author | Michael Shuler <michael@pbandjelly.org> | 2018-12-20 18:35:11 -0600 |
---|---|---|
committer | Michael Shuler <michael@pbandjelly.org> | 2018-12-20 18:35:11 -0600 |
commit | cfe7064cb707ed2e8ac587877c1153029d46dc28 (patch) | |
tree | db54a9c2737ece9fc35076c1fd7722e6dd8898e0 | |
parent | 190e13219ea079e08cb4e13394df8c5560744d70 (diff) | |
download | ca-certificates-cfe7064cb707ed2e8ac587877c1153029d46dc28.tar.gz |
Remove orphan symlinks found in /etc/ssl/certs
This should prevent `openssl rehash` from exiting with an error on a
symlink with nonexistent target, since the behavior changed from c_rehash.
See #895482, #895473.
-rw-r--r-- | debian/changelog | 3 | ||||
-rwxr-xr-x | sbin/update-ca-certificates | 11 |
2 files changed, 13 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index bec0b2d..03d0467 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,9 @@ ca-certificates (20181220) UNRELEASED; urgency=medium * debian/ca-certificates.postinst: Fix permissions on /usr/local/share/ca-certificates when using symlinks. Closes: #916833 + * sbin/update-ca-certificates: + Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl + rehash` from exiting with an error. Closes: #895482, #895473 * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.28. The following certificate authorities were added (+): diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates index bdf5b27..b27c6bd 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates @@ -172,11 +172,20 @@ REMOVED_CNT=$(wc -l < "$REMOVED") if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ] then # only run if set of files has changed + # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash` + # from exiting with an error. See #895482, #895473. + find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan + do + rm -f "$orphan" + if [ "$verbose" = 1 ]; then + echo "Removed orphan symlink $orphan" + fi + done if [ "$verbose" = 0 ] then openssl rehash . > /dev/null else - openssl rehash . + openssl rehash -v . fi fi |
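Review bot: In the sbin/update-ca-certificates hunk, the new `find $ETCCERTSDIR ... | while read orphan` loop leaves `$ETCCERTSDIR` unquoted and calls `read` without `-r` or a cleared `IFS`. A symlink name containing a backslash or leading or trailing whitespace would be altered before it reaches `rm -f "$orphan"`, and a name containing a newline would be split into two paths. Suggest quoting the directory and using `while IFS= read -r orphan`, or dropping the pipe and letting find remove the links itself with a second `-exec rm -f {} \;`. The `find` also descends into any subdirectory of `$ETCCERTSDIR` and matches every dangling symlink there, not only links this script created. If only top-level links are meant, limit the depth (GNU find has `-maxdepth 1`) and say so in the comment above the loop.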