I installed gjs 1.74.0-0ubuntu1 (which pulled in libmozjs-102-0) on Ubuntu 22.04 LTS and successfully completed Test Case 1 and Test Case 2 from https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
I installed libmozjs-102-0 102.6.0-0ubuntu0.22.10.1 on Ubuntu 22.10 and successfully completed Test Case 1 and Test Case 2 from https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs ** Tags removed: verification-needed verification-needed-jammy verification-needed-kinetic ** Tags added: verification-done verification-done-jammy verification-done-kinetic -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gjs in Ubuntu. https://bugs.launchpad.net/bugs/1993214 Title: [jammy] Update gjs to 1.74 using mozjs102 102.3 Status in gjs package in Ubuntu: Fix Released Status in mozjs102 package in Ubuntu: Fix Released Status in gjs source package in Jammy: Fix Committed Status in mozjs102 source package in Jammy: Fix Committed Status in mozjs102 source package in Kinetic: Fix Committed Bug description: Impact ------ GNOME Shell uses the SpiderMonkey JavaScript engine from Firefox ESR (mozjs). Firefox 92 ESR has reached end of life; therefore, we should switch to the 102 ESR series for security updates for the next year. This requires updating gjs from 1.72 to 1.74 from GNOME 43, as packaged in Ubuntu 22.10. This will be done as a Security Update. Updating mozjs in stable Ubuntu releases was recommended when Ubuntu first switched back to GNOME, but this is the first time it's been done. Security Impact --------------- I looked through https://github.com/mozilla/gecko-dev/commits/esr102/js and searched for referenced bug numbers in https://www.mozilla.org/en-US/security/advisories/ for Firefox ESR releases since Ubuntu's 91.10 and found one CVE. Also, there's the vague Mozilla Bug 1771084 (no CVE issued) mentioned at https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/ Uploaded Packages ----------------- We will introduce mozjs102, a new source package for Ubuntu 22.04 LTS, being careful to publish it in main, not universe. And we'll update gjs. No other packages need to be updated for this change. mozjs91 will remain in Ubuntu 22.04 LTS (source package removals are generally not possible), but nothing else in Ubuntu uses it. Test Case --------- https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs Security Sponsoring ------------------- sudo apt install git-buildpackage gbp clone https://salsa.debian.org/gnome-team/gjs cd gjs git checkout ubuntu/jammy gbp buildpackage --git-builder="debuild -S -nc" mkdir ../tarballs; cd ../tarballs pull-lp-source mozjs102 kinetic cd .. gbp clone https://salsa.debian.org/gnome-team/mozjs cd mozjs git checkout ubuntu/102/jammy gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs # That avoids needing to recreate the original tarball from pristine-tar which takes a while. Also, running lintian takes a while. Initial Testing Done -------------------- I built the packages in my PPA. I installed the packages on Ubuntu 22.04 LTS and successfully completed the Test Case. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gjs/+bug/1993214/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp