11u6) ...
Processing triggers for ca-certificates (20210119) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
/etc/ca-certificates/update.d/jks-keystore: 82: java: not found
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.
Errors were encountered while processing:
ca-certificates-java
openjdk-17-jre-headless:amd64
And for the reference,
bookworm# apt-get install openjdk-17-jre=17.0.7+7-1~deb12u1
fails with
...
Setting up ca-certificates-java (20230103) ...
Exception in thread "main" java.lang.InternalError: Error loading
java.security file
at java.base/java.security.Security.initialize(Security.java:106)
at java.base/java.security.Security$1.run(Security.java:84)
at java.base/java.security.Security$1.run(Security.java:82)
at
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/java.security.Security.<clinit>(Security.java:82)
at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
at
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at
java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
at
java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
at
java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
at
org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
at
org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
dpkg: error processing package ca-certificates-java (--configure):
installed ca-certificates-java package post-installation script subprocess
returned error exit status 1
dpkg: dependency problems prevent configuration of
openjdk-17-jre-headless:amd64:
openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>=
20190405~); however:
Package ca-certificates-java is not configured yet.
dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of openjdk-17-jre:amd64:
openjdk-17-jre:amd64 depends on openjdk-17-jre-headless (=
17.0.7+7-1~deb12u1); however:
Package openjdk-17-jre-headless:amd64 is not configured yet.
dpkg: error processing package openjdk-17-jre:amd64 (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.36-9) ...
Processing triggers for ca-certificates (20230311) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Errors were encountered while processing:
ca-certificates-java
openjdk-17-jre-headless:amd64
openjdk-17-jre:amd64
I'm attaching two patches with the backported changes from sid that seem
to fix this issue. More installation and upgrade tests are running.
Andreas
openjdk-17-jre-headless_17.0.7+7-1~deb11u1.log.gz
Description: application/gzip
openjdk-17-jre_17.0.7+7-1~deb12u1.log.gz
Description: application/gzip
>From f020db198e9e96dbc9ddaf4b3dbe3d9247b85ae5 Mon Sep 17 00:00:00 2001
From: Matthias Klose <d...@ubuntu.com>
Date: Tue, 20 Jun 2023 06:13:02 +0200
Subject: [PATCH] [ Vladimir Petko ] * d/ca-certificates-java.postinst:
Work-around not yet configured jre.
(cherry picked from commit 561054ed46afe59b5996974e168418362c872d20)
---
debian/changelog | 8 ++++++++
debian/postinst | 7 +++++++
2 files changed, 15 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index e35274e..a49805a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+
+ [ Vladimir Petko ]
+ * d/ca-certificates-java.postinst: Work-around not yet configured jre.
+ (Closes: #1039472)
+
+ -- Andreas Beckmann <a...@debian.org> Tue, 27 Jun 2023 01:12:19 +0200
+
ca-certificates-java (20190909) unstable; urgency=medium
* Team upload.
diff --git a/debian/postinst b/debian/postinst
index 555f87b..7d68036 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -50,6 +50,13 @@ setup_path()
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
export JAVA_HOME=/usr/lib/jvm/$jvm
PATH=$JAVA_HOME/bin:$PATH
+ # copy java.security to allow import to function
+ security_conf=/etc/${jvm%-${arch}}/security
+ if [ -f ${security_conf}/java.security.dpkg-new ] \
+ && [ ! -f ${security_conf}/java.security ]; then
+ cp -v ${security_conf}/java.security.dpkg-new \
+ ${security_conf}/java.security
+ fi
break
fi
done
--
2.20.1
>From 5e28251b06c164dff5e25f7429157285caac8d0d Mon Sep 17 00:00:00 2001
From: Matthias Klose <d...@ubuntu.com>
Date: Tue, 20 Jun 2023 06:13:02 +0200
Subject: [PATCH] [ Vladimir Petko ] * d/ca-certificates-java.postinst:
Work-around not yet configured jre.
(cherry picked from commit 561054ed46afe59b5996974e168418362c872d20)
---
debian/ca-certificates-java.postinst | 7 +++++++
debian/changelog | 8 ++++++++
2 files changed, 15 insertions(+)
diff --git a/debian/ca-certificates-java.postinst
b/debian/ca-certificates-java.postinst
index 94c6c03..2c37582 100644
--- a/debian/ca-certificates-java.postinst
+++ b/debian/ca-certificates-java.postinst
@@ -31,6 +31,13 @@ setup_path()
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
export JAVA_HOME=/usr/lib/jvm/$jvm
PATH=$JAVA_HOME/bin:$PATH
+ # copy java.security to allow import to function
+ security_conf=/etc/${jvm%-${arch}}/security
+ if [ -f ${security_conf}/java.security.dpkg-new
] \
+ && [ ! -f
${security_conf}/java.security ]; then
+ cp -v
${security_conf}/java.security.dpkg-new \
+
${security_conf}/java.security
+ fi
break 2
fi
done
diff --git a/debian/changelog b/debian/changelog
index c316775..6e242fe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20230103+deb12u1) bookworm; urgency=medium
+
+ [ Vladimir Petko ]
+ * d/ca-certificates-java.postinst: Work-around not yet configured jre.
+ (Closes: #1039472)
+
+ -- Andreas Beckmann <a...@debian.org> Tue, 27 Jun 2023 01:57:21 +0200
+
ca-certificates-java (20230103) unstable; urgency=medium
* Promote again the JRE recommendation to a dependency. Otherwise
--
2.20.1
