Your message dated Sun, 12 Jul 2020 14:35:22 +0000
with message-id <[email protected]>
and subject line Bug#959804: fixed in debian-security-support 2020.07.12
has caused the Debian Bug report #959804,
regarding debian-security-support: Consider marking src:mozjs68 as "support
limited"
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
959804: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959804
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debian-security-support
Version: 2020.04.16
Severity: normal
X-Debbugs-Cc: [email protected], [email protected],
[email protected]

mozjs68 has essentially the same security status as mozjs60, and I'm not
sure how realistic it is to expect it to be safe for use with untrusted
content. The GNOME team mainly maintains it as a dependency of gjs, where
this restriction is not a problem because the JavaScript code is fully
trusted anyway (JavaScript as an alternative to Python etc., rather than
JavaScript as a sandboxed language like its use on the web).

Note that this conflicts somewhat with the existence of
libproxy1-plugin-mozjs, which uses mozjs68 to parse proxy
autoconfiguration files; but that isn't a regression, because older
versions of libproxy1-plugin-mozjs used mozjs60 or older, which have
the same limited security support. I'm not sure whether there is any
reasonable threat model where PAC is *completely* untrusted content, but
I'm not sure whether it can be considered to be completely trusted either?

libproxy1-plugin-mozjs doesn't actually *work* in non-trivial cases
(https://github.com/libproxy/libproxy/issues/119), it has a popcon score
of 108 installations, and mozjs68 appears to be less portable than
WebKitGTK in practice, so perhaps it would make sense to just remove
that plugin.

smcv
--- End Message ---
--- Begin Message ---
Source: debian-security-support
Source-Version: 2020.07.12
Done: Holger Levsen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
debian-security-support, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated debian-security-support
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 12 Jul 2020 16:18:31 +0200
Source: debian-security-support
Architecture: source
Version: 2020.07.12
Distribution: unstable
Urgency: medium
Maintainer: Holger Levsen <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Closes: 959804
Changes:
 debian-security-support (2020.07.12) unstable; urgency=medium
 .
   * Drop support for jessie:
     - drop security-support-ended.deb8.
     - set DEB_LOWEST_VER_ID=9 in check-support-status.in.
   * security-support-limited:
     - add mozjs68. Closes: #959804, thanks to Simon McVittie for the bug
       report.
     - drop glpi as it was only shipped in jessie and before.
     - drop ltp as it was only shipped in squeeze.
     - drop wine-gecko-2.(21|24) as they were only present in jessie.
   * lintian-overrides: drop unused
     maintainer-script-should-not-use-adduser-system-without-home.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---