[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-27 Thread Launchpad Bug Tracker
This bug was fixed in the package mozjs38 - 38.8.0~repack1-0ubuntu0.1

---
mozjs38 (38.8.0~repack1-0ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Build from final Firefox 38 ESR tarball to fix
    numerous security vulnerabilities (LP: #1683103)
    - Use debian/repack* scripts to drop the extra files not shipped
      in the mozjs release tarballs.
    - CVE-2015-4513, CVE-2016-1930, CVE-2016-1952,
      CVE-2016-2805, CVE-2016-2807, CVE-2016-2808

 -- Jeremy Bicha   Sun, 16 Apr 2017 14:45:59 -0400

** Changed in: mozjs38 (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1683103

Title:
  Use final Firefox 38 ESR tarball to build mozjs38

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mozjs38/+bug/1683103/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-24 Thread Tyler Hicks
Ack for the changes in Jeremy's git tree. I've uploaded the package to
the ubuntu-security-proposed PPA:

  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

I'll install the mozjs38 locally and use it on my main machine while we
wait for the mozjs38 in zesty-proposed to make its way through the SRU
process. After the SRU is complete, we can publish this security update
(which is based on the SRU upload).



[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-22 Thread Jeremy Bicha
** Changed in: mozjs38 (Ubuntu)
   Status: Fix Released => Confirmed



[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-22 Thread Launchpad Bug Tracker
This bug was fixed in the package mozjs38 - 38.8.0~repack1-0ubuntu1

---
mozjs38 (38.8.0~repack1-0ubuntu1) artful; urgency=medium

  * SECURITY UPDATE: Build from final Firefox 38 ESR tarball to fix
    numerous security vulnerabilities (LP: #1683103)
    - Use debian/repack* scripts to drop the extra files not shipped
      in the mozjs release tarballs.
    - CVE-2015-4513, CVE-2016-1930, CVE-2016-1952,
      CVE-2016-2805, CVE-2016-2807, CVE-2016-2808
  * Update package description
  * Use gnome-pkg-tools (for sponsorship by Debian GNOME)

 -- Jeremy Bicha   Sun, 16 Apr 2017 14:45:59 -0400

** Changed in: mozjs38 (Ubuntu)
   Status: Confirmed => Fix Released



[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-18 Thread Jeremy Bicha
** Description changed:

  Impact
  --
  SpiderMonkey (or mozjs) is Firefox's JavaScript engine. It is not 
well-supported by Mozilla. Generally, someone at Mozilla makes only one tarball 
release per Firefox ESR. For 38, this was done around 38.2. Fedora and Arch 
Linux build their mozjs38 using the final Firefox ESR tarball (38.8) which has 
7 more months of high-priority bugfixes included.
  
  https://developer.mozilla.org/en-
  US/docs/Mozilla/Projects/SpiderMonkey/Releases/38
  
  A quick review of the git log showed that there are multiple high-
  priority security fixes in this update.
  
  Test Case
  -
  Install the update.
  Reboot
  Log into GNOME Shell. Does it seem to work ok?
  
  Regression Potential
  
  The gjs maintainer has so far only tested with the original release tarball, 
but the risk is mitigated by being used by Fedora. Mozilla does tend to be 
cautious about updating its ESR branch.
  
  Other Info
  --
- The Firefox tarball is very slow and difficult to work with since it has so 
many files. It was too big for the new debian/copyright Files-Excluded repack ( 
https://bugs.debian.org/855464 ). I used the older debian/repack scripts to cut 
the extra files.
+ The Firefox tarball is very slow and difficult to work with since it has so 
many files. It was too big for the new debian/copyright Files-Excluded repack ( 
https://bugs.debian.org/855464 ). I used debian/repack scripts instead to cut 
the extra files.
  
