*** This bug is a security vulnerability ***

Public security bug reported:

Impact
------
mozjs is Firefox's SpiderMonkey JavaScript engine. mozjs52 is derived from 
Firefox 52 ESR. 52.9 is the final scheduled release in the 52 series. (mozjs 
itself never got "official releases" from Mozilla.)

By comparing the bug numbers in the release notes with the bug numbers
mentioned at https://github.com/mozilla/gecko-dev/commits/esr52/js/src/
it looks like the new release includes fixes for one or more memory
safety bugs identified as CVE-2018-5188.

GNOME Shell (Ubuntu's default interface in Ubuntu 18.04 LTS) requires
mozjs52. Nothing else in Ubuntu 18.04 LTS uses mozjs52.

References
----------
https://www.mozilla.org/en-US/firefox/52.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/
https://wiki.ubuntu.com/SecurityTeam/FAQ#mozjs

Test Case
---------
Install the update. Restart your computer. Log in and make sure the default 
desktop still works.

Regression Potential
--------------------
This is a minor release in the long-term support series. I count about 6 
cherry-picked targeted commits.

Other Info
----------
I believe the version in Ubuntu 18.10 (synced with Debian) goes back to 
building with the distro's ICU library instead of the bundled version. Maybe we 
should backport from 18.10 instead of a more minimal diff against the Ubuntu 
version.

A diff of the 18.10 version is at
https://launchpad.net/ubuntu/+source/mozjs52/52.9.1-1

** Affects: mozjs52 (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: mozjs52 (Ubuntu Bionic)
     Importance: Undecided
         Status: Triaged


** Tags: bionic

** Also affects: mozjs52 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: mozjs52 (Ubuntu Bionic)
       Status: New => Triaged

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-5188

** Description changed:

  Impact
  ------
  mozjs is Firefox's Spidermonkey JavaScript engine. mozjs52 is derived from 
Firefox 52 ESR. 52.9 is the final scheduled release in the 52 series. (mozjs 
itself never got "official releases" from Mozilla.)
  
  By comparing the bug numbers in the release notes with the bug numbers
  mentioned at https://github.com/mozilla/gecko-dev/commits/esr52/js/src/
- it looks like the new release includes one or more memory safety bugs
- identified as CVE-2018-5188.
+ it looks like the new release includes fixes for one or more memory
+ safety bugs identified as CVE-2018-5188.
  
  GNOME Shell (Ubuntu's default interface in Ubuntu 18.04 LTS) requires
  mozjs52. Nothing else in Ubuntu 18.04 LTS uses mozjs52.
  
  References
  ----------
  https://www.mozilla.org/en-US/firefox/52.9.0/releasenotes/
  https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/
  https://wiki.ubuntu.com/SecurityTeam/FAQ#mozjs
  
  Test Case
  ---------
  Install the update. Restart your computer. Log in and make sure the default 
desktop still works.
  
  Regression Potential
  --------------------
  This is a minor release in the long-term support series. I count about 6 
cherry-picked targeted commits.
  
  Other Info
  ----------
  I believe the version in Ubuntu 18.10 (synced with Debian) goes back to 
building with the distro's ICU library instead of the bundled version. Maybe we 
should backport from 18.10 instead of a more minimal diff against the Ubuntu 
version.
  
  A diff of the 18.10 version is at
  https://launchpad.net/ubuntu/+source/mozjs52/52.9.1-1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1784974

Title:
  Update mozjs52 to 52.1.9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mozjs52/+bug/1784974/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
