Package: mozjs102
X-Debbugs-CC: t...@security.debian.org
Severity: important
Version: 102.11.0-1
Tags: security upstream bookworm

[ Reason ]
The new mozjs102 stable point release 102.12.0 includes a security fix for
- CVE-2023-34416: Memory safety bugs

[ Impact ]
mozjs102 is only used by gjs which in turn is used by GNOME Shell and several GNOME apps written in JavaScript.

[ Tests ]
mozjs102 has build tests. It does not have autopkgtests of its own but triggers gjs autopkgtests.

There are also manual tests:
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

[ Other info ]
mozjs102 is the SpiderMonkey JavaScript engine from the current Firefox ESR stable branch. There are monthly releases until the end of August.
https://whattrainisitnow.com/calendar/

I am unaware of anyone using Firefox vulnerabilities to attack GNOME Shell, but I think it's good to be prudent and apply available security updates.

I don't believe the Debian Security Team has previously done security uploads for mozjs. For instance, mozjs78 is out of date in Bullseye.

For more info about the commits, see the GitHub mirror:
https://github.com/mozilla/gecko-dev/commits/esr102/js

This update also updates the GPG key for signing releases (copy stored in debian/upstream/signing-key.asc and used by gbp import-orig). The signing key expires every 2 years and the previous one has expired now.
https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/

Thank you,
Jeremy Bicha