[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1035879: marked as done (unblock: mozjs102/102.10.0-1)

Your message dated Thu, 11 May 2023 17:12:23 +0000
with message-id <E1px9q3-00F8q6-8J@respighi.debian.org>
and subject line unblock mozjs102
has caused the Debian Bug report #1035879,
regarding unblock: mozjs102/102.10.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1035879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035879
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Control: affects -1 + src:mozjs102
X-Debbugs-Cc: mozjs102@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mozjs102 and reduce the days required to reach Testing.

[ Reason ]
The new mozjs102 stable point release includes multiple security fixes.

- CVE-2023-32211: Content process crash due to invalid wasm code
- CVE-2023-32215: Memory safety bugs

I included more in debian/changelog but those affected Firefox ESR,
not mozjs specifically. Sorry.

[ Impact ]
mozjs102 is only used by gjs which in turn is used by GNOME Shell and
several GNOME apps written in JavaScript.

[ Tests ]
The build tests have passed successfully and the gjs autopkgtests
triggered by this upload have passed too. (mozjs102 itself
does not have autopkgtests yet).

I also completed the manual test cases from
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
on Debian Testing.

[ Risks ]

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
mozjs102 is the SpiderMonkey JavaScript engine from the current
Firefox ESR stable branch. There are monthly releases until the end of August.

https://whattrainisitnow.com/calendar/

I am unaware of anyone using Firefox vulnerabilities to attack GNOME
Shell, but I think it's good to be prudent and apply available
security updates. I don't think the Debian Security Team has done
security uploads for mozjs*, in part because Mozilla's lifecycle is so
short that it's difficult for an upstream supported mozjs to be in a
Debian stable release.

For more info about the commits, see the Github mirror:
https://github.com/mozilla/gecko-dev/commits/esr102/js

unblock mozjs102/102.11.0-1

Thank you,
Jeremy Bicha

Attachment: mozjs-102.11.debdiff
Description: Binary data


--- End Message ---
--- Begin Message --- 
Unblocked.

--- End Message ---
Reply to: