Closed Bug 1217932 Opened 9 years ago Closed 9 years ago

Blocklist Java plugin up to versions 8u65 and 7u91

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: marksc, Assigned: jorgev, NeedInfo)

References

Details

On October 20th Oracle released Java 8u65 and 7u91 to address vulnerabilities in older versions. Older versions will need added to the blocklist. http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA
The blocks are now staged: Java Plugin 7 update 81 to 90 (click-to-play), Mac OS X https://addons-dev.allizom.org/en-US/firefox/blocked/p790 Java Plugin 8 update 46 to 64 (click-to-play), Mac OS X https://addons-dev.allizom.org/en-US/firefox/blocked/p791 Java Plugin 7 update 81 to 90 (click-to-play), Windows https://addons-dev.allizom.org/en-US/firefox/blocked/p792 Java Plugin 8 update 46 to 64 (click-to-play), Windows https://addons-dev.allizom.org/en-US/firefox/blocked/p793 Java Plugin 7 update 81 to 90 (click-to-play), Linux https://addons-dev.allizom.org/en-US/firefox/blocked/p794 Java Plugin 8 update 46 to 64 (click-to-play), Linux https://addons-dev.allizom.org/en-US/firefox/blocked/p795
Flags: needinfo?(kjozwiak)
Keywords: qawanted
It's going to be difficult to test the Java 7 blocks for 7u91... from Java's website: "Updates for Java SE 7 released after April 2015, and updates for Java SE 6 released after April 2013 are only available to Oracle Customers through My Oracle Support (requires support login)." The last version of Java 7 that's available to the public is 7u80 [1]. I'll continue testing with 8u65. Jorge, any suggestions? [1] http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html
Flags: needinfo?(jorge)
Maybe Roger from Oracle can help you with this.
Flags: needinfo?(jorge) → needinfo?(roger.lewis)
Finished testing the blocklists using 8u65 & 8u65 without any issues. Waiting for a response from Roger relating to 7u91. Windows 10 x64 VM: ================== Build Used: https://archive.mozilla.org/pub/firefox/nightly/2015/11/2015-11-13-03-02-48-mozilla-central/ File: npjp2.dll Path: C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll Version: 11.60.2.27 State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE) Next Generation Java Plug-in 11.60.2 for Mozilla browsers > Blocklist state for Java(TM) Platform SE 8 U60 changed from 0 to 4 File: npjp2.dll Path: C:\Program Files (x86)\Java\jre1.8.0_65\bin\plugin2\npjp2.dll Version: 11.65.2.17 State: Enabled Next Generation Java Plug-in 11.65.2 for Mozilla browsers > Blocklist state for Java(TM) Platform SE 8 U65 changed from 0 to 0 File: npjp2.dll Path: C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll Version: 11.66.2.18 State: Enabled Next Generation Java Plug-in 11.66.2 for Mozilla browsers > Blocklist state for Java(TM) Platform SE 8 U66 changed from 0 to 0 Ubuntu 14.04.3 x64 VM ===================== Build Used: https://archive.mozilla.org/pub/firefox/nightly/2015/11/2015-11-13-00-41-15-mozilla-aurora/ File: libnpjp2.so Path: /usr/java/jre1.8.0_60/lib/amd64/libnpjp2.so Version: 11.60.2 State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE) Next Generation Java Plug-in 11.60.2 for Mozilla browsers > Blocklist state for Java(TM) Plug-in 11.60.2 changed from 0 to 4 File: libnpjp2.so Path: /usr/java/jre1.8.0_65/lib/amd64/libnpjp2.so Version: 11.65.2 State: Enabled Next Generation Java Plug-in 11.65.2 for Mozilla browsers > Blocklist state for Java(TM) Plug-in 11.65.2 changed from 0 to 0 File: libnpjp2.so Path: /usr/java/jre1.8.0_66/lib/amd64/libnpjp2.so Version: 11.66.2 State: Enabled Next Generation Java Plug-in 11.66.2 for Mozilla browsers > Blocklist state for Java(TM) Plug-in 11.66.2 changed from 0 to 0 OSX 10.11.1 x64 =============== Build Used: https://archive.mozilla.org/pub/firefox/releases/42.0/mac/en-US/ File: JavaAppletPlugin.plugin Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin Version: Java 8 Update 60 build 27 State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE) Displays Java applet content, or a placeholder if Java is not installed. > Blocklist state for Java Applet Plug-in changed from 0 to 4 File: JavaAppletPlugin.plugin Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin Version: Java 8 Update 65 build 17 State: Enabled Displays Java applet content, or a placeholder if Java is not installed. > Blocklist state for Java Applet Plug-in changed from 0 to 0 File: JavaAppletPlugin.plugin Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin Version: Java 8 Update 66 build 17 State: Enabled Displays Java applet content, or a placeholder if Java is not installed. > Blocklist state for Java Applet Plug-in changed from 0 to 0 Test Cases used against each Plugin/OS: - ensured "Update Now" under about:addons pointed to the correct URLs outlined in comment # 1 - ensured that the plugin is correctly being blocked via https://www.java.com/en/download/installed.jsp - ensured that "Allow" and "Allow and Remember" are working correctly - ensured that "Ask to Activate" was selected and the other choices greyed out and not selectable
Kamil, Let me know how I can help test. I have sent you a mail for details on testing.
> Let me know how I can help test. I have sent you a mail for details on testing. Roger, I haven't received any emails from you :/ (I've checked the spam folder just in case as well) I basically need access to 7u91 as it seems it's only available for Oracle Customers through the My Oracle Support portal.
Flags: needinfo?(kjozwiak)
Given the enormous number of Firefox ESR38.4 end-users crashing due to a bug in Java7, we should consider blocking it soon. Please see the recommended versions of Java 7 that ought to be blocked from Donald Smith @Oracle: https://bugzilla.mozilla.org/show_bug.cgi?id=1221448#c66
We decided to move forward with the blocks, since they had stalled for too long and there were other issues coming up around them (bug 1221448). I hope we can resolve the testing issues so they don't come up in the future, but I also don't want us to dwell too much on this. Java Plugin 8 update 46 to 64 (click-to-play), Linux https://addons.mozilla.org/firefox/blocked/p1064 Java Plugin 7 update 81 to 90 (click-to-play), Linux https://addons.mozilla.org/firefox/blocked/p1063 Java Plugin 8 update 46 to 64 (click-to-play), Windows https://addons.mozilla.org/firefox/blocked/p1062 Java Plugin 7 update 81 to 90 (click-to-play), Windows https://addons.mozilla.org/firefox/blocked/p1061 Java Plugin 8 update 46 to 64 (click-to-play), Mac OS X https://addons.mozilla.org/firefox/blocked/p1060 Java Plugin 7 update 81 to 90 (click-to-play), Mac OS X https://addons.mozilla.org/firefox/blocked/p1059
Assignee: nobody → jorge
Status: NEW → RESOLVED
Closed: 9 years ago
Keywords: qawanted
Resolution: --- → FIXED
Target Milestone: --- → 45.3
Product: addons.mozilla.org → Toolkit
It would be nice if the browser provided any feedback to the user on why the plugin was rejected. Right now I see the 32-bit JRE 1.8.0_111 from Program Files (x86) getting into the INVALID section of my pluginreg.dat every time I start Nightly 52.0a1 (Nov 2, 2017) 32-bit. Disabling the blocklist via user_pref("extensions.blocklist.enabled", false); in prefs.js did not help, and searches online stumble on more frequent issues such as 64-bit vs 32-bit, Java control panel etc.
You need to log in before you can comment on or make changes to this bug.