author | Michael Shuler <michael@pbandjelly.org> | 2011-10-24 19:03:59 -0500 |
---|---|---|
committer | Michael Shuler <michael@pbandjelly.org> | 2011-10-24 19:03:59 -0500 |
commit | 26c8042c69f3424e5c3d7e93a9915725fee6742a (patch) | |
tree | 6ad3533d5ad545368b8878bd773f6ec53be62d12 | |
parent | 4635b054434a5d3df5d50b07cb7b323d0a830384 (diff) | |
download | ca-certificates-26c8042c69f3424e5c3d7e93a9915725fee6742a.tar.gz |
Broken symlinks on upgrade due to plain c_rehash call #643667
-rw-r--r-- | debian/changelog | 15 | ||||
-rw-r--r-- | debian/postinst | 13 | ||||
-rwxr-xr-x | sbin/update-ca-certificates | 6 |
3 files changed, 25 insertions, 9 deletions
diff --git a/debian/changelog b/debian/changelog
index c92416d..b4e956d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+ca-certificates (20111024) UNRELEASED; urgency=low
+
+ [ Steve Langasek ]
+ * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
+ the way before calling c_rehash, so that symlinks don't accidentally get
+ pointed here, breaking openssl certificate verification LP: #854927
+
+ [ Loïc Minier ]
+ * Drop bogus c_rehash on upgrades, which caused issue when
+ ca-certificates.crt was still in place; instead, call
+ update-ca-certificates --fresh on upgrades to this version, and
+ the usual update-ca-certificates otherwise Closes: #643667
+
+ -- Michael Shuler <michael@pbandjelly.org> Mon, 24 Oct 2011 18:44:13 -0500
+
 ca-certificates (20111023) unstable; urgency=low
 * Add 3.0 (native) source format
diff --git a/debian/postinst b/debian/postinst
index b277281..21d1b94 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -137,13 +137,12 @@ EOF
 -e 's/^[[:space:]]*1[[:space:]]*/!/' \
 >> /etc/ca-certificates.conf
 fi
- update-ca-certificates
- # Call c_rehash when upgrading from older versions to that we
- # have both the old and new style of symlink
- if [ ! -z "$2" ]; then
- if dpkg --compare-versions "$2" le 20090814+nmu3; then
- c_rehash
- fi
+ # fix bogus symlink to ca-certificates.crt on upgrades; see
+ # Debian #643667; drop after wheezy
+ if dpkg --compare-versions "$2" lt-nl 20110502+nmu2+643667; then
+ update-ca-certificates --fresh
+ else
+ update-ca-certificates
 fi
 ;;
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index fc083d7..5375950 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -127,8 +127,7 @@ then
 done
 fi
-chmod 0644 "$TEMPBUNDLE"
-mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+rm -f "$CERTBUNDLE"
 ADDED_CNT=$(wc -l < "$ADDED")
 REMOVED_CNT=$(wc -l < "$REMOVED")
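Review bot: The `lt-nl` threshold `20110502+nmu2+643667` in debian/postinst sorts below `20111023`, which the changelog hunk shows as already uploaded to unstable, so a host that reached 20111023 with the bogus symlinks in place takes the `else` branch and never gets `update-ca-certificates --fresh`. Per the changelog entry, hash links that resolve to the bundle break OpenSSL certificate verification, so the repair should reach every version that could have left them behind. If 20111023 still shipped the plain c_rehash path (the removed lines suggest it did), comparing against the version being released would cover it: `if dpkg --compare-versions "$2" lt-nl 20111024; then`. The enclosing case arm starts outside the hunk.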
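Review bot: `rm -f "$CERTBUNDLE"` in the first sbin/update-ca-certificates hunk deletes the live bundle well before the replacement is moved into place in the following hunk, where the old code swapped it with a single `mv -f`. Until that later `mv` runs, anything that loads the bundle path finds no file, and if the script stops in between (interrupted, or a command in the lines not shown fails, presumably including the c_rehash call) the system is left with no bundle at all. Consider keeping a copy of the old bundle outside the directory being rehashed and putting it back from the exit path when the final `mv` was not reached. At minimum, document the ordering here with `# bundle must not exist while c_rehash runs (LP: #854927); reinstalled below`. The script continues on both sides of the hunk.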
@@ -144,6 +143,9 @@ then
 fi
 fi
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 HOOKSDIR=/etc/ca-certificates/update.d |
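Review bot: The relocated `chmod 0644` / `mv -f` pair has no comment saying why the bundle is installed only at this point, so a later tidy-up could move it back above the rehash and reintroduce the symlinks that point at the bundle. Add a line above it such as `# Install the bundle only after the rehash step so no hash symlink can point at it (LP: #854927).` The rehash itself is presumably in the lines between this hunk and the previous one, which are not shown here.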