If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Blocklisting IBM Java7 properly for Windows and Linux platforms

RESOLVED WORKSFORME

Status

()

Toolkit
Blocklisting
RESOLVED WORKSFORME
5 years ago
2 years ago

People

(Reporter: Riju Reghunath, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Build ID: 20130103094221

Steps to reproduce:

This issue is being opened in continuation to Mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=785837 request for blocklisting java due impact of CVE-2012-4681. 

New version of IBM JDK7 (Java7 Service Refresh (SR) 4) will be having a unique plugin and description for both Windows and Linux plugin. Mozilla should use the unique plugin name and description while they design script (blocklist.xml) to block IBM Java.

Comment 1

5 years ago
There was a conversation about splitting off the Java version string so Mozilla can distinguish between Oracle Java and IBM Java.  See https://bugzilla.mozilla.org/show_bug.cgi?id=743446

The upcoming release of IBM Java 7 SR4 and IBM Java 1.6 SR13 will have uniquely identifiable Java plugin version strings so that Mozilla can selectively blocklist the Java plugins on Windows / Linux.

In some security vulnerability cases over the past year, the Oracle Java plugin was at risk but the IBM Java plugin was not affected.  Because the Java plugin strings were not unique, IBM Java plugin users where unjustly blocked.   Unique version strings will give Mozilla and IBM more flexibility to construct plugin block rules.
As far as I understand it, we currently only target Oracle Java, so there shouldn't be any problems where IBM Java is accidentally blocked.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

2 years ago
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.