Package: openjdk-8-jre-headless Severity: serious Tags: security patch < Viiru> Hmm. So apparently ca-certificates-java has a hard-coded list of JRE versions. < Viiru> Thus if one installs JRE 8 from backports to a jessie machine (and removes JRE 7) the trust store will never be updated again. < Viiru> Somewhat unexpected.
The solution for this bug is a Breaks: ca-certificates-java (<< 20160321~) in openjdk-8-jre-headless (plus adding ca-certificates-java to backports, which is outside the scope of this bug).