Bug 803152 - Please CTP block all versions of Java, and Flash versions 10.3 through (and including) 11.3.*
Status: Closed (VERIFIED FIXED)
Opened 12 years ago; closed 12 years ago
Categories: Toolkit :: Blocklist Policy Requests, defect
People: Reporter: akeybl, Assigned: jorgev
Whiteboard: [plugin]
Please CTP block all versions of Java, and Flash versions 10.3 through (and including) 11.3 for Firefox versions 17 and up. This should have all of the necessary plugin name information: https://bsmedberg.etherpad.mozilla.org/ff15-ctp-blocklist-proposal
Updated 12 years ago (Reporter): QA Contact: paul.silaghi
Updated 12 years ago (Reporter): Summary: Please CTP block all versions of Java, and Flash versions 10.3 through (and including) 11.3 → Please CTP block all versions of Java, and Flash versions 10.3 through (and including) 11.3.*
Comment 1 (Reporter) • 12 years ago
This request should exclude Flash version 10.3.183.19 for all platforms, and version 11.2 for Linux.
Comment 2 (Reporter) • 12 years ago
We should not roll out these blocks for Android.
Draft testplan set up here: https://wiki.mozilla.org/QA/Plugins/CTP_Blocklist#Round_.232:_Flash_and_Java
Comment 4 • 12 years ago
Wouldn't it be better to reduce blocklist.interval from 24h?
Comment 5 • 12 years ago
To put a finer point on comment 1: Flash 10.3 still gets security updates, so we should really block the following version ranges:

On all platforms: Flash anything less than 10.3.183.19. We don't want to block future 10.3 updates.
On Windows and Mac: Flash 11 through anything less than 11.4.402.287
On Linux: Flash 11 through anything less than 11.2.202.243

Unfortunately I don't think we can deploy the block for Linux because it doesn't report its true version number; it reports something like "Shockwave Flash 11.2 r202".
Comment 6 • 12 years ago
What's the expected behavior if plugins.click_to_play=TRUE but the plugin is also out-of-date (blocklist)? I see the initial pref has priority most of the time, but I managed to get the second one (out-of-date CTP block) a couple of times after opening several Flash sites and reloading.
The expected behavior is that if a plugin is click-to-play via the blocklist, the security ui will be present (in both the drop-down and the in-page overlay). It would be good to verify that this works properly.
Comment 8 (Assignee) • 12 years ago
Are we blocking *all* versions of Java like the bug seems to indicate, or are we not blocking the latest version of every branch, as the test plan indicates?
Comment 9 (Assignee) • 12 years ago
https://addons-dev.allizom.org/en-US/firefox/blocked/p163
Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17 and above.
Comment 10 (Assignee) • 12 years ago
https://addons-dev.allizom.org/en-US/firefox/blocked/p165
Flash Player Plugin between 11.0 and 11.4.402.287, blocked on Windows and Mac OS X, Firefox 17 and above.
Comment 11 • 12 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #9)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> and above.

The latest Flash 10.3 is 10.3.183.29.
Comment 12 • 12 years ago
(In reply to Alex Keybl [:akeybl] from comment #1)
> This request should exclude Flash version 10.3.183.19 for all platforms, and
> version 11.2 for Linux.

(In reply to Jorge Villalobos [:jorgev] from comment #9)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> and above.

(In reply to Jorge Villalobos [:jorgev] from comment #10)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p165
> Flash Player Plugin between 11.0 and 11.4.402.287, blocked on Windows and
> Mac OS X, Firefox 17 and above.

(In reply to Scoobidiver from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #9)
> > https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> > Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> > and above.
> The latest Flash 10.3 is 10.3.183.29.

Any version of Flash including latest (10 - 11.4.402.287) is staged blocked. Please clarify.
Comment 13 • 12 years ago
The previous live blocks are still ON on FF 16 and 17. Why is the infobar not wanted anymore on FF 16? Anyway, I see no infobar blocks on staging for FF 16 but 2 exceptions, due to some old old block - Flash 10.1.85.3 and 10.2.159.1.
Comment 14 • 12 years ago
Java is not blocked.
Comment 15 • 12 years ago
Comment 12 is Windows related only. On Mac OS X 10.7.5 nothing is actually blocked, the out-of-date infobar shows up for all Flash versions (10-latest included)
Comment 16 • 12 years ago
I made assumptions that we weren't blocking the latest release versions of Java 7 and 6, Flash 10.3 and 11.4 (11.2 on Linux). This was not based on any official statement from Engineering. It would be great to get explicit clarification about which plugin versions should be blocked and which type of block they should receive in Firefox 16 vs 17.
Comment 17 (Assignee) • 12 years ago
(In reply to Scoobidiver from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #9)
> > https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> > Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> > and above.
> The latest Flash 10.3 is 10.3.183.29.

