Package: ca-certificates-java
Version: 20240118
Severity: serious
Tags: security
Justification: obsolete root CAs for Java applications
X-Debbugs-Cc: Debian Security Team <[email protected]>
Hi,
I'm helping a number of customers upgrade their Debian systems from
stable releases to stable releases, and I have a compare-etc script that
checks how /etc compare between a fresh Debian 13 system and a system
upgraded from Debian 12.
On the ca-certificates side, everything looks good: ca-certificates.crt
is identical (modulo the order in which certificates appear).
On the ca-certificates-java side, that's not the case: cacerts has been
left unchanged by the upgrade.
This doesn't appear to be specific to those specific systems, as I'm
able to reproduce the bug with a fresh bookworm debootstrap, installing
ca-certificates{,-java}, switching apt configuration to trixie, and
upgrading both packages. The cacerts file is left unchanged, and
comparing the certificates between upgraded bookworm and fresh trixie
gives the same number of additions/deletions as reported by
ca-certificates during the upgrade.
To reproduce:
- install bookworm:
cd /tmp
sudo debootstrap bookworm bookworm
sudo mount --bind /proc bookworm/proc
sudo chroot bookworm apt-get install -y default-jre ca-certificates-java
- partial upgrade from bookworm to trixie:
sudo sed s/bookworm/trixie/ -i bookworm/etc/apt/sources.list
sudo chroot bookworm apt-get update
sudo chroot bookworm apt-get install -y ca-certificates ca-certificates-java
- upgrade output:
Preparing to unpack .../ca-certificates_20250419_all.deb ...
Unpacking ca-certificates (20250419) over (20230311+deb12u1) ...
Preparing to unpack .../ca-certificates-java_20240118_all.deb ...
Unpacking ca-certificates-java (20240118) over (20230710~deb12u1) ...
Setting up ca-certificates (20250419) ...
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly
one certificate or CRL
21 added, 13 removed; done.
Setting up ca-certificates-java (20240118) ...
done.
Processing triggers for ca-certificates (20250419) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Processing triggers for ca-certificates-java (20240118) ...
done.
- install trixie:
cd /tmp
sudo debootstrap trixie trixie
sudo mount --bind /proc trixie/proc
sudo chroot trixie apt-get install -y default-jre ca-certificates-java
To compare:
echo changeit | sudo chroot bookworm keytool -list -keystore
/etc/ssl/certs/java/cacerts 2>/dev/null | grep ^Certificate | sort >
bookworm.txt
echo changeit | sudo chroot trixie keytool -list -keystore
/etc/ssl/certs/java/cacerts 2>/dev/null | grep ^Certificate | sort > trixie.txt
diff -u bookworm.txt trixie.txt|tail -n +3|grep -c ^+
diff -u bookworm.txt trixie.txt|tail -n +3|grep -c ^-
which yields 21 additions and 13 deletions, which matches what's
happening at the ca-certificates level when upgrading.
According to my notes, we already had to implement a workaround when
upgrading from Debian 10 to Debian 11 (tracked as #922981), but that
wasn't the case when upgrading from Debian 11 to Debian 12.
I haven't tried to understand exactly what's happening here yet, the
levels of indirection are a little intimidating…
Cheers,
--
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.