Bug#1039472: ca-certificates-java: openjdk-17 update caused install regressions
Andreas Beckmann
anbe at debian.org
Tue Jun 27 02:05:05 BST 2023
Followup-For: Bug #1039472
X-Debbugs-Cc: team at security.debian.org
Control: found -1 20190909
Control: tag -1 patch
This affects bullseye as well:
bullseye# apt-get install openjdk-17-jre-headless=17.0.7+7-1~deb11u1
fails with
...
Setting up ca-certificates-java (20190909) ...
head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
Exception in thread "main" java.lang.InternalError: Error loading java.security file
at java.base/java.security.Security.initialize(Security.java:106)
at java.base/java.security.Security$1.run(Security.java:84)
at java.base/java.security.Security$1.run(Security.java:82)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/java.security.Security.<clinit>(Security.java:82)
at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
dpkg: error processing package ca-certificates-java (--configure):
installed ca-certificates-java package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of openjdk-17-jre-headless:amd64:
openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however:
Package ca-certificates-java is not configured yet.
dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.31-13+deb11u6) ...
Processing triggers for ca-certificates (20210119) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
/etc/ca-certificates/update.d/jks-keystore: 82: java: not found
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.
Errors were encountered while processing:
ca-certificates-java
openjdk-17-jre-headless:amd64
And for the reference,
bookworm# apt-get install openjdk-17-jre=17.0.7+7-1~deb12u1
fails with
...
Setting up ca-certificates-java (20230103) ...
Exception in thread "main" java.lang.InternalError: Error loading java.security file
at java.base/java.security.Security.initialize(Security.java:106)
at java.base/java.security.Security$1.run(Security.java:84)
at java.base/java.security.Security$1.run(Security.java:82)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/java.security.Security.<clinit>(Security.java:82)
at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
dpkg: error processing package ca-certificates-java (--configure):
installed ca-certificates-java package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of openjdk-17-jre-headless:amd64:
openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however:
Package ca-certificates-java is not configured yet.
dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of openjdk-17-jre:amd64:
openjdk-17-jre:amd64 depends on openjdk-17-jre-headless (= 17.0.7+7-1~deb12u1); however:
Package openjdk-17-jre-headless:amd64 is not configured yet.
dpkg: error processing package openjdk-17-jre:amd64 (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.36-9) ...
Processing triggers for ca-certificates (20230311) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Errors were encountered while processing:
ca-certificates-java
openjdk-17-jre-headless:amd64
openjdk-17-jre:amd64
I'm attaching two patches with the backported changes from sid that seem
to fix this issue. More installation and upgrade tests are running.
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openjdk-17-jre-headless_17.0.7+7-1~deb11u1.log.gz
Type: application/gzip
Size: 10795 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20230627/eb6491b5/attachment-0002.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openjdk-17-jre_17.0.7+7-1~deb12u1.log.gz
Type: application/gzip
Size: 20181 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20230627/eb6491b5/attachment-0003.gz>
-------------- next part --------------
>From f020db198e9e96dbc9ddaf4b3dbe3d9247b85ae5 Mon Sep 17 00:00:00 2001
From: Matthias Klose <doko at ubuntu.com>
Date: Tue, 20 Jun 2023 06:13:02 +0200
Subject: [PATCH] [ Vladimir Petko ] * d/ca-certificates-java.postinst:
Work-around not yet configured jre.
(cherry picked from commit 561054ed46afe59b5996974e168418362c872d20)
---
debian/changelog | 8 ++++++++
debian/postinst | 7 +++++++
2 files changed, 15 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index e35274e..a49805a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+
+ [ Vladimir Petko ]
+ * d/ca-certificates-java.postinst: Work-around not yet configured jre.
+ (Closes: #1039472)
+
+ -- Andreas Beckmann <anbe at debian.org> Tue, 27 Jun 2023 01:12:19 +0200
+
ca-certificates-java (20190909) unstable; urgency=medium
* Team upload.
diff --git a/debian/postinst b/debian/postinst
index 555f87b..7d68036 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -50,6 +50,13 @@ setup_path()
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
export JAVA_HOME=/usr/lib/jvm/$jvm
PATH=$JAVA_HOME/bin:$PATH
+ # copy java.security to allow import to function
+ security_conf=/etc/${jvm%-${arch}}/security
+ if [ -f ${security_conf}/java.security.dpkg-new ] \
+ && [ ! -f ${security_conf}/java.security ]; then
+ cp -v ${security_conf}/java.security.dpkg-new \
+ ${security_conf}/java.security
+ fi
break
fi
done
--
2.20.1
-------------- next part --------------
>From 5e28251b06c164dff5e25f7429157285caac8d0d Mon Sep 17 00:00:00 2001
From: Matthias Klose <doko at ubuntu.com>
Date: Tue, 20 Jun 2023 06:13:02 +0200
Subject: [PATCH] [ Vladimir Petko ] * d/ca-certificates-java.postinst:
Work-around not yet configured jre.
(cherry picked from commit 561054ed46afe59b5996974e168418362c872d20)
---
debian/ca-certificates-java.postinst | 7 +++++++
debian/changelog | 8 ++++++++
2 files changed, 15 insertions(+)
diff --git a/debian/ca-certificates-java.postinst b/debian/ca-certificates-java.postinst
index 94c6c03..2c37582 100644
--- a/debian/ca-certificates-java.postinst
+++ b/debian/ca-certificates-java.postinst
@@ -31,6 +31,13 @@ setup_path()
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
export JAVA_HOME=/usr/lib/jvm/$jvm
PATH=$JAVA_HOME/bin:$PATH
+ # copy java.security to allow import to function
+ security_conf=/etc/${jvm%-${arch}}/security
+ if [ -f ${security_conf}/java.security.dpkg-new ] \
+ && [ ! -f ${security_conf}/java.security ]; then
+ cp -v ${security_conf}/java.security.dpkg-new \
+ ${security_conf}/java.security
+ fi
break 2
fi
done
diff --git a/debian/changelog b/debian/changelog
index c316775..6e242fe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20230103+deb12u1) bookworm; urgency=medium
+
+ [ Vladimir Petko ]
+ * d/ca-certificates-java.postinst: Work-around not yet configured jre.
+ (Closes: #1039472)
+
+ -- Andreas Beckmann <anbe at debian.org> Tue, 27 Jun 2023 01:57:21 +0200
+
ca-certificates-java (20230103) unstable; urgency=medium
* Promote again the JRE recommendation to a dependency. Otherwise
--
2.20.1
More information about the pkg-java-maintainers
mailing list