Package: release.debian.org
Control: affects -1 + src:mozjs102
X-Debbugs-Cc: mozjs...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package mozjs102 and reduce the days required to reach Testing.

[ Reason ]
The new mozjs102 stable point release includes multiple security fixes.
- CVE-2023-32211: Content process crash due to invalid wasm code
- CVE-2023-32215: Memory safety bugs

I included more in debian/changelog but those affected Firefox ESR, not mozjs specifically. Sorry.

[ Impact ]
mozjs102 is only used by gjs which in turn is used by GNOME Shell and several GNOME apps written in JavaScript.

[ Tests ]
The build tests have passed successfully and the gjs autopkgtests triggered by this upload have passed too. (mozjs102 itself does not have autopkgtests yet).

I also completed the manual test cases from
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
on Debian Testing.

[ Risks ]

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
mozjs102 is the SpiderMonkey JavaScript engine from the current Firefox ESR stable branch. There are monthly releases until the end of August.
https://whattrainisitnow.com/calendar/

I am unaware of anyone using Firefox vulnerabilities to attack GNOME Shell, but I think it's good to be prudent and apply available security updates.

I don't think the Debian Security Team has done security uploads for mozjs*, in part because Mozilla's lifecycle is so short that it's difficult for an upstream supported mozjs to be in a Debian stable release.

For more info about the commits, see the Github mirror:
https://github.com/mozilla/gecko-dev/commits/esr102/js

unblock mozjs102/102.11.0-1

Thank you,
Jeremy Bicha

mozjs-102.11.debdiff
Description: Binary data