Benjamin, do you want me to update the Flash 10.3 block based on this information?

(In reply to Paul Silaghi [QA] from comment #13)
> The previous live blocks are still ON on FF 16 and 17. Why is the infobar
> not wanted anymore on FF 16? Anyway, I see no infobar blocks on staging for
> FF 16 but 2 exceptions, due to some old old block - Flash 10.1.85.3 and
> 10.2.159.1.

We have 4 Flash Player blocks on staging:
* 10.2.159.1 and below have an info bar block on Mac OS.
* 10.2.9999 and below have a CTP/info bar block on Windows.
* Below 10.3.183.19 have a CTP block on Firefox 17 and above (Windows and Mac OS).
* Between 11.0 and 11.4.402.287 have a CTP block on Firefox 17 and above (Windows and Mac OS).

So, here's how things should look.

Windows
* Anything in the 10.2.* branch and lower should have an info bar block on Firefox 16 and below.
* Anything in the 10.2.* branch and lower should have a CTP block on Firefox 17 and above.
* In the 10.3.* branch, below 10.3.183.19, we should have a CTP block on Firefox 17 and above. No block on other versions.
* In the 11.* branch, below 11.4.402.287, we should have a CTP block on Firefox 17 and above. No block on other versions.

Mac OS
* 10.2.159.1 and lower should have an info bar block for all Firefox versions.
* Anything above 10.2.159.1 and below 10.3.183.19 should have a CTP block on Firefox 17 and above. No block on other versions.
* In the 11.* branch, below 11.4.402.287, we should have a CTP block on Firefox 17 and above. No block on other versions.
Comment 18 • 12 years ago
There is a meeting about the final list at 4:30 PT that many of you should be invited to. Please ping akeybl if you aren't on the list and want to be.
Comment 19 • 12 years ago
Neither Paul nor I will be able to attend that meeting but I would appreciate it if someone could communicate the outcomes either via email or to this bug. Paul will require that information to effectively test this blocklist. I've asked that Juan attend the meeting so QA is represented. Thanks
Comment 20 (Assignee) • 12 years ago
Java Plugin 7 update 7 and 8 (click-to-play), Mac OS X, Firefox 17 and above
https://addons-dev.allizom.org/en-US/firefox/blocked/p167

Java Plugin 7 update 7 and 8 (click-to-play), Windows, Firefox 17 and above
https://addons-dev.allizom.org/en-US/firefox/blocked/p169

Java Plugin 7 update 7 and 8 (click-to-play), Linux, Firefox 17 and above
https://addons-dev.allizom.org/en-US/firefox/blocked/p171

All other versions in the Java 7 branch are softblocked, so I didn't include them.
Comment 21 • 12 years ago
The things don't look too good, as I already said.
Here are the results for FF 17 on staging:
Win - all Flash Players (10 - latest 11.4.402.287 included) are CTP blocked
Mac OS X - all Flash Players (10 - latest 11.4.402.287 included) are infobar blocked
Comment 22 • 12 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #20)
> Java Plugin 7 update 7 and 8 (click-to-play), Mac OS X, Firefox 17 and above
> https://addons-dev.allizom.org/en-US/firefox/blocked/p167
>
> Java Plugin 7 update 7 and 8 (click-to-play), Windows, Firefox 17 and above
> https://addons-dev.allizom.org/en-US/firefox/blocked/p169
>
> Java Plugin 7 update 7 and 8 (click-to-play), Linux, Firefox 17 and above
> https://addons-dev.allizom.org/en-US/firefox/blocked/p171
>
> All other versions in the Java 7 branch are softblocked, so I didn't include
> them.

Tested on Windows only:

Java 6 <= Java 6u32 are softblocked
Java 6u33, 6u34, 6u35, 6u37 are NOT softblocked
Java 7 <= Java 7u6 are softblocked
Java 7u7 is CTP blocked
Java 7u8 - cannot find the installation kit
Java 7u9 (latest) - not blocked as expected
Comment 23 (Assignee) • 12 years ago
(In reply to Paul Silaghi [QA] from comment #22)
> Tested on Windows only:
>
> Java 6 <= Java 6u32 are softblocked
> Java 6u33, 6u34, 6u35, 6u37 are NOT softblocked

This is expected because no Java 6 blocks have been staged yet.

> Java 7 <= Java 7u6 are softblocked
> Java 7u7 is CTP blocked
> Java 7u8 - cannot find the installation kit
> Java 7u9 (latest) - not blocked as expected

These look okay, though we should find a way to test update 8.
Comment 24 • 12 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #23)
> These look okay, though we should find a way to test update 8.

