Bug#1037158: mozjs102: CVE-2023-34416, update to mozjs 102.12

Jeremy Bícha jeremy.bicha at canonical.com
Tue Jun 6 16:53:46 BST 2023


Package: mozjs102
X-Debbugs-CC: team at security.debian.org
Severity: important
Version: 102.11.0-1
Tags: security upstream bookworm

[ Reason ]
The new mozjs102 stable point release 102.12.0 includes a security fix for
- CVE-2023-34416: Memory safety bugs

[ Impact ]
mozjs102 is only used by gjs which in turn is used by GNOME Shell and
several GNOME apps written in JavaScript.

[ Tests ]
mozjs102 has build tests.
It does not have autopkgtests of its own but triggers gjs autopkgtests.

There are also manual tests:
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

[ Other info ]
mozjs102 is the SpiderMonkey JavaScript engine from the current
Firefox ESR stable branch. There are monthly releases until the end of August.

https://whattrainisitnow.com/calendar/

I am unaware of anyone using Firefox vulnerabilities to attack GNOME
Shell, but I think it's good to be prudent and apply available
security updates. I don't believe the Debian Security Team has
previously done security uploads for mozjs. For instance, mozjs78 is
out of date in Bullseye.

For more info about the commits, see the Github mirror:
https://github.com/mozilla/gecko-dev/commits/esr102/js

This update also updates the GPG key for signing releases (copy stored
in debian/upstream/signing-key.asc and used by gbp import-orig). The
signing key expires every 2 years and the previous one has expired
now.
https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/

Thank you,
Jeremy Bicha