The version of gjs in the proposed pocket of Jammy that was purported to
fix this bug report has been removed because one or more bugs that were
to be fixed by the upload have failed verification and been in this
state for more than 10 days.
** Tags removed: verification-needed-jammy
** Changed in: gjs (Ubuntu Jammy)
Status: Fix Committed => Confirmed
--
https://bugs.launchpad.net/bugs/1993214
Title:
[jammy] Update gjs to 1.74 using mozjs102 102.3
Status in gjs package in Ubuntu:
Fix Released
Status in mozjs102 package in Ubuntu:
Fix Released
Status in gjs source package in Jammy:
Confirmed
Status in mozjs102 source package in Jammy:
Fix Committed
Status in mozjs102 source package in Kinetic:
Fix Committed
Bug description:
Impact
------
GNOME Shell uses the SpiderMonkey JavaScript engine from Firefox ESR (mozjs).
Firefox 92 ESR has reached end of life; therefore, we should switch to the 102
ESR series for security updates for the next year.
This requires updating gjs from 1.72 to 1.74 from GNOME 43, as
packaged in Ubuntu 22.10.
This will be done as a Security Update.
Updating mozjs in stable Ubuntu releases was recommended when Ubuntu
first switched back to GNOME, but this is the first time it's been
done.
Security Impact
---------------
I looked through
https://github.com/mozilla/gecko-dev/commits/esr102/js
and searched for referenced bug numbers in
https://www.mozilla.org/en-US/security/advisories/
for Firefox ESR releases since Ubuntu's 91.10
and found one CVE. Also, there's the vague Mozilla Bug 1771084 (no CVE
issued) mentioned at
https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/
Uploaded Packages
-----------------
We will introduce mozjs102, a new source package for Ubuntu 22.04 LTS, being
careful to publish it in main, not universe.
And we'll update gjs.
No other packages need to be updated for this change.
mozjs91 will remain in Ubuntu 22.04 LTS (source package removals are
generally not possible), but nothing else in Ubuntu uses it.
Test Case
---------
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
Security Sponsoring
-------------------
sudo apt install git-buildpackage
gbp clone https://salsa.debian.org/gnome-team/gjs
cd gjs
git checkout ubuntu/jammy
gbp buildpackage --git-builder="debuild -S -nc"
mkdir ../tarballs; cd ../tarballs
pull-lp-source mozjs102 kinetic
cd ..
gbp clone https://salsa.debian.org/gnome-team/mozjs
cd mozjs
git checkout ubuntu/102/jammy
gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs
# That avoids needing to recreate the original tarball from pristine-tar,
# which takes a while. Also, running lintian takes a while.
Initial Testing Done
--------------------
I built the packages in my PPA.
I installed the packages on Ubuntu 22.04 LTS and successfully completed the
Test Case.