Closed Bug 803152 Opened 12 years ago Closed 12 years ago

Please CTP block all versions of Java, and Flash versions 10.3 through (and including) 11.3.*

Categories: Toolkit :: Blocklist Policy Requests
Type: defect
Priority: Not set
Severity: normal
Status: VERIFIED FIXED
People: Reporter: akeybl, Assigned: jorgev
Whiteboard: [plugin]

Please CTP block all versions of Java, and Flash versions 10.3 through (and including) 11.3 for Firefox versions 17 and up.

This should have all of the necessary plugin name information: https://bsmedberg.etherpad.mozilla.org/ff15-ctp-blocklist-proposal
Depends on: 795387
QA Contact: paul.silaghi
Summary: Please CTP block all versions of Java, and Flash versions 10.3 through (and including) 11.3 → Please CTP block all versions of Java, and Flash versions 10.3 through (and including) 11.3.*
This request should exclude Flash version 10.3.183.19 for all platforms, and version 11.2 for Linux.
We should not roll out these blocks for Android.
Wouldn't it be better to reduce blocklist.interval from 24h?
To put a finer point on comment 1: Flash 10.3 still gets security updates, so we should really block the following version ranges:

On all platforms: Flash anything less than 10.3.183.19. We don't want to block future 10.3 updates.
On Windows and Mac: Flash 11 through anything less than 11.4.402.287
On Linux: Flash 11 through anything less than 11.2.202.243

Unfortunately I don't think we can deploy the block for Linux because it doesn't report its true version number, it reports something like "Shockwave Flash 11.2 r202"
What's the expected behavior if plugins.click_to_play=TRUE but the plugin is also out-of-date (blocklist)? I see the initial pref has priority most of the time, but I managed to get the second one (out-of-date CTP block) a couple of times after opening several Flash sites and reloading.
The expected behavior is that if a plugin is click-to-play via the blocklist, the security ui will be present (in both the drop-down and the in-page overlay). It would be good to verify that this works properly.
Blocks: 804552
Are we blocking *all* versions of Java like the bug seems to indicate, or are we not blocking the latest version of every branch, as the test plan indicates?
https://addons-dev.allizom.org/en-US/firefox/blocked/p163
Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17 and above.
https://addons-dev.allizom.org/en-US/firefox/blocked/p165
Flash Player Plugin between 11.0 and 11.4.402.287, blocked on Windows and Mac OS X, Firefox 17 and above.
(In reply to Jorge Villalobos [:jorgev] from comment #9)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> and above.
The latest Flash 10.3 is 10.3.183.29.
(In reply to Alex Keybl [:akeybl] from comment #1)
> This request should exclude Flash version 10.3.183.19 for all platforms, and
> version 11.2 for Linux.

(In reply to Jorge Villalobos [:jorgev] from comment #9)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> and above.

(In reply to Jorge Villalobos [:jorgev] from comment #10)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p165
> Flash Player Plugin between 11.0 and 11.4.402.287, blocked on Windows and
> Mac OS X, Firefox 17 and above.

(In reply to Scoobidiver from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #9)
> > https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> > Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> > and above.
> The latest Flash 10.3 is 10.3.183.29.

Any version of Flash, including the latest (10 - 11.4.402.287), is blocked on staging. Please clarify.
The previous live blocks are still ON on FF 16 and 17. Why is the infobar not wanted anymore on FF 16? Anyway, I see no infobar blocks on staging for FF 16 but 2 exceptions, due to some old block - Flash 10.1.85.3 and 10.2.159.1.
Java is not blocked.
Comment 12 is Windows related only. On Mac OS X 10.7.5 nothing is actually blocked; the out-of-date infobar shows up for all Flash versions (10 - latest included).
I made assumptions that we weren't blocking the latest release versions of Java 7 and 6, Flash 10.3 and 11.4 (11.2 on Linux). This was not based on any official statement from Engineering.

It would be great to get explicit clarification about which plugin versions should be blocked and which type of block they should receive in Firefox 16 vs 17.
(In reply to Scoobidiver from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #9)
> > https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> > Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> > and above.
> The latest Flash 10.3 is 10.3.183.29.

Benjamin, do you want me to update the Flash 10.3 block based on this information?

(In reply to Paul Silaghi [QA] from comment #13)
> The previous live blocks are still ON on FF 16 and 17. Why is the infobar
> not wanted anymore on FF 16? Anyway, I see no infobar blocks on staging for
> FF 16 but 2 exceptions, due to some old old block - Flash 10.1.85.3 and
> 10.2.159.1.

We have 4 Flash Player blocks on staging:
* 10.2.159.1 and below have an info bar block on Mac OS.
* 10.2.9999 and below have a CTP/info bar block on Windows.
* Below 10.3.183.19 have a CTP block on Firefox 17 and above (Windows and Mac OS).
* Between 11.0 and 11.4.402.287 have a CTP block on Firefox 17 and above (Windows and Mac OS).

So, here's how things should look.

Windows
* Anything in the 10.2.* branch and lower should have an info bar block on Firefox 16 and below.
* Anything in the 10.2.* branch and lower should have a CTP block on Firefox 17 and above.
* In the 10.3.* branch, below 10.3.183.19, we should have a CTP block on Firefox 17 and above. No block on other versions.
* In the 11.* branch, below 11.4.402.287, we should have a CTP block on Firefox 17 and above. No block on other versions.

Mac OS
* 10.2.159.1 and lower should have an info bar block for all Firefox versions.
* Anything above 10.2.159.1 and below 10.3.183.19 should have a CTP block on Firefox 17 and above. No block on other versions.
* In the 11.* branch, below 11.4.402.287, we should have a CTP block on Firefox 17 and above. No block on other versions.
There is a meeting about the final list at 4:30 PT that many of you should be invited to. Please ping akeybl if you aren't on the list and want to be.
Neither Paul nor I will be able to attend that meeting but I would appreciate it if someone could communicate the outcomes either via email or to this bug. Paul will require that information to effectively test this blocklist. I've asked that Juan attend the meeting so QA is represented.

Thanks
Java Plugin 7 update 7 and 8 (click-to-play), Mac OS X, Firefox 17 and above
https://addons-dev.allizom.org/en-US/firefox/blocked/p167

Java Plugin 7 update 7 and 8 (click-to-play), Windows, Firefox 17 and above
https://addons-dev.allizom.org/en-US/firefox/blocked/p169

Java Plugin 7 update 7 and 8 (click-to-play), Linux, Firefox 17 and above
https://addons-dev.allizom.org/en-US/firefox/blocked/p171

All other versions in the Java 7 branch are softblocked, so I didn't include them.
Things don't look too good, as I already said.
Here are the results for FF 17 on staging:
Win - all Flash Players (10 - latest 11.4.402.287 included) are CTP blocked
Mac OS X - all Flash Players (10 - latest 11.4.402.287 included) are infobar blocked
(In reply to Jorge Villalobos [:jorgev] from comment #20)
> Java Plugin 7 update 7 and 8 (click-to-play), Mac OS X, Firefox 17 and above
> https://addons-dev.allizom.org/en-US/firefox/blocked/p167
> 
> Java Plugin 7 update 7 and 8 (click-to-play), Windows, Firefox 17 and above
> https://addons-dev.allizom.org/en-US/firefox/blocked/p169
> 
> Java Plugin 7 update 7 and 8 (click-to-play), Linux, Firefox 17 and above
> https://addons-dev.allizom.org/en-US/firefox/blocked/p171
> 
> All other versions in the Java 7 branch are softblocked, so I didn't include
> them.

Tested on Windows only:

Java 6 <= Java 6u32 are softblocked
Java 6u33, 6u34, 6u35, 6u37 are NOT softblocked
Java 7 <= Java 7u6 are softblocked
Java 7u7 is CTP blocked
Java 7u8 - cannot find the installation kit
Java 7u9 (latest) - not blocked as expected
(In reply to Paul Silaghi [QA] from comment #22)
> Tested on Windows only:
> 
> Java 6 <= Java 6u32 are softblocked
> Java 6u33, 6u34, 6u35, 6u37 are NOT softblocked

This is expected because no Java 6 blocks have been staged yet.

> Java 7 <= Java 7u6 are softblocked
> Java 7u7 is CTP blocked
> Java 7u8 - cannot find the installation kit
> Java 7u9 (latest) - not blocked as expected

These look okay, though we should find a way to test update 8.
(In reply to Jorge Villalobos [:jorgev] from comment #23)
> These look okay, though we should find a way to test update 8.

"Java SE 7 Update 8 (7u8) is being renumbered to Java SE 7 Update 10 (7u10)."
http://jdk7.java.net/download.html
(In reply to Paul Silaghi [QA] from comment #21)
> Things don't look too good, as I already said.
> Here are the results for FF 17 on staging:
> Win - all Flash Players (10 - latest 11.4.402.287 included) are CTP blocked
> Mac OS X - all Flash Players (10 - latest 11.4.402.287 included) are infobar
> blocked

Yes, looking at the blocklist, the entries are not including plugin version ranges anymore, which makes the blocks behave incorrectly. This is a regression caused by bug 795387.
OK, now that bug 795387 is resolved again (I checked and it looks good), we need to retest these blocks. Paul mentioned not being available tomorrow, so we might need someone else from QA to step in.
Java Plugin 6 updates 33 through 36 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p173

Java Plugin 6 updates 36 and lower (click-to-play), Mac OS X *
https://addons-dev.allizom.org/en-US/firefox/blocked/p175

Java Plugin 6 updates 33 through 36 (click-to-play), Linux **
https://addons-dev.allizom.org/en-US/firefox/blocked/p179

* Note that this block only covers the Oracle plugin, not the one that used to be bundled with Mac OS X. To block that one, we would need help from QA to figure out which was the latest version of the plugin and which JRE version it corresponds to. I could CTP all versions of that plugin, if we feel that's necessary.

** Also limited to the Oracle plugin, which isn't typically found in Linux distros.

This should cover all CTP blocks required by this bug.
(In reply to Scoobidiver from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #9)
> > https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> > Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> > and above.
> The latest Flash 10.3 is 10.3.183.29.

What about Flash 10.3.183.19 - 10.3.183.29?

And what about Flash on Linux?
(In reply to Paul Silaghi [QA] from comment #28)
> (In reply to Scoobidiver from comment #11)
> > (In reply to Jorge Villalobos [:jorgev] from comment #9)
> > > https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> > > Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> > > and above.
> > The latest Flash 10.3 is 10.3.183.29.
> 
> What about Flash 10.3.183.19 - 10.3.183.29 ? 

I asked this on comment #17 and haven't seen a response yet.

> And what about Flash on linux ?

Plugins on Linux don't report their version numbers correctly to the Add-ons Manager, so we can't block the Flash plugin effectively. We can block Java because the version number is reported in the Java plugin name and we can create blocks based on name patterns.
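As an added illustration, not code from Mozilla's blocklist or from anyone in this bug, the following Python evaluates the Flash ranges Jorge laid out in comment 17 (Windows and Mac, infobar vs. CTP by Firefox major version) and the name-based Java matching he describes above in comment 29. The Linux Flash string "Shockwave Flash 11.2 r202" is the one quoted in comment 5; the two Java plugin name formats the regexes accept are assumed for this example, since the bug only says the version appears in the plugin name and does not give the exact strings. The Java softblock ranges mirror the results Paul reported when testing (6u32 and below, 7u6 and below).

```python
"""Added example: plugin version-range evaluation, not Mozilla's blocklist code."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Optional[Version]:
    """'11.4.402.287' -> (11, 4, 402, 287).

    Returns None for anything that is not a purely dotted number. The Linux
    Flash plugin reports 'Shockwave Flash 11.2 r202' (comment 5), which no
    dotted range can be matched against, so it cannot be blocked by version.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def flash_block(platform: str, flash_version: str, firefox_major: int) -> Optional[str]:
    """Return 'infobar', 'ctp' or None following comment 17.

    Ranges are low-inclusive and high-exclusive, so 'below 10.3.183.19'
    excludes 10.3.183.19 itself and 'between 11.0 and 11.4.402.287' excludes
    the 11.4.402.287 release.
    """
    v = parse_version(flash_version)
    if v is None:
        return None  # version not reported as dotted numbers: nothing to compare
    ff17 = firefox_major >= 17
    if platform == "win":
        if v < (10, 3):                          # 10.2.* branch and lower
            return "ctp" if ff17 else "infobar"
        if v < (10, 3, 183, 19):                 # 10.3.* below 10.3.183.19
            return "ctp" if ff17 else None
        if (11,) <= v < (11, 4, 402, 287):       # 11.* below 11.4.402.287
            return "ctp" if ff17 else None
        return None                              # 10.3.183.19 and up, 11.4.402.287 and up
    if platform == "mac":
        if v <= (10, 2, 159, 1):                 # infobar on all Firefox versions
            return "infobar"
        if v < (10, 3, 183, 19):
            return "ctp" if ff17 else None
        if (11,) <= v < (11, 4, 402, 287):
            return "ctp" if ff17 else None
        return None
    return None  # Linux: no usable Flash version number (comment 29)


# Assumed plugin-name formats (constructed for this example).
_JAVA_NAME_PATTERNS = (
    re.compile(r"Java\(TM\) Platform SE (\d+) U(\d+)"),   # e.g. 'Java(TM) Platform SE 7 U7'
    re.compile(r"Java\(TM\) Plug-in 1\.(\d+)\.0_(\d+)"),  # e.g. 'Java(TM) Plug-in 1.7.0_07'
)


def java_version_from_name(plugin_name: str) -> Optional[Tuple[int, int]]:
    """Extract (major, update) from the plugin name, as comment 29 relies on."""
    for pattern in _JAVA_NAME_PATTERNS:
        m = pattern.search(plugin_name)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def java_block(plugin_name: str) -> Optional[str]:
    """'ctp' for 6u33-6u36 and 7u7-7u8 (comment 27), 'softblock' for the
    older updates Paul observed as softblocked, None for 6u37 / 7u9 (latest)."""
    parsed = java_version_from_name(plugin_name)
    if parsed is None:
        return None
    major, update = parsed
    if major == 6:
        if 33 <= update <= 36:
            return "ctp"
        return "softblock" if update <= 32 else None
    if major == 7:
        if 7 <= update <= 8:
            return "ctp"
        return "softblock" if update <= 6 else None
    return None


if __name__ == "__main__":
    # Constructed sample inputs; 10.3.183.25 shows the gap raised later in the bug.
    for platform, ver, ff in [("win", "10.2.159.1", 16), ("win", "10.3.183.25", 17),
                              ("mac", "11.4.402.286", 17), ("linux", "Shockwave Flash 11.2 r202", 17)]:
        print(platform, ver, "FF", ff, "->", flash_block(platform, ver, ff))
    for name in ["Java(TM) Platform SE 7 U7", "Java(TM) Plug-in 1.6.0_35", "Java(TM) Platform SE 7 U9"]:
        print(name, "->", java_block(name))
```

Running it shows why the 10.3.183.20 through 10.3.183.29 builds slip through: with the high bound set at 10.3.183.19 they fall into the "no block" branch, and why a Linux Flash entry would be unmatchable without a numeric version to compare.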
Except for versions between 10.3.183.19 and 10.3.183.29, Flash is properly blocked both on Win and Mac OS X.
Java is properly blocked on Win (j6u37 and j7u9 are not blocked as expected).
Currently testing java on linux.

I didn't manage to install an older version of Java on Mac, and didn't find any documentation for that. Any ideas?
(In reply to Paul Silaghi [QA] from comment #31)
> Java is properly blocked on Win (j6u37 and j7u9 are not blocked as expected).
> Currently testing java on linux.
> 
> I didn't manage to install an older version of Java on Mac, and didn't
> find any documentation for that. Any ideas?

We've had problems around testing this previously. I wouldn't block deploying on final verification here - we can rely on external testing for older versions of Java on Mac.
(In reply to Scoobidiver from comment #11)
> The latest Flash 10.3 is 10.3.183.29.
Adobe references it as the latest one on their website: http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html#flash_player_archives and http://www.adobe.com/support/security/bulletins/apsb12-22.html
Trying to understand a high-level assessment of where we are at here. Please correct me where I am wrong.

Flash 10.3 to 11.3 excluding 10.3.183.19 and 11.4.402.287
* Windows: Tested and signed-off
* Mac: Tested and signed off
* Linux: Untested since they don't report correct version numbers to Firefox

Java 7 excluding 7u9
* Windows: Tested and signed-off
* Mac: Untested due to technical complexities of Apple's Java support model
* Linux: Remains to be tested

Java 6 excluding 6u37
* Windows: Tested and signed-off
* Mac: Untested due to technical complexities of Apple's Java support model
* Linux: Tested and signed-off

As far as I can tell all that remains is to test Java 7 on Linux. The one caveat being that we will push live without Mac testing. We'll let Mac users inform us of any issues and react accordingly post-push as we've done in the past.

Is this an accurate assessment?
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #34) 
> Is this an accurate assessment?

Looks right to me.
(In reply to Jorge Villalobos [:jorgev] from comment #35)
> (In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #34) 
> > Is this an accurate assessment?
> 
> Looks right to me.

Thanks Jorge. I'll try to get the Java 7 Linux testing complete today so we can either push live tonight having Paul test the live block, or tomorrow morning having me test the live block.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #34)
> excluding 10.3.183.19
This version doesn't even exist and you are allowing 10.3.183.20, 10.3.183.23 and 10.3.183.25 that are vulnerable. See comment 33.
Thanks Scoobidiver, you are right. The latest Flash 10.3 version supported by Adobe is 10.3.183.29. We should amend the Flash 10.3 block to cover all Flash 10.3 excluding 10.3.183.29. If this has already been done I can test it, if not I'm inclined to block sign-off until we do.
I've been trying for nearly an hour to get old versions of Java 7 to install in Linux, unsuccessfully. I don't think this is getting done today. I'll keep trying to find a way to get this to work until the end of the day. Failing that, Paul, can you please try to test Java 7 on Linux? Thanks.
I managed to get Java 7 to register in Firefox 17.0b3 now but I think I'm hitting another block which might be taking precedence over the staged block.

1. Install Java 7.0
2. Start Firefox, update about:config prefs to staging
3. Force a blocklist ping and open Add-ons Manager :: Plugins
> Java 1.7.0 is disabled because it's known to cause security vulnerabilities
4. Enable Java
5. Load a Java applet
> Java applet is loaded without blocking
Which version of Java 7 is this?
(In reply to Jorge Villalobos [:jorgev] from comment #41)
> Which version of Java 7 is this?

Java 7.0, the initial Java 7 release.
See comment #20. The Java block only covers Java 7 update 7 and 8. The rest of the Java 7 should be softblocked only.
(In reply to Jorge Villalobos [:jorgev] from comment #43)
> the rest of the Java 7

the rest of the Java 7 *branch*
(In reply to Jorge Villalobos [:jorgev] from comment #43)
> See comment #20. The Java block only covers Java 7 update 7 and 8. The rest
> of the Java 7 should be softblocked only.

I don't think we can test CTP for Java 7 on Linux then...

http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html

...only shows Java 7u6 and below.
Given my assessment in comment 34, if it's believed the risk is low to pushing live without Java testing on Mac and without Java 7 testing on Linux then I can send QA sign off. However, I won't send sign off until someone okays that risk.
I finally found j7u7 for linux: http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html.
Given that, j7u8 remains untested, both on Win and Linux (but I guess that's ok due to comment 24) and also the java issue on Mac. So, the results are:
Java 6 <= Java 6u32 are softblocked
Java 6u33, 6u34, 6u35 are CTP blocked
Java 7 <= Java 7u6 are softblocked
Java 7u7 is CTP blocked
Java 7u8 - N/A
Java 6u37, 7u9 (latest) - not blocked as expected
Given the results I think we are good to push live. Assuming there is no requirement to send an email to r-d, consider this comment QA sign-off for staging.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #48)
> Given the results I think we are good to push live.
What about comment 38?
I just remembered that bug 795387 hasn't been pushed to production yet, since we needed to test that it was working well first. I'll ask to get it pushed now.
Done:

Java Plugin 6 updates 33 through 36 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p190

Java Plugin 6 updates 36 and lower (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p188

Java Plugin 6 updates 33 through 36 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p186

Java Plugin 7 update 7 and 8 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p184

Java Plugin 7 update 7 and 8 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p182

Java Plugin 7 update 7 and 8 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p180

Flash Player Plugin between 11.0 and 11.4.402.287 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p178

Flash Player Plugin below 10.3.183.19 (click-to-play) 
https://addons.mozilla.org/en-US/firefox/blocked/p176
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Should I file a new bug for the 3 vulnerable Flash 10.3 versions (10.3.183.20, 10.3.183.23 and 10.3.183.25) that are not blocked?
The blocks appear to be working as expected on production. Be advised that we were unable to test Java on Mac, as with the staged block.
Status: RESOLVED → VERIFIED
Blocks: 807258
(In reply to Scoobidiver from comment #52)
> Should I file a new bug for the 3 vulnerable Flash 10.3 versions
> (10.3.183.20, 10.3.183.23 and 10.3.183.25) that are not blocked?

Done - bug 807258
No longer blocks: 807258
Depends on: 807258
No longer blocks: 804552
Depends on: 804552
Depends on: 808824
Blocks: 843373
No longer blocks: 843373
Product: addons.mozilla.org → Toolkit