  With the repack, I lost the INSTALL, LICENSE and README files which are
  not included in the Firefox tarball since I didn't know how to use the
  repack script to inject a copy of those files. It did not seem important
  enough to use a quilt patch to restore them since they aren't shipped in
  the resulting binary packages.
  
  js/src/ctypes/libffi/doc/libffi.info and js/src/jit-test/tests/sunspider
- /check-string-unpack-code.jswere removed because
- debian/README.source says to remove them.
+ /check-string-unpack-code.js were removed because debian/README.source
+ says to remove them. (Both files look like generated code.)
  
  Here's a visual diff of the new tarball:
- https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/commit/?id=c324e07
+ https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/commit/?id=2756358
  
  And here's a git log (the original mozjs38 tarball is from mid-September 2015)
  https://github.com/mozilla/gecko-dev/commits/esr38/js/src
  
  mozjs38 is only packaged in Ubuntu 17.04 "zesty"
  
  More Justification
  --
  https://www.mozilla.org/en-US/firefox/38.3.0/releasenotes/.
  And change the version number from 38.3.0, 38.4.0 up to 38.8.0. The only 
change not "Various security fixes" is 38.5.0's 
https://hg.mozilla.org/releases/mozilla-esr38/rev/b8244a3f55e1 which does not 
affect any files included in our tarball.
  
  The Release Notes link to https://www.mozilla.org/en-US/security/known-
  vulnerabilities/firefox-esr/#firefoxesr38.8
  
  Many of those vulnerabilities don't affect the SpiderMonkey JavaScript
  engine though.
  
  Testing Done
  
  I have tested that this package builds and that GNOME Shell runs with the 
built package.
  
  Sponsoring
  --
  I pushed my work to a temporary git repo because I think it should be fairly 
easy to sponsor from there:
  https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/
  
- I also enabled the build tests (with 2 patches to make them work) and made 
them fatal on some architectures.
- If you decide you don't want that in this release, just skip the final commit.
+ There is a mozjs38 SRU accepted April 18 that enables build tests. It
+ would be nice if that could either be released into -updates first or
+ that update rolled into this update.



[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-18 Thread Adolfo Jayme
** Changed in: mozjs38 (Ubuntu)
   Importance: Undecided => High



[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-17 Thread Jeremy Bicha
** Description changed:

  Impact
  --
  SpiderMonkey (or mozjs) is Firefox's JavaScript engine. It is not 
well-supported by Mozilla. Generally, someone at Mozilla makes only one tarball 
release per Firefox ESR. For 38, this was done around 38.2. Fedora and Arch 
Linux build their mozjs38 using the final Firefox ESR tarball (38.8) which has 
7 more months of high-priority bugfixes included.
  
  https://developer.mozilla.org/en-
  US/docs/Mozilla/Projects/SpiderMonkey/Releases/38
  
  A quick review of the git log showed that there are multiple high-
  priority security fixes in this update.
  
  Test Case
  -
  Install the update.
  Reboot
  Log into GNOME Shell. Does it seem to work ok?
  
  Regression Potential
  
  The gjs maintainer has so far only tested with the original release tarball, 
but the risk is mitigated by being used by Fedora. Mozilla does tend to be 
cautious about updating its ESR branch.
  
  Other Info
  --
  The Firefox tarball is very slow and difficult to work with since it has so 
many files. It was too big for the new debian/copyright Files-Excluded repack ( 
https://bugs.debian.org/855464 ). I used the older debian/repack scripts to cut 
the extra files.
  
  With the repack, I lost the INSTALL, LICENSE and README files which are
  not included in the Firefox tarball since I didn't know how to use the
  repack script to inject a copy of those files. It did not seem important
  enough to use a quilt patch to restore them since they aren't shipped in
  the resulting binary packages.
  
  js/src/ctypes/libffi/doc/libffi.info and js/src/jit-test/tests/sunspider
  /check-string-unpack-code.jswere removed because
  debian/README.source says to remove them.
  
