Closed
Bug 833364
Opened 11 years ago
Closed 11 years ago
Mozilla blocklisting policy ignored when blocking java 6u38
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 829111
People
(Reporter: bns_robson, Unassigned)
Details
I use Java version 6u38 and have just updated from Firefox 10.0.12esr to 17.0.2esr. I went to the "Add-ons Manager" and see it states that "Java(TM) Platform SE 6 U38 is known to cause security or stability issues."

I am unaware of any reported security issues for 6u38 (although I am aware that security issues have been reported for 7u11).

I have found the Mozilla security blog and, in the comments, when "skeptic" asks about blocking of 6u38, "mcoates" indicates that Mozilla know of no reported security issues with 6u38 (the post reads "We are being extra cautious to ensure all users are protected in the event the scope of the vulnerability is larger than the initial reports have indicated. We are erring on the side of caution."). See https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/

I also found Mozilla's blocklisting policy. Blocklisting reasons include "Critical security vulnerabilities". However the policy also states "Blocking third-party software is a sensitive issue that must be carefully considered in every case. We must be certain that the issue at hand is so great that it outweighs the user's choice to install the software, the utility it provides, and the vendor's freedom to distribute and control their software." See https://wiki.mozilla.org/Blocklisting

As Mozilla are not certain 6u38 has a security issue, blocking it is against Mozilla's blocklisting policy.

I also think blocking 6u38 without there being a known security issue is a BAD idea. Having researched the reason for blocking 6u38, I've added a permanent exception for 6u38 and I expect other people have or will do the same. This means that if a security issue is later actually found in 6u38, Mozilla can't warn us by adding a block when the security issue is found. See Aesop's Fable "The Boy Who Cried Wolf" http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf
We have taken the action to block all Java versions behind the click-to-play protections built into Firefox per bug 829111. Per https://bugzilla.mozilla.org/show_bug.cgi?id=829111#c29, we are being extra cautious here as information is still developing. If you have further questions or concerns, please comment in bug 829111 so as to keep all information in one central bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE