Package: ca-certificates
Version: 20170531+nmu1
Severity: normal

Dear Maintainer,
update-ca-certificates -f does not pass removed certificates to the update hooks. See the "remove" function in /usr/sbin/update-ca-certificates: the test always fails if -f was passed, because the symlinks were deleted earlier in the script.

This happens when a certificate is removed from /usr/share/ca-certificates, e.g. for the update due to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858539, which removed the untrusted startcom and wosign certificates. If ca-certificates-java is installed, the jks-keystore hook is not told about the removed certificates, and they are still in /etc/ssl/certs/java/keystore.

I believe this is a critical security issue, as any Java application will accept certificates that Debian has removed. There is a bug (reported by me a few years ago) against ca-certificates-java (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767272) that is not a bug in that package, but a result of this bug.
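The leftover state described in the report can be checked for directly: the following script is an added example (not part of the bug report, the ca-certificates package, or ca-certificates-java) that lists trust-store aliases whose source certificate is no longer shipped under /usr/share/ca-certificates. It assumes the jks-keystore hook names entries "debian:<lowercased basename>.pem" and runs on constructed sample input standing in for `find` and `keytool -list` output.

```shell
#!/bin/sh
# Added example: report Java trust-store entries whose source certificate has
# disappeared from /usr/share/ca-certificates (what a missed "-" hook event leaves).
# Assumption: the jks-keystore hook names entries "debian:<lowercased basename>.pem".
set -eu
export LC_ALL=C   # consistent sort/comm collation

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input, standing in for:
#   find /usr/share/ca-certificates -name '*.crt'
cat > "$WORK/shipped.txt" <<'EOF'
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
EOF

# Constructed sample input, standing in for:
#   keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit
cat > "$WORK/keytool.txt" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

debian:digicert_global_root_ca.pem, Sep 1, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): (omitted in sample)
debian:isrg_root_x1.pem, Sep 1, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): (omitted in sample)
debian:startcom_certification_authority.pem, Mar 1, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): (omitted in sample)
debian:wosign.pem, Mar 1, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): (omitted in sample)
EOF

# stale_aliases SHIPPED_LIST KEYTOOL_LISTING -> prints one stale alias per line
stale_aliases() {
  # Aliases we expect, derived from the shipped .crt file names.
  sed -n 's#.*/\([^/]*\)\.crt$#debian:\1.pem#p' "$1" | tr 'A-Z' 'a-z' | sort -u > "$WORK/expected"
  # Aliases actually present as trusted entries in the keystore listing.
  sed -n 's/^\(debian:[^,]*\),.*trustedCertEntry.*/\1/p' "$2" | tr 'A-Z' 'a-z' | sort -u > "$WORK/present"
  # Present but no longer expected: left behind by a removal the hook never saw.
  comm -13 "$WORK/expected" "$WORK/present"
}

stale_aliases "$WORK/shipped.txt" "$WORK/keytool.txt"
```

On a real system, replace the two constructed files with the live `find` and `keytool -list` output; any alias printed is a certificate the keystore still trusts although Debian no longer ships it.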