  Here's a visual diff of the new tarball:
  https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/commit/?id=c324e07
  
  And here's a git log (the original mozjs38 tarball is from mid-September 2015)
  https://github.com/mozilla/gecko-dev/commits/esr38/js/src
  
- mozjs38 is only packaged in Ubuntu 17.04 "zesty".
+ mozjs38 is only packaged in Ubuntu 17.04 "zesty"
+ 
+ More Justification
+ --
+ https://www.mozilla.org/en-US/firefox/38.3.0/releasenotes/.
+ And change the version number from 38.3.0, 38.4.0 up to 38.8.0. The only 
change not "Various security fixes" is 38.5.0's 
https://hg.mozilla.org/releases/mozilla-esr38/rev/b8244a3f55e1 which does not 
affect any files included in our tarball.
+ 
+ The Release Notes link to https://www.mozilla.org/en-US/security/known-
+ vulnerabilities/firefox-esr/#firefoxesr38.8
  
  Testing Done
  
  I have tested that this package builds and that GNOME Shell runs with the 
built package.
  
  Sponsoring
  --
  I pushed my work to a temporary git repo because I think it should be fairly 
easy to sponsor from there:
  https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/
  
  I also enabled the build tests (with 2 patches to make them work) and made 
them fatal on some architectures.
  If you decide you don't want that in this release, just skip the final commit.

** Description changed:

  Impact
  --
  SpiderMonkey (or mozjs) is Firefox's JavaScript engine. It is not 
well-supported by Mozilla. Generally, someone at Mozilla makes only one tarball 
release per Firefox ESR. For 38, this was done around 38.2. Fedora and Arch 
Linux build their mozjs38 using the final Firefox ESR tarball (38.8) which has 
7 more months of high-priority bugfixes included.
  
  https://developer.mozilla.org/en-
  US/docs/Mozilla/Projects/SpiderMonkey/Releases/38
  
  A quick review of the git log showed that there are multiple high-
  priority security fixes in this update.
  
  Test Case
  -
  Install the update.
  Reboot
  Log into GNOME Shell. Does it seem to work ok?
  
  Regression Potential
  
  The gjs maintainer has so far only tested with the original release tarball, 
but the risk is mitigated by being used by Fedora. Mozilla does tend to be 
cautious about updating its ESR branch.
  
  Other Info
  --
  The Firefox tarball is very slow and difficult to work with since it has so 
many files. It was too big for the new debian/copyright Files-Excluded repack ( 
https://bugs.debian.org/855464 ). I used the older debian/repack scripts to cut 
the extra files.
  
  With the repack, I lost the INSTALL, LICENSE and README files which are
  not included in the Firefox tarball since I didn't know how to use the
  repack script to inject a copy of those files. It did not seem important
  enough to use a quilt patch to restore them since they aren't shipped in
  the resulting binary packages.
  
  js/src/ctypes/libffi/doc/libffi.info and js/src/jit-test/tests/sunspider
  /check-string-unpack-code.jswere removed because
  debian/README.source says to remove them.
  
  Here's a visual diff of the new tarball:
  

[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-16 Thread Jeremy Bicha
** Tags added: zesty

** Description changed:

  Impact
  --
  SpiderMonkey (or mozjs) is Firefox's JavaScript engine. It is not 
well-supported by Mozilla. Generally, someone at Mozilla makes only one tarball 
release per Firefox ESR. For 38, this was done around 38.2. Fedora and Arch 
Linux build their mozjs38 using the final Firefox ESR tarball (38.8) which has 
7 more months of high-priority bugfixes included.
  
  https://developer.mozilla.org/en-
  US/docs/Mozilla/Projects/SpiderMonkey/Releases/38
  
  A quick review of the git log showed that there are multiple high-
  priority security fixes in this update.
  
  Test Case
  -
  Install the update.
  Reboot
  Log into GNOME Shell. Does it seem to work ok?
  
  Regression Potential
  
  The gjs maintainer has so far only tested with the original release tarball, 
but the risk is mitigated by being used by Fedora. Mozilla does tend to be 
cautious about updating its ESR branch.
  
  Other Info
  --
  The Firefox tarball is very slow and difficult to work with since it has so 
many files. It was too big for the new debian/copyright Files-Excluded repack ( 
https://bugs.debian.org/855464 ). I used the older debian/repack scripts to cut 
the extra files.
  
