Bug#1106815: unblock: mozjs128/128.11.0-1

Jeremy Bícha jeremy.bicha at canonical.com
Thu May 29 23:19:38 BST 2025


Package: release.debian.org
Control: affects -1 + src:mozjs128
X-Debbugs-Cc: mozjs128 at packages.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package mozjs128

[ Reason ]
New bugfix release

[ Impact ]
mozjs128 is the SpiderMonkey JavaScript engine from Firefox ESR 128.
By comparing https://github.com/mozilla-firefox/firefox/commits/esr128/js
with https://www.mozilla.org/security/advisories/mfsa2025-44/ , I
identified one CVE which is fixed in this update.

mozjs128 is only used by gjs (for GNOME Shell and several GNOME apps)
and cjs (for Cinnamon). Practically, I am not aware of any Firefox
CVEs ever being used to attack the desktop via gjs or cjs. Notably,
debian-security-support says about mozjs128 "Not covered by security
support, only suitable for trusted content".

https://salsa.debian.org/debian/debian-security-support/-/blob/master/security-support.deb13#L28

[ Tests ]
mozjs128 has a trivial autopkgtest which is passing

I also completed manual testing of all gjs apps as described at
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

[ Risks ]
mozjs128 is a key package for both GNOME and Cinnamon. Mozilla does a
good job of doing monthly releases with minimal, mostly
security-related fixes for the ESR series.

One time a few years ago, a mozjs update broke the gnome-weather app
which was fixed with a simple rebuild of the app.

[ Checklist ]
  [✔️] all changes are documented in the d/changelog
  [✔️] I reviewed all changes and I approve them
  [✔️] attach debdiff against the package in testing

[ Other info ]
Mozilla's official announcement about the rotated gpg key:
https://blog.mozilla.org/security/2025/04/01/updated-gpg-key-for-signing-firefox-releases-2/

Firefox 128 ESR schedule:
https://whattrainisitnow.com/calendar/


unblock mozjs128/128.11.0-1

Thank you,
Jeremy Bícha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mozjs128_128.11.0-1.debdiff
Type: application/octet-stream
Size: 43108 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20250529/26425c1f/attachment-0001.obj>

