Closed Bug 598453 Opened 11 years ago Closed 11 years ago

New version of JEP (0.9.7.4), please land on branches

Product/Component: Core :: Plug-ins
Type: defect
Platform: All, macOS
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Tracking Status:
status1.9.2 --- .11-fixed
status1.9.1 --- .14-fixed
Reporter: smichaud
Assigned: smichaud
Keywords: fixed1.9.0.20
Whiteboard: [sg:high]
Attachments: 1 file

JEP 0.9.7.4 fixes (or works around) a major security hole (see bug
589041), and also fixes two other bugs (which are major annoyances for
certain classes of users).

Because I don't want to reveal too much about the security bug before
it's been fixed in all current Mozilla releases, I haven't yet
formally released JEP 0.9.7.4 (I haven't yet uploaded it to
http://javaplugin.sourceforge.net/).  That's also why I've marked this
bug security sensitive.

I've already emailed copies of the JEP 0.9.7.4 distro to Dan Veditz
and Christian Legnitto.  I can also email copies to others who wish to
test it (its size is about 4MB).

JEP 0.9.7.4 needs to be landed on the current branches (1.9.2 and
1.9.1) soon -- before the 1.9.2.11 and 1.9.1.14 branch code freeze
(currently scheduled for 2010-09-28).  It should probably also be
landed on the 1.9.0 branch (as JEP 0.9.7.3 was), so Camino can pick it
up (Smokey may have more to say about this).

Those who want to try the new version right away will need to install
it "over" the older versions currently bundled with Mozilla.org
browsers.  I recommend doing the following.  Note that these
instructions have changed from what I used to recommend.  This is
because Apple made changes in their most recent Java Updates (on OS X
10.5.X and 10.6.X) that cause the previous instructions to no longer
work properly.

For each of the browser binaries you wish to update:

1) Control-click (or right-click) on the browser binary and choose
   "Show Package Contents".

2) Browse to the Contents/MacOS/plugins folder and delete
   JavaEmbeddingPlugin.bundle and MRJPlugin.plugin.

3) Drag copies of the new Java Embedding Plugin binaries to the
   Contents/MacOS/plugins folder.
Attachment #477289 - Flags: review?(joshmoz)
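
A way to audit whether a browser bundle still carries a JEP older than 0.9.7.4 after the replacement steps above (an added example, not part of the original comment or of the JEP distribution). It assumes the version string is stored under the standard `CFBundleShortVersionString` or `CFBundleVersion` key of each bundle's Info.plist; the function names are hypothetical.

```python
import plistlib
import sys
from itertools import takewhile
from pathlib import Path

FIXED = (0, 9, 7, 4)                         # JEP version named in this bug
PLUGIN_DIR = Path("Contents/MacOS/plugins")  # folder named in the steps above
BUNDLES = ("JavaEmbeddingPlugin.bundle", "MRJPlugin.plugin")

def parse_version(text):
    """Turn '0.9.7.3' into (0, 9, 7, 3); parsing stops at the first non-numeric part."""
    return tuple(int(p) for p in takewhile(str.isdigit, str(text).split(".")))

def bundle_version(bundle):
    """Return the version string from a bundle's Contents/Info.plist, or None."""
    try:
        with (bundle / "Contents" / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except Exception:          # missing file or malformed plist
        return None
    if not isinstance(info, dict):
        return None
    # Assumption: the version lives in one of the standard bundle keys.
    return info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")

def audit_app(app):
    """Return {bundle name: status} for one browser .app directory."""
    report = {}
    for name in BUNDLES:
        bundle = Path(app) / PLUGIN_DIR / name
        if not bundle.is_dir():
            report[name] = "missing"
            continue
        version = bundle_version(bundle)
        if version is None:
            report[name] = "unreadable"
        elif parse_version(version) < FIXED:
            report[name] = f"outdated ({version})"
        else:
            report[name] = f"ok ({version})"
    return report

if __name__ == "__main__":
    # Usage: python audit_jep.py /Applications/SomeBrowser.app ...
    for app in sys.argv[1:]:
        for name, status in audit_app(app).items():
            print(f"{app}: {name}: {status}")
```

A bundle reported as "missing" or "unreadable" after step 3 means the copy did not complete and the browser should be rechecked before use.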
Steven, can you mail me a copy, too (at this address), so I can take it for a spin in Camino?

As Steven mentioned, we will want this on 1.9.0 for our next Camino release (we'd like to have our RC built by end-of-month, but we're still blocked on a couple of our own bugs, so the final timeline is still a bit murky).  Assuming the new JEP lands simultaneously on 1.9.1 and 1.9.2, it would be great if it could land on 1.9.0 with them.
Attachment #477289 - Flags: review?(joshmoz) → review+
Attachment #477289 - Flags: approval1.9.2.11?
Attachment #477289 - Flags: approval1.9.1.14?
Attachment #477289 - Flags: approval1.9.0.next?
Attachment #477289 - Flags: approval1.9.2.11?
Attachment #477289 - Flags: approval1.9.2.11+
Attachment #477289 - Flags: approval1.9.1.14?
Attachment #477289 - Flags: approval1.9.1.14+
Attachment #477289 - Flags: approval1.9.0.next? → approval1.9.0.next+
Approved for the branches.
Landed on the 1.9.0 branch:

Checking in plugin/oji/JEP/JavaEmbeddingPlugin.bundle/Contents/Info.plist;
/cvsroot/mozilla/plugin/oji/JEP/JavaEmbeddingPlugin.bundle/Contents/Info.plist,v  <--  Info.plist
new revision: 1.23; previous revision: 1.22
done
Checking in plugin/oji/JEP/JavaEmbeddingPlugin.bundle/Contents/MacOS/JavaEmbeddingPlugin;
/cvsroot/mozilla/plugin/oji/JEP/JavaEmbeddingPlugin.bundle/Contents/MacOS/JavaEmbeddingPlugin,v  <--  JavaEmbeddingPlugin
new revision: 1.24; previous revision: 1.23
done
Checking in plugin/oji/JEP/JavaEmbeddingPlugin.bundle/Contents/Resources/English.lproj/InfoPlist.strings;
/cvsroot/mozilla/plugin/oji/JEP/JavaEmbeddingPlugin.bundle/Contents/Resources/English.lproj/InfoPlist.strings,v  <--  InfoPlist.strings
new revision: 1.23; previous revision: 1.22
done
Checking in plugin/oji/JEP/JavaEmbeddingPlugin.bundle/Contents/Resources/Java/JavaEmbeddingPlugin.jar;
/cvsroot/mozilla/plugin/oji/JEP/JavaEmbeddingPlugin.bundle/Contents/Resources/Java/JavaEmbeddingPlugin.jar,v  <--  JavaEmbeddingPlugin.jar
new revision: 1.23; previous revision: 1.22
done
Checking in plugin/oji/JEP/MRJPlugin.plugin/Contents/Info.plist;
/cvsroot/mozilla/plugin/oji/JEP/MRJPlugin.plugin/Contents/Info.plist,v  <--  Info.plist
new revision: 1.23; previous revision: 1.22
done
Checking in plugin/oji/JEP/MRJPlugin.plugin/Contents/MacOS/MRJPlugin;
/cvsroot/mozilla/plugin/oji/JEP/MRJPlugin.plugin/Contents/MacOS/MRJPlugin,v  <--  MRJPlugin
new revision: 1.24; previous revision: 1.23
done
Checking in plugin/oji/JEP/MRJPlugin.plugin/Contents/MacOS/MRJPlugin.jar;
/cvsroot/mozilla/plugin/oji/JEP/MRJPlugin.plugin/Contents/MacOS/MRJPlugin.jar,v  <--  MRJPlugin.jar
new revision: 1.23; previous revision: 1.22
done
Checking in plugin/oji/JEP/MRJPlugin.plugin/Contents/Resources/MRJPlugin.rsrc;
/cvsroot/mozilla/plugin/oji/JEP/MRJPlugin.plugin/Contents/Resources/MRJPlugin.rsrc,v  <--  MRJPlugin.rsrc
new revision: 1.19; previous revision: 1.18
done
Checking in plugin/oji/JEP/MRJPlugin.plugin/Contents/Resources/English.lproj/InfoPlist.strings;
/cvsroot/mozilla/plugin/oji/JEP/MRJPlugin.plugin/Contents/Resources/English.lproj/InfoPlist.strings,v  <--  InfoPlist.strings
new revision: 1.23; previous revision: 1.22
done
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Since this bug is not _in_ the JEP but is about landing code in Gecko, I'm changing the product so I can set the branch status flags appropriately
Assignee: smichaud → blackconnect
Component: Java (Java Embedding Plugin) → Java-Implemented Plugins
Product: Plugins → Core
QA Contact: jep-java → blackconnect
(In reply to comment #7)
> Since this bug is not _in_ the JEP but is about landing code in Gecko, I'm
> changing the product so I can set the branch status flags appropriately

You join the list of people wanting bug 584632 to actually get fixed ;)
Assignee: blackconnect → smichaud
Component: Java-Implemented Plugins → Plug-ins
QA Contact: blackconnect → plugins
Whiteboard: [sg:high]
I'm wondering if this bug needs an advisory for the 1.9.2.11 and 1.9.1.14 releases.  I'm also unclear why it's marked sg:high when it blocks a sg:critical bug.
Unfortunately, this seems to have broken popular game sites Yahoo! Games and pogo.com, which are apparently not the kinds of Java applets/sites that any of us test against :(  See bug 607678.
Group: core-security
Now that this bug is no longer marked security-sensitive, I'll formally release JEP 0.9.7.4 pretty soon -- possibly this weekend.