"Java SE 7 Update 8 (7u8) is being renumbered to Java SE 7 Update 10 (7u10)."
http://jdk7.java.net/download.html
Comment 25 (Assignee) • 12 years ago
(In reply to Paul Silaghi [QA] from comment #21)
> The things don't look too good, as I already said.
> Here are the results for FF 17 on staging:
> Win - all Flash Players (10 - latest 11.4.402.287 included) are CTP blocked
> Mac OS X - all Flash Players (10 - latest 11.4.402.287 included) are infobar
> blocked

Yes, looking at the blocklist, the entries are not including plugin version ranges anymore, which makes the blocks behave incorrectly. This is a regression caused by bug 795387.
Comment 26 (Assignee) • 12 years ago
OK, now that bug 795387 is resolved again (I checked and it looks good), we need to retest these blocks. Paul mentioned not being available tomorrow, so we might need someone else from QA to step in.
Comment 27 (Assignee) • 12 years ago
Java Plugin 6 updates 33 through 36 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p173

Java Plugin 6 updates 36 and lower (click-to-play), Mac OS X *
https://addons-dev.allizom.org/en-US/firefox/blocked/p175

Java Plugin 6 updates 33 through 36 (click-to-play), Linux **
https://addons-dev.allizom.org/en-US/firefox/blocked/p179

* Note that this block only covers the Oracle plugin, not the one that used to be bundled with Mac OS X. To block that one, we would need help from QA to figure out which was the latest version of the plugin and which JRE version it corresponds to. I could CTP all versions of that plugin, if we feel that's necessary.

** Also limited to the Oracle plugin, which isn't typically found in Linux distros.

This should cover all CTP blocks required by this bug.
Comment 28 • 12 years ago
(In reply to Scoobidiver from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #9)
> > https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> > Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> > and above.
> The latest Flash 10.3 is 10.3.183.29.

What about Flash 10.3.183.19 - 10.3.183.29? And what about Flash on Linux?
Comment 29 (Assignee) • 12 years ago
(In reply to Paul Silaghi [QA] from comment #28)
> (In reply to Scoobidiver from comment #11)
> > (In reply to Jorge Villalobos [:jorgev] from comment #9)
> > > https://addons-dev.allizom.org/en-US/firefox/blocked/p163
> > > Flash Player below 10.3.183.19, blocked on Windows and Mac OS X, Firefox 17
> > > and above.
> > The latest Flash 10.3 is 10.3.183.29.
>
> What about Flash 10.3.183.19 - 10.3.183.29 ?

I asked this on comment #17 and haven't seen a response yet.

> And what about Flash on linux ?

Plugins on Linux don't report their version numbers correctly to the Add-ons Manager, so we can't block the Flash plugin effectively. We can block Java because the version number is reported in the Java plugin name and we can create blocks based on name patterns.
Comment 30 • 12 years ago
Except versions between 10.3.183.19 - 10.3.183.29, Flash is properly blocked both on Win and Mac OS X.
Comment 31 • 12 years ago
Java is properly blocked on Win (j6u37 and j7u9 are not blocked as expected). Currently testing Java on Linux.
I didn't manage to install an older version of Java on Mac, and also didn't find any documentation for that. Any ideas?
Comment 32 (Reporter) • 12 years ago
(In reply to Paul Silaghi [QA] from comment #31)
> Java is properly blocked on Win (j6u37 and j7u9 are not blocked as expected).
> Currently testing java on linux.
>
> I didn't manage to install an older version of java on Mac, also didn't
> found any documentation for that. Any ideas ?

We've had problems around testing this previously. I wouldn't block deploying on final verification here - we can rely on external testing for older versions of Java on Mac.
Comment 33 • 12 years ago
(In reply to Scoobidiver from comment #11)
> The latest Flash 10.3 is 10.3.183.29.

Adobe references it as the latest one on their website:
http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html#flash_player_archives
and
http://www.adobe.com/support/security/bulletins/apsb12-22.html
Comment 34 • 12 years ago
Trying to understand a high-level assessment of where we are at here. Please correct me where I am wrong.

Flash 10.3 to 11.3 excluding 10.3.183.19 and 11.4.402.287
* Windows: Tested and signed-off
* Mac: Tested and signed off
* Linux: Untested since they don't report correct version numbers to Firefox

Java 7 excluding 7u9
* Windows: Tested and signed-off
* Mac: Untested due to technical complexities of Apple's Java support model
* Linux: Remains to be tested

Java 6 excluding 6u37
* Windows: Tested and signed-off
* Mac: Untested due to technical complexities of Apple's Java support model
* Linux: Tested and signed-off

As far as I can tell all that remains is to test Java 7 on Linux. The one caveat being that we will push live without Mac testing. We'll let Mac users inform us of any issues and react accordingly post-push as we've done in the past.

Is this an accurate assessment?
Comment 35 (Assignee) • 12 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #34)
> Is this an accurate assessment?

Looks right to me.
Comment 36 • 12 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #35)
> (In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #34)
> > Is this an accurate assessment?
>
> Looks right to me.

Thanks Jorge. I'll try to get the Java 7 Linux testing complete today so we can either push live tonight having Paul test the live block, or tomorrow morning having me test the live block.
Comment 37 • 12 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #34)
> excluding 10.3.183.19

This version doesn't even exist and you are allowing 10.3.183.20, 10.3.183.23 and 10.3.183.25 that are vulnerable. See comment 33.
Comment 38 • 12 years ago
Thanks Scoobidiver, you are right. The latest Flash 10.3 version supported by Adobe is 10.3.183.29. We should amend the Flash 10.3 block to cover all Flash 10.3 excluding 10.3.183.29. If this has already been done I can test it, if not I'm inclined to block sign-off until we do.
Comment 39 • 12 years ago
I've been trying for nearly an hour to get old versions of Java 7 to install in Linux, unsuccessfully. I don't think this is getting done today. I'll keep trying to find a way to get this to work until the end of the day. Failing that, Paul, can you please try to test Java 7 on Linux? Thanks.
Comment 40 • 12 years ago
I managed to get Java 7 to register in Firefox 17.0b3 now but I think I'm hitting another block which might be taking precedence over the staged block.

1. Install Java 7.0
2. Start Firefox, update about:config prefs to staging
3. Force a blocklist ping and open Add-ons Manager :: Plugins
> Java 1.7.0 is disabled because it's known to cause security vulnerabilities
4. Enable Java
5. Load a Java applet
> Java applet is loaded without blocking
Comment 41 (Assignee) • 12 years ago
Which version of Java 7 is this?
Comment 42 • 12 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #41)
> Which version of Java 7 is this?

Java 7.0, the initial Java 7 release.
Comment 43 (Assignee) • 12 years ago
See comment #20. The Java block only covers Java 7 update 7 and 8. The rest of the Java 7 should be softblocked only.
Comment 44 (Assignee) • 12 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #43)
> the rest of the Java 7

the rest of the Java 7 *branch*
Comment 45 • 12 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #43)
> See comment #20. The Java block only covers Java 7 update 7 and 8. The rest
> of the Java 7 should be softblocked only.

I don't think we can test CTP for Java 7 on Linux then...
http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html
...only shows Java 7u6 and below.
Comment 46 • 12 years ago
Given my assessment in comment 34, if it's believed the risk is low to pushing live without Java testing on Mac and without Java 7 testing on Linux then I can send QA sign off. However, I won't send sign off until someone okays that risk.
Comment 47 • 12 years ago
I finally found j7u7 for linux: http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html. Given that, j7u8 remains untested, both on Win and Linux (but I guess that's ok due to comment 24) and also the java issue on Mac.

So, the results are:
Java 6 <= Java 6u32 are softblocked
Java 6u33, 6u34, 6u35 are CTP blocked
Java 7 <= Java 7u6 are softblocked
Java 7u7 is CTP blocked
Java 7u8 - N/A
Java 6u37, 7u9 (latest) - not blocked as expected
Comment 48 • 12 years ago
Given the results I think we are good to push live. Assuming there is no requirement to send an email to r-d, consider this comment QA sign-off for staging.
Comment 49 • 12 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #48)
> Given the results I think we are good to push live.

What about comment 38?
Comment 50 (Assignee) • 12 years ago
I just remembered that bug 795387 hasn't been pushed to production yet, since we needed to test that it was working well first. I'll ask to get it pushed now.
Comment 51 (Assignee) • 12 years ago
Done:

Java Plugin 6 updates 33 through 36 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p190

Java Plugin 6 updates 36 and lower (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p188

Java Plugin 6 updates 33 through 36 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p186

Java Plugin 7 update 7 and 8 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p184

Java Plugin 7 update 7 and 8 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p182

Java Plugin 7 update 7 and 8 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p180

Flash Player Plugin between 11.0 and 11.4.402.287 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p178

Flash Player Plugin below 10.3.183.19 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p176
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 52 • 12 years ago
Should I file a new bug for the 3 vulnerable Flash 10.3 versions (10.3.183.20, 10.3.183.23 and 10.3.183.25) that are not blocked?
Comment 53 • 12 years ago
The blocks appear to be working as expected on production. Be advised that we were unable to test Java on Mac, as with the staged block.
Status: RESOLVED → VERIFIED
Comment 54 • 12 years ago
(In reply to Scoobidiver from comment #52)
> Should I file a new bug for the 3 vulnerable Flash 10.3 versions
> (10.3.183.20, 10.3.183.23 and 10.3.183.25) that are not blocked?

Done - bug 807258
No longer blocks: 807258
Updated 8 years ago: Product: addons.mozilla.org → Toolkit