Blocklist Java versions affected by Sept 25 0-day vulnerability

RESOLVED WORKSFORME

Status

Toolkit
Blocklisting
--
critical
5 years ago
2 years ago

People

(Reporter: Scoobidiver (away), Assigned: jorgev)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [plugin], URL)

(Reporter)

Description

5 years ago
A new critical vulnerability has been discovered in:
- Java SE 5 Update 22
- Java SE 6 Update 35
- Java SE 7 Update 7

There's no current fix, so the block should only display an info bar.
(Assignee)

Comment 1

5 years ago
The infobar block is useless without a version to update to, and I don't think we want to move forward with a block unless we have evidence of the vulnerability being exploited in the wild.
Assignee: nobody → jorge

Comment 2

5 years ago
I believe this is now (partially) fixed by "Oracle Java SE Critical Patch Update Advisory - October 2012"[1]

I'd say you should put the block in place and suggest that users upgrade to either 1.7.0_09 or 1.6.0_37.

[1] http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
(Reporter)

Comment 3

5 years ago
It's likely a dupe of bug 803152 although we have no evidence that this vulnerability is included in Java SE7u9 and SE6u37.

Comment 4

According to https://wiki.mozilla.org/Blocklisting/PluginBlocks Java SE 7 Update 7 is softblocked/CTP blocked in all Firefox versions. Java SE 6 Update 35 is CTP blocked in FF 17 and newer. So what's remaining here is Java SE 5 and softblocks for older Firefox versions (for Java SE 6).
(Reporter)

Comment 5

5 years ago
(In reply to Frank Wein [:mcsmurf] from comment #4)
> So what's remaining here is Java SE 5 and softblocks for older Firefox versions (for
> Java SE 6).
Old Java SE 6 versions are soft-blocklisted for any Firefox versions. See https://addons.mozilla.org/firefox/blocked/
Concerning Java SE 5, it's already hard-blocklisted for users of Firefox 3.6 and above. See bug 634639.

Comment 6

So https://wiki.mozilla.org/Blocklisting/PluginBlocks is out-of-date then? Because SE 6 Update 35 is not listed there.
(Assignee)

Comment 7

5 years ago
(In reply to Frank Wein [:mcsmurf] from comment #6)
> So https://wiki.mozilla.org/Blocklisting/PluginBlocks is out-of-date then?
> Because SE 6 Update 35 is not listed there.

The page should be up to date. Java 6 up to 6u30 is softblocked for all versions, and 6u31 to 6u32 are softblocked up to Firefox 17.*. 6u31 to 6u38 are only CTP blocked on 17 and above.
(Assignee)

Comment 8

5 years ago
As far as I can tell, all versions mentioned in this block have already been included in other blocks: https://wiki.mozilla.org/Blocklisting/PluginBlocks
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
Product: addons.mozilla.org → Toolkit