Package: release.debian.org Control: affects -1 + src:mozjs128 X-Debbugs-Cc: mozjs128@packages.debian.org User: release.debian.org@packages.debian.org Usertags: pu Tags: trixie [ Reason ] New bugfix release [ Impact ] mozjs128 is the SpiderMonkey JavaScript engine from Firefox ESR 128. I identified 2 security fixes in 128.14 https://www.mozilla.org/en-US/security/advisories/mfsa2025-66/ https://github.com/mozilla-firefox/firefox/commits/esr128/js mozjs128 is only used by gjs (for GNOME Shell and several GNOME apps) and cjs (for Cinnamon). Practically, I am unaware of any Firefox CVEs ever being used to attack the desktop via gjs or cjs. Notably, debian-security-support says about mozjs128 "Not covered by security support, only suitable for trusted content". Therefore, updates for mozjs* are handled via regular updates. https://salsa.debian.org/debian/debian-security-support/-/blob/master/security-support.deb13#L30 [ Tests ] mozjs128 has a trivial autopkgtest which is passing for forky. I also completed manual testing of all gjs apps as described at https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs [ Risks ] mozjs128 is a key package for both GNOME and Cinnamon. Mozilla does a good job of doing monthly releases with minimal, mostly security related fixes for the ESR series. One time a few years ago, a mozjs update broke the gnome-weather app which was fixed with a simple rebuild of the app. [ Checklist ] [✔️] all changes are documented in the d/changelog [✔️] I reviewed all changes and I approve them [✔️] attach debdiff against the package in stable [✔️] the issue is verified as fixed in unstable [ Other info ] There is the final scheduled 128.x release before the 128 series reaches End of Life. On the other hand, this week there was a 115.27 release which isn't on the calendar at all so I admit I don't know for sure there won't be more 128.x releases. https://whattrainisitnow.com/calendar/ Thank you, Jeremy Bícha
Attachment:
mozjs128_128.14.0-1~deb13u1.debdiff
Description: Binary data