Bug#1104748: release.debian.org: advise on handling QuickJS and Edbrowse for Trixie

Sebastian Humenda shumenda at gmx.de
Mon May 5 17:37:00 BST 2025


Package: release.debian.org
Severity: important
X-Debbugs-Cc: pkg-a11y-devel at alioth-lists.debian.net

Hi

QuickJS has two CVEs, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255 .
Upstream has fixed the CVEs in a new version that at the same time makes an
API-incompatible change. Backporting the CVEs can be riskier than packaging the new
upstream version. Currently the only downstream user of QuickJS is Edbrowse,
which statically links to QuickJS and is also affected by the API change.

In an attempt to close the CVEs, I've uploaded the latest QuickJS 2025.04.26
and would now need to upload the already packaged Edbrowse (see SALSA). I
suppose this is against the release plan/policy, hence I'm raising it here.

As I said, I believe it will be easier for Trixie to get the latest versions
into Debian, as this will decrease the maintenance burden, especially in the
case of future CVEs.
Thanks