Closed Bug 1154410 Opened 10 years ago Closed 8 years ago

Java 7u79 and 8u45 released

Categories

(Plugin Check Graveyard :: Database, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: roger.lewis, Unassigned)

Details

Today Java SE 7u79 and 8u45 were released to java.com and Oracle.com, which contain vulnerability fixes. They were released Tuesday April 14th, 2015 at 12pm PT. Please update the version checker to show these as the latest releases. Related documents: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
CCing rmcguigan and Matt Grimes. I think they can add these Plugins to the Plugincheck Database.

DJ-Leith
Jorge, if there isn't already a blocklist request for this, please file that as well.
Flags: needinfo?(jorge)
Flags: needinfo?(jorge)
FAO Mark Schmidt

1. Please ensure that the Plugincheck Database is updated, and Plugincheck Website is tested, BEFORE the blocklist (bug 1159917 "Blocklist Java 7u78 and lower, 8u44 and lower") goes live.

If the blocklist and Plugincheck 'disagree' (about the safe versions of Java) then I anticipate lots of confusion like we had in December 2014. Not only does it waste many Users' time, it alarms them and it lowers their trust in Mozilla and the 'Plugincheck Service'.

2. I advocate that whoever updates the Database does their own research.

3. However, in view of the urgency, here are some facts that I expect you will be able to confirm:

3.1 According to Bugzilla, the most recent versions of Java that were added to the Plugincheck Database (before 2015-04-14) were: Bug 1123881 "Java 7u75 and 8u31 released", Reported 2015-01-20, FIXED 2015-01-21.

3.2 Evidence in the 'JSON List' that passes data from the 'Plugincheck Database' to the 'Plugincheck Website'.

On 2014-04-10, see https://bug1154431.bugzilla.mozilla.org/attachment.cgi?id=8594408

> *** We do NOT know when the 'JSON List' was generated (see bug 1105483
> *** "Add a 'Generated' Date and Time stamp to the top of the 'Plugincheck JSON List' ")
> *** However, line 0550 shows Flash 17.0.0.134 which was added
> *** on 2015-03-13 at 11:17:04 PDT (bug 1143079).
> 0009 jQuery111008872308988399221_1428693762207({
> 0010 'plugins': {

We had the following data for Java:

Java 8 u31 - is "latest" (input in bug 1123881 - at 3.1 above)
> 2344 'status': 'latest',
> 2345 'version': '8.0.31',
> 2346 'detected_version': '8.0.31',
> 2347 'detection_type': '*',
> 2348 'os_name': '*',
> 2349 'platform': {
> 2350 'app_id': '*',
> 2351 'app_release': '*',
> 2352 'app_version': '*',
> 2353 'locale': '*'

Java 7 u71 - is "latest" (I do NOT think this is CORRECT. Correct should have been 'Java 7 u75' and it should have been input in bug 1123881 - at 3.1 above)
> 2357 'status': 'latest',
> 2358 'version': '7.0.71',
> 2359 'detected_version': '7.0.71',
> 2360 'detection_type': '*',
> 2361 'os_name': '*',
> 2362 'platform': {
> 2363 'app_id': '*',
> 2364 'app_release': '*',
> 2365 'app_version': '*',
> 2366 'locale': '*'

Java 6 u81 - is "latest" (this might not be TRUE - see below)
> 2370 'status': 'latest',
> 2371 'version': '6.0.81',
> 2372 'detected_version': '6.0.81',
> 2373 'detection_type': '*',
> 2374 'os_name': '*',
> 2375 'platform': {
> 2376 'app_id': '*',
> 2377 'app_release': '*',
> 2378 'app_version': '*',
> 2379 'locale': '*'

According to https://en.wikipedia.org/wiki/Java_version_history the latest 'Java 6 version' is
> Java SE 6 Update 95
> released 2015-04-14
> Not available publicly,
> only available through the Java SE Support program and in
> Solaris 10's Recommended Patchset Cluster; 14 security fixes

Java 5 u71 - is "latest" (again, this might not be TRUE - see "Java_version_history" just above, Java 5 is old)
> 2383 'status': 'latest',
> 2384 'version': '5.0.71',
> 2385 'detected_version': '5.0.71',
> 2386 'detection_type': '*',
> 2387 'os_name': '*',
> 2388 'platform': {
> 2389 'app_id': '*',
> 2390 'app_release': '*',
> 2391 'app_version': '*',
> 2392 'locale': '*'

Java 8 u25 - is "vulnerable" (input in bug 1123881 - at 3.1 above)
> 2396 'vulnerable': [
> 2397 {
> 2398 'status': 'vulnerable',
> 2399 'vulnerability_description': 'This Critical Patch Update contains 169 new security fixes',
> 2400 'vulnerability_url': 'http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html',
> 2401 'version': '8.0.25',
> 2402 'detected_version': '8.0.25',
> 2403 'detection_type': '*',
> 2404 'os_name': '*',
> 2405 'platform': {
> 2406 'app_id': '*',
> 2407 'app_release': '*',
> 2408 'app_version': '*',
> 2409 'locale': '*'
> 2410 }

Java 7 u67 - is "vulnerable" (I think it might have been 'marked vulnerable' in bug 1082813 "Java 7u71 and 8u25 released")
> 2458 'status': 'vulnerable',
> 2459 'vulnerability_description': 'vendor information',
> 2460 'vulnerability_url': 'http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html',
> 2461 'version': '7.0.67',
> 2462 'detected_version': '7.0.67',
> 2463 'detection_type': '*',
> 2464 'os_name': '*',
> 2465 'platform': {
> 2466 'app_id': '*',
> 2467 'app_release': '*',
> 2468 'app_version': '*',
> 2469 'locale': '*'

https://en.wikipedia.org/wiki/Java_version_history lists some versions of Java 7 that were released after Java 7 u67, i.e. u71 and u72, and before Java 7 u75.
> Java SE 7 Update 71
> 2014-10-14, 16 bug fixes
> Java SE 7 Update 72
> 2014-10-14, Same release date with Update 71 as a
> corresponding Patch Set Update (PSU) for Java SE 7, 36 bug fixes

3.3 You will need to update both Java 7 and Java 8.

In the 'Plugincheck Database' GUI Screenshot (a year ago) on 2104-04-09 https://bug959760.bugzilla.mozilla.org/attachment.cgi?id=8404012 Shows the 'Java 8 family' [1.8.0.0] and the 'Java 7 family' "1.7.0.51" AKA 'Java 7 u51'

The screenshot was discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=985968#c41 where the 'new Java 8 family', which was available to developers, had a 'version number that was higher than the current Java 7' i.e. "Java 7 u51". As a result the vast majority of visitors to the Plugincheck Website, who had a 'Java 7' Plugin, were told that their "Java 7 u51" was "vulnerable" in Error.

Note: The 'JSON List' data (shown above in 3.2) strips off the leading "1." from Java Versions: so 'Java 7 u51' is "7.0.51" in the 'JSON List' but "1.7.0.51" in the Database.

4. Testing

Some older versions are available at Oracle's official download site http://www.oracle.com/technetwork/java/javase/downloads/index.html

DJ-Leith
Flags: needinfo?(mschmidt)
The plugin check page was updated when 1159917 was filed. Note: That page is updated much more frequently than bugzilla would suggest. The current change process for that page is very informal. This will likely change for the better in the near future.
Flags: needinfo?(mschmidt)
Per Oracle[1] the current security baselines are 1.8.0_45 (Java 8) and 1.7.0_79 (Java 7). The plugins page reflects this change.

[1] http://www.oracle.com/technetwork/java/javase/8u45-relnotes-2494160.html

Thanks for doing that research, DJ-Leith.
(In reply to Mark Schmidt (:marksc) from comment #5)
> The plugin check page was updated when 1159917 was filed.

Very good to read.

> Note: That page is updated much more frequently than bugzilla would suggest.
> The current change process for that page is very informal. This will likely change
> for the better in the near future.

I think a more formal record would be a good idea.

Mark, when you think the data is correct, and the Plugincheck Website shows the 'correct result for Java', please close this bug.

I speculate that a 'visitor to Plugincheck', who had 'Java 7 u75' (released on 2015-01-19) might be told "Up to Date" in Error (see below for evidence).

Looking at the data today, using PFS [1], has the advantage of showing more detail about when the data about a specific Plugin was changed. This is harder than 'looking at the JSON List', which can be seen at https://plugins.mozilla.org/en-us/plugins_list.json

The 'JSON List' does not have an indication of when the 'JSON List' itself was generated.

Here is data about 'Java 8 u45' AKA "1.8.0.45", which has been added.
> 0030 'latest': [
> 0031 {
> 0032 'id': '4',
> 0033 'pfs_id': 'java-runtime-environment',
> 0034 'name': 'Java Runtime Environment',
> 0035 'vendor': 'Sun Microsystems',
> 0036 'url': 'http://www.java.com/en/download/manual.jsp',
> 0037 'modified': '2015-05-01T21:04:07+00:00',
> 0038 'created': '2015-04-24T01:24:28+00:00',
> 0039 'plugin_id': '7',
> 0040 'os_id': '1',
> 0041 'platform_id': '4',
> 0042 'status': 'latest',
> 0043 'version': '1.8.0.45',
> 0044 'detected_version': '1.8.0.45',
> 0045 'detection_type': 'original',
> 0046 'os_name': '*',
> 0047 'app_id': '*',
> 0048 'app_release': '*',
> 0049 'app_version': '*',
> 0050 'locale': '*',
> 0051 'fetched': '2015-05-01T08:18:37-07:00',
> 0052 'relevance': 1

It was added (record "created") on 2015-04-24
> 0037 'modified': '2015-05-01T21:04:07+00:00',
> 0038 'created': '2015-04-24T01:24:28+00:00',

Java 7 u79, is "latest", and was added today.
> 0060 'modified': '2015-05-01T21:04:06+00:00',
> 0061 'created': '2015-05-01T21:04:06+00:00',
> 0062 'plugin_id': '7',
> 0063 'os_id': '1',
> 0064 'platform_id': '4',
> 0065 'status': 'latest',
> 0066 'version': '1.7.0.79',

Java 8 u31 is correctly recorded as "vulnerable".
> 0156 'modified': '2015-05-01T21:04:07+00:00',
> 0157 'created': '2015-03-11T20:35:27+00:00',
> 0158 'plugin_id': '7',
> 0159 'os_id': '1',
> 0160 'platform_id': '4',
> 0161 'status': 'vulnerable',
> 0162 'vulnerability_description': 'oracle release notes',
> 0163 'vulnerability_url': 'http://www.oracle.com/technetwork/java/javase/8u45-relnotes-2494160.html',
> 0164 'version': '1.8.0.31',
> 0165 'detected_version': '1.8.0.31',

The 'Java 7' with the highest version number, that I can find, that is recorded as "vulnerable" is 'Java 7 u71'.
> 0279 'modified': '2015-05-01T21:04:07+00:00',
> 0280 'created': '2014-10-15T20:58:53+00:00',
> 0281 'plugin_id': '7',
> 0282 'os_id': '1',
> 0283 'platform_id': '4',
> 0284 'status': 'vulnerable',
> 0285 'vulnerability_description': 'oracle release notes',
> 0286 'vulnerability_url': 'http://www.oracle.com/technetwork/java/javase/8u45-relnotes-2494160.html',
> 0287 'version': '1.7.0.71',
> 0288 'detected_version': '1.7.0.71',

I speculate that a 'visitor to Plugincheck', who had 'Java 7 u75' (released on 2015-01-19) might be told "Up to Date" in Error.

I might be wrong. Perhaps the fact that 'Java 7 u79', is "latest", and was added today.
> 0060 'modified': '2015-05-01T21:04:06+00:00',
> 0061 'created': '2015-05-01T21:04:06+00:00',
> 0062 'plugin_id': '7',
> 0063 'os_id': '1',
> 0064 'platform_id': '4',
> 0065 'status': 'latest',
> 0066 'version': '1.7.0.79',
would result in users who had 'Java 7 u75' getting a report of "vulnerable". I hope so.

If you have Java please test.

[1] Here is the URL I used today:
https://plugins.mozilla.org/pfs/v2?appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appRelease=39&appVersion=20150501004005&clientOS=Windows&chromeLocale=en-US&detection=original&mimetype=application%2Fx-java-applet+application&callback=C

Select the 'result' <Ctrl>+<a> (to select all)
Copy this and paste into Scratchpad, at line 9, then "Pretty Print".
I have added line numbers to the TXT file.
These match the Scratchpad line numbers (1089 lines).

DJ-Leith
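The version comparison the comments above turn on (the 'Java 8 family' record outranking 'Java 7 u51', the leading "1." that the 'JSON List' strips, and 'Java 7 u75' sitting between the u71 and u79 records), as an added example that is not part of this bug or of Mozilla's Plugincheck code. The record set is constructed from the 'status' and 'version' fields quoted above, and `parse`, `classify`, `classify_naive` and the returned labels are hypothetical names; treating the gap as "outdated" is one possible policy.

```python
import re

# Constructed sample modelled on the 'status' / 'version' fields quoted above;
# not the real Plugincheck data set.
RECORDS = [
    {"status": "latest", "version": "1.8.0.45"},
    {"status": "latest", "version": "1.7.0.79"},
    {"status": "vulnerable", "version": "1.8.0.31"},
    {"status": "vulnerable", "version": "1.7.0.71"},
]


def parse(version):
    """Split a Java version into (family, rest), accepting '1.7.0.79',
    '7.0.79' and '1.7.0_79' as the same release."""
    parts = [int(p) for p in re.split(r"[._]", version)]
    if parts[0] == 1 and len(parts) > 3:   # database form with leading "1."
        parts = parts[1:]
    return parts[0], tuple(parts[1:])


def classify(detected, records):
    """Compare only against records of the detected version's own family."""
    family, rest = parse(detected)
    same = [(r["status"], parse(r["version"])[1])
            for r in records if parse(r["version"])[0] == family]
    latest = [v for s, v in same if s == "latest"]
    vulnerable = [v for s, v in same if s == "vulnerable"]
    if not latest:
        return "unknown"            # no baseline recorded for this family
    if vulnerable and rest <= max(vulnerable):
        return "vulnerable"
    if rest < max(latest):
        return "outdated"           # the gap: above 7u71, below 7u79
    return "latest" if rest == max(latest) else "newer"


def classify_naive(detected, records):
    """Cross-family comparison: one highest 'latest' record for everything."""
    newest = max(parse(r["version"]) for r in records if r["status"] == "latest")
    return "latest" if parse(detected) >= newest else "outdated"
```

With these records, `classify("1.7.0.75", RECORDS)` lands in the gap and is reported as "outdated", while `classify_naive("1.7.0.79", RECORDS)` flags the current Java 7 release because a Java 8 record outranks it.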
See also: Bug 1381926
Status: NEW → RESOLVED
Closed: 8 years ago
Component: plugins.mozilla.org → Database
OS: Mac OS X → All
Product: Websites → Plugin Check
Resolution: --- → INCOMPLETE