This appears to be covered by the GNOME SRU exception. However, the bug
description does not reference this exception, and also does not follow
the template at
<https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template>. Please
update accordingly.
** Changed in: gjs (Ubuntu Jammy)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gjs in Ubuntu.
https://bugs.launchpad.net/bugs/1993214
Title:
[jammy] Update gjs to 1.74 using mozjs102 102.3
Status in gjs package in Ubuntu:
Fix Released
Status in mozjs102 package in Ubuntu:
Fix Released
Status in gjs source package in Jammy:
Incomplete
Status in mozjs102 source package in Jammy:
Fix Committed
Status in mozjs102 source package in Kinetic:
Fix Committed
Bug description:
Impact
------
GNOME Shell uses the SpiderMonkey JavaScript engine from Firefox ESR (mozjs).
Firefox 92 ESR has reached end of life; therefore, we should switch to the 102
ESR series for security updates for the next year.
This requires updating gjs from 1.72 to 1.74 from GNOME 43, as
packaged in Ubuntu 22.10.
This will be done as a Security Update.
Updating mozjs in stable Ubuntu releases was recommended when Ubuntu
first switched back to GNOME, but this is the first time it's been
done.
Security Impact
---------------
I looked through
https://github.com/mozilla/gecko-dev/commits/esr102/js
and searched for referenced bug numbers in
https://www.mozilla.org/en-US/security/advisories/
for Firefox ESR releases since Ubuntu's 91.10
and found one CVE. Also, there's the vague Mozilla Bug 1771084 (no CVE
issued) mentioned at
https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/
Uploaded Packages
-----------------
We will introduce mozjs102, a new source package for Ubuntu 22.04 LTS, being
careful to publish it in main, not universe.
And we'll update gjs.
No other packages need to be updated for this change.
mozjs91 will remain in Ubuntu 22.04 LTS (source package removals are
generally not possible), but nothing else in Ubuntu uses it.
Test Case
---------
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
Security Sponsoring
-------------------
sudo apt install git-buildpackage
gbp clone https://salsa.debian.org/gnome-team/gjs
cd gjs
git checkout ubuntu/jammy
gbp buildpackage --git-builder="debuild -S -nc"
mkdir ../tarballs; cd ../tarballs
pull-lp-source mozjs102 kinetic
cd ..
gbp clone https://salsa.debian.org/gnome-team/mozjs
cd mozjs
git checkout ubuntu/102/jammy
gbp buildpackage --git-builder="debuild --no-lintian -S -nc"
--git-tarball-dir=../tarballs
# That avoids needing to recreate the original tarball from pristine-tar
which takes a while. Also, running lintian takes a while.
Initial Testing Done
--------------------
I built the packages in my PPA.
I installed the packages on Ubuntu 22.04 LTS and successfully completed the
Test Case.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gjs/+bug/1993214/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
