*** This bug is a security vulnerability ***

Public security bug reported:

Impact
------
SpiderMonkey (or mozjs) is Firefox's JavaScript engine. It is not well-supported by Mozilla. Generally, someone at Mozilla makes only one tarball release per Firefox ESR. For 38, this was done around 38.2.

Fedora and Arch Linux build their mozjs38 using the final Firefox ESR tarball (38.8) which has 7 more months of high-priority bugfixes included.

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases/38

A quick review of the git log showed that there are multiple high-priority security fixes in this update.

Test Case
---------
Install the update.
Reboot
Log into GNOME Shell. Does it seem to work ok?

Regression Potential
--------------------
The gjs maintainer has so far only tested with the original release tarball, but the risk is mitigated by being used by Fedora. Mozilla does tend to be cautious about updating its ESR branch.

Other Info
----------
The Firefox tarball is very slow and difficult to work with since it has so many files. It was too big for the new debian/copyright Files-Excluded repack ( https://bugs.debian.org/855464 ). I used the older debian/repack scripts to cut the extra files.

With the repack, I lost the INSTALL, LICENSE and README files which are not included in the Firefox tarball since I didn't know how to use the repack script to inject a copy of those files. It did not seem important enough to use a quilt patch to restore them since they aren't shipped in the resulting binary packages.

js/src/ctypes/libffi/doc/libffi.info and js/src/jit-test/tests/sunspider/check-string-unpack-code.js were removed because debian/README.source says to remove them.

Here's a visual diff of the new tarball:
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git/commit/?h=debian/unstable&id=ae6f925b6

And here's a git log (the original mozjs38 tarball is from mid-September 2015)
https://github.com/mozilla/gecko-dev/commits/esr38/js/src

** Affects: mozjs38 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1683103

Title:
  Use final Firefox 38 ESR tarball to build mozjs38