  With the repack, I lost the INSTALL, LICENSE and README files which are
  not included in the Firefox tarball since I didn't know how to use the
  repack script to inject a copy of those files. It did not seem important
  enough to use a quilt patch to restore them since they aren't shipped in
  the resulting binary packages.
  
  js/src/ctypes/libffi/doc/libffi.info and js/src/jit-test/tests/sunspider
  /check-string-unpack-code.jswere removed because
  debian/README.source says to remove them.
  
  Here's a visual diff of the new tarball:
  https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/commit/?id=c324e07
  
  And here's a git log (the original mozjs38 tarball is from mid-September 2015)
  https://github.com/mozilla/gecko-dev/commits/esr38/js/src
  
+ mozjs38 is only packaged in Ubuntu 17.04 "zesty".
+ 
  Testing Done
  
  I have tested that this package builds and that GNOME Shell runs with the 
built package.
  
  Sponsoring
  --
  I pushed my work to a temporary git repo because I think it should be fairly 
easy to sponsor from there:
  https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/
  
  I also enabled the build tests (with 2 patches to make them work) and made 
them fatal on some architectures.
  If you decide you don't want that in this release, just skip the final commit.



[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-16 Thread Jeremy Bicha
** Description changed:

  Impact
  --
  SpiderMonkey (or mozjs) is Firefox's JavaScript engine. It is not 
well-supported by Mozilla. Generally, someone at Mozilla makes only one tarball 
release per Firefox ESR. For 38, this was done around 38.2. Fedora and Arch 
Linux build their mozjs38 using the final Firefox ESR tarball (38.8) which has 
7 more months of high-priority bugfixes included.
  
  https://developer.mozilla.org/en-
  US/docs/Mozilla/Projects/SpiderMonkey/Releases/38
  
  A quick review of the git log showed that there are multiple high-
  priority security fixes in this update.
  
  Test Case
  -
  Install the update.
  Reboot
  Log into GNOME Shell. Does it seem to work ok?
  
  Regression Potential
  
  The gjs maintainer has so far only tested with the original release tarball, 
but the risk is mitigated by being used by Fedora. Mozilla does tend to be 
cautious about updating its ESR branch.
  
  Other Info
  --
  The Firefox tarball is very slow and difficult to work with since it has so 
many files. It was too big for the new debian/copyright Files-Excluded repack ( 
https://bugs.debian.org/855464 ). I used the older debian/repack scripts to cut 
the extra files.
  
  With the repack, I lost the INSTALL, LICENSE and README files which are
  not included in the Firefox tarball since I didn't know how to use the
  repack script to inject a copy of those files. It did not seem important
  enough to use a quilt patch to restore them since they aren't shipped in
  the resulting binary packages.
  
  js/src/ctypes/libffi/doc/libffi.info and js/src/jit-test/tests/sunspider
  /check-string-unpack-code.jswere removed because
  debian/README.source says to remove them.
  
  Here's a visual diff of the new tarball:
- 
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git/commit/?h=debian/unstable=ae6f925b6
+ https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/commit/?id=c324e07
  
  And here's a git log (the original mozjs38 tarball is from mid-September 2015)
  https://github.com/mozilla/gecko-dev/commits/esr38/js/src
+ 
+ Testing Done
+ 
+ I have tested that this package builds and that GNOME Shell runs with the 
built package.
+ 
+ Sponsoring
+ --
+ I pushed my work to a temporary git repo because I think it should be fairly 
easy to sponsor from there:
+ https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/
+ 
+ I also enabled the build tests (with 2 patches to make them work) and made 
them fatal on some architectures.
+ If you decide you don't want that in this release, just skip the final commit.

** Changed in: mozjs38 (Ubuntu)
   Status: New => Confirmed



[Bug 1683103] Re: Use final Firefox 38 ESR tarball to build mozjs38

2017-04-15 Thread Jeremy Bicha
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2805

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1952

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2807

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2808

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1930

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4513
