Closed Bug 642406 Opened 13 years ago Closed 11 years ago

Plugin Finder service installs out of date, vulnerable Java 1.7u11

Categories

(Toolkit Graveyard :: Plugin Finder Service, defect, P1)

x86
Windows XP
defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: bc, Unassigned)

I used the plugin finder service to install Java on Windows XP this morning. It installed version 1.6.0 update 22 instead of update 24. The http://mozilla.com/plugincheck and java.com both detected that it was out of date.

We should not be installing an out of date and vulnerable version of Java.

I don't know about the plugin finder on Linux or Mac, but it should be checked as well.

Oracle's probably changed the URLs. Will look into it and update.

Can you replicate? I get R24 when I go to the Java URLs defined (e.g. http://www.java.com/en/download/manual.jsp)

Performing a manual installation from java.com gave me R24. It was using our plugin finder service that installed the out of date version. If I recall correctly, this happened on more than one of my vms before I discovered the issue. Have you tried that? If needed, I can uninstall Java on one of my vms and try the plugin finder installation again to confirm.

I just confirmed on xp that plugin finder installs an out of date version of java.

Java(TM) Platform SE 6 U22

    File: npjp2.dll
    Version: 6.0.220.4
    Next Generation Java Plug-in 1.6.0_22 for Mozilla browsers

The plugin finder server still installs the 22 revision onto Windows XP. The most current version of Java is 25.

After using pfs to install Java and using mozilla.com/plugincheck, it does flag 22 as out of date. Following the link to update takes you to Oracle where they recommend uninstalling the out of date version before installing the most current.

I really must insist that the pfs service for Java be updated or disabled immediately.

Directing our users to install an out of date, insecure, vulnerable version of Java which immediately places them at risk of compromise is unacceptable. One of the major causes of our current crash issues is the installation of malware. In my opinion, malware-induced crashes are a major cause of our users switching to other browsers.
Priority: -- → P1
I've asked Oracle for an update on whether they've ceased support on the Firefox-specific version of Java. I'll submit a patch for review for PFS which will direct users to the download page only.
Depends on: 622463
Superseded by bug 837240 perhaps?
Flags: needinfo?(bclary)
I just checked on Windows XP and the PFS prompts to install Java 7 update 11 so we are still not right. :-(

1. on a Windows machine without Java, visit
http://mainline.brynmawr.edu/Courses/cs110/spring2002/Applets/Smiley/Smiley.html
2. click on Install missing plugins
3. prompted to install jre 7u11.
Flags: needinfo?(bclary)
Summary: Plugin Finder service installs out of date, vulnerable Java 1.6.0_22 → Plugin Finder service installs out of date, vulnerable Java 1.7u11
PFS now just links to https://support.mozilla.org/kb/use-java-plugin-to-view-interactive-content, so this should be fixed (or a bug opened against SUMO if that process is broken).
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Product: Toolkit → Toolkit Graveyard