Closed Bug 1381926 Opened 7 years ago Closed 7 years ago

Java 8u141 was released

Categories

(Toolkit :: Blocklist Policy Requests, defect)

critical

RESOLVED FIXED

People

(Reporter: roger.lewis, Unassigned)

Details

Tuesday July 18, 2017, at 10am PT, Java SE 8u141 was released to java.com and Oracle.com, which contains vulnerability fixes.

Please update the blocklist.  

Related documents:
http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
I staged the blocks for this update. They cover Java 7 150 and earlier, and Java 8 140 and earlier.

Kamil, please give these a spin (not urgent).
Flags: needinfo?(kjozwiak)
Florin, I won't have enough time to get this done before Monday. As mentioned above in comment#1, this isn't very urgent.

As per our discussion in yesterday's meeting, I'll send over some links/material on how to test these blocks sometime today/tonight.
Flags: needinfo?(kjozwiak) → needinfo?(florin.mezei)
(In reply to Kamil Jozwiak [:kjozwiak] from comment #2)
> Florin, I won't have enough time to get this done before Monday. As
> mentioned above in comment#1, this isn't very urgent.
> 
> As per our discussion in yesterday's meeting, I'll send over some
> links/material on how to test these blocks sometime today/tonight.

Understood, thanks Kamil! To be on the safer side, I'm moving this to Andrei (one week from now I'm going on vacation).
Flags: needinfo?(florin.mezei) → needinfo?(andrei.vaida)
Based on the links/material sent to us by Kamil, I managed to set up an environment here for us to test the blocklisting for Java, but I have a few questions:

1. I see that Java launched version 8u144 (http://www.oracle.com/technetwork/java/javase/8u144-relnotes-3838694.html), so I'm not clear on which version we should test: 8u141 or 8u144?
2. I've installed 8u141 and followed the steps from this etherpad "https://public.etherpad-mozilla.org/p/blocklisting" (steps made after the links/material sent by Kamil), but I saw that the staging URL for "extensions.blocklist.url" does not work.

Maybe I'm missing something here, Jorge can you help with this?
Flags: needinfo?(andrei.vaida) → needinfo?(jorge)
1. The blocks cover Java 7 150 and earlier, and Java 8 140 and earlier, so those should be tested as being blocked. More recent versions should not be blocked.

2. As far as I can see, the instructions on the etherpad are working. Can you please try again? If it doesn't work, please specify what isn't working.
Flags: needinfo?(jorge)
Thanks Jorge for your input but I still have some problems:

1. I downloaded Java 8 131 since that's the version before Java 8 141, and for some reason the plugin did not appear in Firefox 52.3.0esr (I also tried with the older ESR 52.2.0) on Windows 10 64-bit (I've installed both the 32-bit and 64-bit versions), but it did appear on Mac OS X 10.10 (I did not try on Linux though, that's what I'll do tomorrow). AFAIK Java and other plugins are not supported on newer builds (55, 56, 57), so I think this should be tested only on ESR builds; correct me if I'm wrong.

2. I followed the steps from the etherpad from comment 4, and at step number 6 I don't get the message "...changed from 0 to 4", I get "...changed from 0 to 0" and the plugin is not recognized as vulnerable and no update is found.
Flags: needinfo?(jorge)
1. I checked the Roadmap (https://developer.mozilla.org/en-US/docs/Plugins/Roadmap), and you're right, this should only matter for ESR. This may be the last Java plugin block we accept.

2. Okay, so the blocklist refresh did work, but the plugin didn't change state. That could mean there's something wrong with the block. If that persists, I'll need the details you get for the Java plugin in about:plugins.
Flags: needinfo?(jorge)
So we tested using Java 8u131 and the results are in the same etherpad from above (https://public.etherpad-mozilla.org/p/blocklisting). I want to point out that for Mac OS X 10.10.5 at step 6 from the etherpad "Blocklist state for Java Applet Plug-in changed from 0 to 0" is displayed in the console so the plugin is not marked as vulnerable. 

I'm not entirely sure what step 10 (from the etherpad) should actually do; I left a comment in the etherpad as well. Also, the URL from step 7 points to an XML file for Ubuntu and Windows.
Flags: needinfo?(jorge)
Thanks. I found a bug in the Mac OS blocklist and corrected it now. Please try testing again.

Not sure what 7 and 10 are about, but they shouldn't affect deploying the block.
Flags: needinfo?(jorge)
(In reply to Jorge Villalobos [:jorgev] from comment #9)
> Thanks. I found a bug in the Mac OS blocklist and corrected it now. Please
> try testing again.
> 
> Not sure what 7 and 10 are about, but they shouldn't affect deploying the
> block.

Finished testing on Mac OS as well, we can see the same behavior as on Windows and Ubuntu.
Cool. Andreas, can you please push these plugin blocks live?
Flags: needinfo?(awagner)
The blocks are now live.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(awagner)
Resolution: --- → FIXED
All I get when I try to update my Java SE8 on https://java.com is a SECURE CONNECTION FAILED and I see no way to bypass this with Firefox??? Thus, at least for now, I'm stuck with no way to update Java SE. What to do??