Bug#1111672: trixie-pu: package mozjs128/128.14.0-1~deb13u1
Jeremy Bicha
jbicha at ubuntu.com
Thu Aug 21 00:49:30 BST 2025
Package: release.debian.org
Control: affects -1 + src:mozjs128
X-Debbugs-Cc: mozjs128 at packages.debian.org
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: trixie
[ Reason ]
New bugfix release
[ Impact ]
mozjs128 is the SpiderMonkey JavaScript engine from Firefox ESR 128.
I identified 2 security fixes in 128.14
https://www.mozilla.org/en-US/security/advisories/mfsa2025-66/
https://github.com/mozilla-firefox/firefox/commits/esr128/js
mozjs128 is only used by gjs (for GNOME Shell and several GNOME apps)
and cjs (for Cinnamon). Practically, I am unaware of any Firefox
CVEs ever being used to attack the desktop via gjs or cjs. Notably,
debian-security-support says about mozjs128 "Not covered by security
support, only suitable for trusted content". Therefore, updates for
mozjs* are handled via regular updates.
https://salsa.debian.org/debian/debian-security-support/-/blob/master/security-support.deb13#L30
[ Tests ]
mozjs128 has a trivial autopkgtest which is passing for forky.
I also completed manual testing of all gjs apps as described at
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
[ Risks ]
mozjs128 is a key package for both GNOME and Cinnamon. Mozilla does a
good job of doing monthly releases with minimal, mostly security
related fixes for the ESR series.
One time a few years ago, a mozjs update broke the gnome-weather app
which was fixed with a simple rebuild of the app.
[ Checklist ]
[✔️] all changes are documented in the d/changelog
[✔️] I reviewed all changes and I approve them
[✔️] attach debdiff against the package in stable
[✔️] the issue is verified as fixed in unstable
[ Other info ]
There is the final scheduled 128.x release before the 128 series
reaches End of Life. On the other hand, this week there was a 115.27
release which isn't on the calendar at all so I admit I don't know for
sure there won't be more 128.x releases.
https://whattrainisitnow.com/calendar/
Thank you,
Jeremy Bícha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mozjs128_128.14.0-1~deb13u1.debdiff
Type: application/octet-stream
Size: 48992 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20250820/1bc0104d/attachment-0001.obj>
More information about the pkg-gnome-maintainers
mailing list