** Description changed: Impact ------ GNOME Shell uses the SpiderMonkey JavaScript engine from Firefox ESR (mozjs). Firefox 92 ESR has reached end of life; therefore, we should switch to the 102 ESR series for security updates for the next year. This requires updating gjs from 1.72 to 1.74 from GNOME 43, as packaged in Ubuntu 22.10. This will be done as a Security Update. + + Updating mozjs in stable Ubuntu releases was recommended when Ubuntu + first switched back to GNOME, but this is the first time it's been done. Security Impact --------------- I looked through https://github.com/mozilla/gecko-dev/commits/esr102/js and searched for referenced bug numbers in https://www.mozilla.org/en-US/security/advisories/ for Firefox ESR releases since Ubuntu's 91.10 and found one CVE. Also, there's the vague Mozilla Bug 1771084 (no CVE issued) mentioned at https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/ Uploaded Packages ----------------- We will introduce mozjs102, a new source package for Ubuntu 22.04 LTS, being careful to publish it in main, not universe. And we'll update gjs. No other packages need to be updated for this change. mozjs91 will remain in Ubuntu 22.04 LTS (source package removals are generally not possible), but nothing else in Ubuntu uses it. Test Case --------- https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs Prerequisite ------------ We need to get mozjs102 on the i386 whitelist for Ubuntu 22.04 LTS Security Sponsoring ------------------- sudo apt install git-buildpackage gbp clone https://salsa.debian.org/gnome-team/gjs cd gjs git checkout ubuntu/jammy gbp buildpackage --git-builder="debuild -S -nc" mkdir -p tarballs; cd tarballs pull-lp-source mozjs102 kinetic cd .. gbp clone https://salsa.debian.org/gnome-team/mozjs cd mozjs git checkout ubuntu/102/jammy gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs # That avoids needing to recreate the original tarball from pristine-tar which takes a while. 
Also, running lintian takes a while. Initial Testing Done -------------------- I built the packages in my PPA. Only issue is that mozjs102 was not built for i386 but it's needed. I installed the packages on Ubuntu 22.04 LTS and successfully completed the Test Case.
https://bugs.launchpad.net/bugs/1993214

Title:
  [jammy] Update gjs to 1.74 using mozjs102 102.3

Status in gjs package in Ubuntu:
  New
Status in mozjs102 package in Ubuntu:
  New

Bug description:
  Impact
  ------
  GNOME Shell uses the SpiderMonkey JavaScript engine from Firefox ESR (mozjs). Firefox 92 ESR has reached end of life; therefore, we should switch to the 102 ESR series for security updates for the next year.

  This requires updating gjs from 1.72 to 1.74 from GNOME 43, as packaged in Ubuntu 22.10.

  This will be done as a Security Update.

  Updating mozjs in stable Ubuntu releases was recommended when Ubuntu first switched back to GNOME, but this is the first time it's been done.

  Security Impact
  ---------------
  I looked through https://github.com/mozilla/gecko-dev/commits/esr102/js and searched for referenced bug numbers in https://www.mozilla.org/en-US/security/advisories/ for Firefox ESR releases since Ubuntu's 91.10 and found one CVE.

  Also, there's the vague Mozilla Bug 1771084 (no CVE issued) mentioned at https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/

  Uploaded Packages
  -----------------
  We will introduce mozjs102, a new source package for Ubuntu 22.04 LTS, being careful to publish it in main, not universe.

  And we'll update gjs.

  No other packages need to be updated for this change.

  mozjs91 will remain in Ubuntu 22.04 LTS (source package removals are generally not possible), but nothing else in Ubuntu uses it.

  Test Case
  ---------
  https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

  Prerequisite
  ------------
  We need to get mozjs102 on the i386 whitelist for Ubuntu 22.04 LTS

  Security Sponsoring
  -------------------
  sudo apt install git-buildpackage
  gbp clone https://salsa.debian.org/gnome-team/gjs
  cd gjs
  git checkout ubuntu/jammy
  gbp buildpackage --git-builder="debuild -S -nc"

  mkdir -p tarballs; cd tarballs
  pull-lp-source mozjs102 kinetic
  cd ..
  gbp clone https://salsa.debian.org/gnome-team/mozjs
  cd mozjs
  git checkout ubuntu/102/jammy
  gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs
  # That avoids needing to recreate the original tarball from pristine-tar which takes a while. Also, running lintian takes a while.

  Initial Testing Done
  --------------------
  I built the packages in my PPA. Only issue is that mozjs102 was not built for i386 but it's needed.

  I installed the packages on Ubuntu 22.04 LTS and successfully completed the Test Case.
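The triage described under Security Impact (matching bug numbers from the esr102 js/ commit history against Mozilla advisories) can be scripted. This is an added example, not part of the bug report or of any Ubuntu tooling: the log lines, hashes, advisory index and every bug number other than 1771084 are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed stand-in for `git log --format='%h %s' -- js/` on the ESR branch.
# Hashes, subjects and all bug numbers except 1771084 are made up.
SAMPLE_LOG = """\
aaaaaaa1 Bug 1000001 - Tidy up a JIT helper. r=reviewer a=approver
aaaaaaa2 Bug 1771084 - Constructed subject line. r=reviewer a=approver
aaaaaaa3 Backed out changeset bbbbbbbb (bug 1000002) for test failures
aaaaaaa4 Bug 1000003, Bug 1000004 - Constructed two-bug commit. r=reviewer
aaaaaaa5 No bug - Update vendored test data
"""

# Constructed advisory index: advisory id -> [(label, referenced bug numbers)].
# Only the pairing of mfsa2022-24 with bug 1771084 (no CVE) comes from the page.
SAMPLE_ADVISORIES = {
    "mfsa2022-24": [("no CVE issued", {1771084})],
    "mfsa-constructed-1": [("CVE-PLACEHOLDER-1", {1000004}),
                           ("CVE-PLACEHOLDER-2", {1000002})],
}

BUG_RE = re.compile(r"\bbug\s+(\d{6,8})\b", re.IGNORECASE)

def parse_log(log_text):
    """Yield (commit, kind, bug_numbers); kind is 'backout' or 'landed'."""
    for line in log_text.splitlines():
        commit, _, subject = line.strip().partition(" ")
        if not subject:
            continue
        kind = "backout" if subject.lower().startswith("backed out") else "landed"
        yield commit, kind, {int(n) for n in BUG_RE.findall(subject)}

def cross_reference(log_text, advisories):
    """Return {bug: {'commits': [...], 'advisories': [...]}} for bugs that
    appear both in the branch history and in an advisory."""
    commits_for = defaultdict(list)
    for commit, kind, bugs in parse_log(log_text):
        for bug in bugs:
            commits_for[bug].append((commit, kind))
    hits = {}
    for adv_id, entries in advisories.items():
        for label, bugs in entries:
            for bug in sorted(b for b in bugs if b in commits_for):
                hit = hits.setdefault(bug, {"commits": commits_for[bug], "advisories": []})
                hit["advisories"].append((adv_id, label))
    return hits

if __name__ == "__main__":
    for bug, hit in sorted(cross_reference(SAMPLE_LOG, SAMPLE_ADVISORIES).items()):
        print(bug, hit["commits"], hit["advisories"])
```

A hit whose only commit is a backout means the advisory's fix was reverted on the branch and needs a manual look before the update is treated as covering it.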