Closed Bug 1183369 Opened 10 years ago Closed 10 years ago

Blocklist Java plugin up to Version 8 Update 45 and Version 7 Update 80

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

VERIFIED FIXED
2015-07

People

(Reporter: jorgev, Assigned: jorgev)

All current versions of the Java plugin are vulnerable to a publicly disclosed vulnerability: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Oracle plans to release an update tomorrow, but this might require an immediate block.
QA Contact: kjozwiak
Summary: Blocklist Java plugin up to Version 8 Update 45 → Blocklist Java plugin up to Version 8 Update 45 and Version 7 Update 80
The blocks are now staged:

Java Plugin 7 update 79 to 80 (click-to-play), Mac OS X
https://addons-dev.allizom.org/en-US/firefox/blocked/p752

Java Plugin 8 update 45 (click-to-play), Mac OS X
https://addons-dev.allizom.org/en-US/firefox/blocked/p754

Java Plugin 7 update 79 to 80 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p756

Java Plugin 8 update 45 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p758

Java Plugin 7 update 79 to 80 (click-to-play), Linux
https://addons-dev.allizom.org/en-US/firefox/blocked/p760

Java Plugin 8 update 45 (click-to-play), Linux
https://addons-dev.allizom.org/en-US/firefox/blocked/p762

Kamil, can you please take a look?
Flags: needinfo?(kjozwiak)
Keywords: qawanted
Jorge, I'll take a look first thing in the morning. I've never tested a Java blocklist but hopefully it's similar to the Flash process :)
For what it's worth, I followed https://wiki.mozilla.org/Blocklisting/Testing and everything looks good to me.

Windows 8 using Firefox 38.0 win32
=============

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
Version: 11.45.2.14
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

File: npdeployJava1.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npdeployJava1.dll
Version: 11.45.2.14
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
NPRuntime Script Plug-in Library for Java(TM) Deploy

Tested:
- Plugin is blocked and "This plugin has security vulnerabilities" is displayed? Yes
- Clicking "Activate Java." presents "Allow Now" and "Allow and Remember" door-hanger? Yes
- Clicking "Allow Now" activates the plugin for the current site and session? Yes
- Plugin remains deactivated for other sites within the same session? Yes
- Plugin is deactivated for the same site in a new session? Yes
- Clicking "Allow and Remember" keeps the plugin activated for the same site between sessions? Yes
Windows 8.1 x64 (VM):
=====================

Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-14-03-02-06-mozilla-central/

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.80.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.79.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
Version: 11.45.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

Ubuntu 14.04.2 x64 (VM):
========================

Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-14-00-40-06-mozilla-aurora/

File: libnpjp2.so
Path: /usr/java/jre1.7.0_79/lib/amd64/libnpjp2.so
Version: 10.79.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers

File: libnpjp2.so
Path: /usr/java/jre1.7.0_80/lib/amd64/libnpjp2.so
Version: 10.80.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers

File: libnpjp2.so
Path: /usr/java/jre1.8.0_45/lib/amd64/libnpjp2.so
Version: 11.45.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

OSX 10.10.4 x64:
================

Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 79
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 80
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 45
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.

Went through the following test cases:

- used the following link to test the java block: https://www.java.com/verify
- ensured that "Allow" and "Allow and Remember" work correctly
- ensured that "Block Plugin" and "Continue Allowing" work correctly
- ensured that it worked in both e10s & non-e10s (m-c & m-a)
- ensured "is known to be vulnerable. Use with caution. <link>More Information</link>" appears under about:addons when STATE_VULNERABLE_NO_UPDATE
- ensured "More Information" opened the correct link (listed in comment # 1)

Summary:
========

Appears like the block is working as expected. However, they're all appearing as STATE_VULNERABLE_NO_UPDATE even though there's updates available. I'm guessing this is due to our end?

Also Jorge, take a look and let me know if I missed something as this is the first time I'm doing a java blocklist (I don't want to miss anything)
Flags: needinfo?(kjozwiak)
It all looks right. I staged the blocks with "update unavailable" since that was the reality at the time. I'll push the blocks live with "update available" in about an hour, unless something else comes up.
> It all looks right. I staged the blocks with "update unavailable" since that
> was the reality at the time. I'll push the blocks live with "update
> available" in about an hour, unless something else comes up.

Would it be worth it going through this again once it hits the live server? This time just checking to make sure that the blocked plugin is appearing as STATE_VULNERABLE_UPDATE_AVAILABLE??
The blocks are now live with update available on:

Java Plugin 7 update 79 to 80 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p954

Java Plugin 8 update 45 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p956

Java Plugin 7 update 79 to 80 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p958

Java Plugin 8 update 45 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p960

Java Plugin 7 update 79 to 80 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p962

Java Plugin 8 update 45 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p964

Kamil, can you give these a quick look?
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: qawanted
Resolution: --- → FIXED
Target Milestone: --- → 2015-07
Win 8.1 x64 (VM):
=================

Build used: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/

-----------
Vulnerable:
-----------

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.79.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.80.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
Version: 11.45.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

---------------
Not Vulnerable:
---------------

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll
Version: 11.51.2.16
State: Enabled
Next Generation Java Plug-in 11.51.2 for Mozilla browsers

Ubuntu 14.04.2 x64 (VM):
========================

Build used: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-15-09-55-19-mozilla-aurora/

-----------
Vulnerable:
-----------

File: libnpjp2.so
Path: /usr/java/jre1.7.0_79/lib/amd64/libnpjp2.so
Version: 10.79.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers

File: libnpjp2.so
Path: /usr/java/jre1.7.0_80/lib/amd64/libnpjp2.so
Version: 10.80.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers

File: libnpjp2.so
Path: /usr/java/jre1.8.0_45/lib/amd64/libnpjp2.so
Version: 11.45.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

---------------
Not Vulnerable:
---------------

File: libnpjp2.so
Path: /usr/java/jre1.8.0_51/lib/amd64/libnpjp2.so
Version: 11.51.2
State: Enabled
Next Generation Java Plug-in 11.51.2 for Mozilla browsers

OSX 10.10.4 x64:
================

-----------
Vulnerable:
-----------

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 79
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 80
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 45
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.

---------------
Not Vulnerable:
---------------

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 51
State: Enabled
Displays Java applet content, or a placeholder if Java is not installed.
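
The per-entry state check done by hand in the QA reports in this thread can be scripted over the same Version/State listing format. This is an added example, not part of the bug thread or of Firefox's blocklist code; the `BLOCKED` table, the function names and the mapping of 10.x/11.x plugin versions to Java 7/8 are assumptions read off the block names and plugin paths quoted in this thread.

```python
import re

# Blocked ranges named in this bug: Java major version -> inclusive update range.
BLOCKED = {7: (79, 80), 8: (45, 45)}

# One entry of the plugin listing: a Version line followed by a State line.
ENTRY = re.compile(r"Version:\s*(.+?)\s*\n\s*State:\s*Enabled(?:\s*\((STATE_\w+)\))?")


def parse_version(text):
    """Return (java_major, update) from either version style seen in the reports."""
    m = re.fullmatch(r"Java (\d+) Update (\d+)", text)  # OS X style
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.fullmatch(r"(\d+)\.(\d+)\.\d+(?:\.\d+)?", text)  # Windows/Linux style
    if m:
        # Assumption read off the paths in the reports: 10.x is Java 7, 11.x is Java 8.
        return int(m.group(1)) - 3, int(m.group(2))
    raise ValueError(f"unrecognised plugin version: {text!r}")


def expected_state(major, update, update_available):
    """State a correctly applied block should produce, or None if not blocked."""
    lo, hi = BLOCKED.get(major, (1, 0))  # empty range for unlisted majors
    if not lo <= update <= hi:
        return None
    suffix = "UPDATE_AVAILABLE" if update_available else "NO_UPDATE"
    return "STATE_VULNERABLE_" + suffix


def check_report(report, update_available=True):
    """Return (version, seen, expected) for every entry whose state is wrong."""
    problems = []
    for version, seen in ENTRY.findall(report):
        want = expected_state(*parse_version(version), update_available)
        if (seen or None) != want:
            problems.append((version, seen or None, want))
    return problems


# Entries excerpted from the live-block reports in this thread (File/Path lines omitted).
LIVE_REPORT = """\
Version: 10.80.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Version: Java 8 Update 45
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Version: 11.51.2.16
State: Enabled
"""
```

An empty result from `check_report(LIVE_REPORT)` means every blocked version shows the update-available state and the unblocked 8u51 entry carries no vulnerability state; passing `update_available=False` checks a report against the staged "update unavailable" blocks instead.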
Status: RESOLVED → VERIFIED
Excuse me, I'm new here and I've not read all these technical comments (yet) but I do want to tell you about the infinite loop you've created for me. Because the link is blocked, when I go to the Add-on manager and click UPDATE I get the same BLOCKED Add-on page that I saw when I pressed the UPDATE link, which then sends me back to the Add-on page for me to click UPDATE. How do you expect users to UPDATE any of the software you've BLOCKED under these circumstances?
Flags: needinfo?(jorge)
The update link should take you to a more useful page than the blocklist page. I'm not sure why that's happening, sorry about that. However, the blocklist page should point to our plugin check page, which should be more useful: http://www.mozilla.org/plugincheck/. Or just take a shortcut and go to https://java.com/.
Flags: needinfo?(jorge)
(In reply to Jorge Villalobos [:jorgev] from comment #10)
> The update link should take you to a more useful page than the blocklist
> page. I'm not sure why that's happening, sorry about that.

I'm hearing this again and again from different people. Do we have a bug filed for that?
Flags: needinfo?(jorge)
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #10)
> > The update link should take you to a more useful page than the blocklist
> > page. I'm not sure why that's happening, sorry about that.
>
> I'm hearing this again and again from different people. Do we have a bug
> filed for that?

Bug # 798176, CC'd Jorge and yourself if you two want to jump into the conversation :)
Flags: needinfo?(jorge)
Hey guys, I don't know what you updated here. I still can't update my Java. Can you please unblock this thing. Now I can't work from home because of this. I installed new Java 8 from website and I still get the same message that it is blocked.
(In reply to Deima from comment #13)
> Hey guys,
> I don't know what you updated here. I still can't update my Java. Can you
> please unblock this thing. Now I can't work from home because of this. I
> installed new Java 8 from website and I still get the same message that it
> is blocked.

Which version did you download/install? The latest version is Java SE 8u51 and that shouldn't be blocked. What version does "about:plugins" and "about:addons" list?
The Java company stopped updating Java 7 (which I have on my portable computer) on Windows XP. XP is not working for Java 8.
Product: addons.mozilla.org → Toolkit