Update oracular to new mozjs releases

Bug #2083344 reported by Jeremy Bícha
Affects            Status         Importance  Assigned to  Milestone
mozjs115 (Ubuntu)  Fix Released   Undecided   Unassigned
mozjs128 (Ubuntu)  Fix Released   Undecided   Unassigned

Bug Description

Impact
------
Mozilla released new security updates today. I have compared the security advisories with the somewhat stripped-down source code we build with and mentioned the fixed security vulnerabilities in debian/changelog.

https://www.mozilla.org/en-US/security/advisories/mfsa2024-47/ mozjs128
https://www.mozilla.org/en-US/security/advisories/mfsa2024-48/ mozjs115
https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/ mozjs115

Other Info
----------
mozjs is the JavaScript engine from Firefox ESR. Mozilla provides security updates for an ESR series for about a year.

In an exceptional move, Mozilla has extended security support for the 115 series through March 2025 for old Windows and macOS users only. However, the source code is still provided so we continue packaging the security updates.

mozjs128 is used by gjs which powers GNOME Shell and several GNOME apps.
mozjs115 is currently used by cjs which powers Cinnamon.

https://whattrainisitnow.com/calendar/

Jeremy Bícha (jbicha)
description: updated
information type: Public → Public Security

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package mozjs115 - 115.16.0-1

---------------
mozjs115 (115.16.0-1) unstable; urgency=high

  * New upstream release (LP: #2083344)
    - CVE-2024-8381 Type confusion when looking up property names
    - CVE-2024-8382 Internal event interfaces exposed to web content
    - CVE-2024-8384 Garbage collection could mis-color cross-compartment objects
    - CVE-2024-9401 Memory safety bugs

 -- Jeremy Bícha <email address hidden> Tue, 01 Oct 2024 11:09:34 -0400

Changed in mozjs115 (Ubuntu):
status: New → Fix Released

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package mozjs128 - 128.3.0-1

---------------
mozjs128 (128.3.0-1) unstable; urgency=high

  * New upstream release (LP: #2083344)
    - CVE-2024-9396 Potential memory corruption when cloning certain objects
    - CVE-2024-9400 Potential memory corruption during JIT compilation
    - CVE-2024-9402 Memory safety bugs
  * Remove libatomic patch applied in new release
  * Revert "Add -latomic to LDFLAGS to try to fix armel build"

 -- Jeremy Bícha <email address hidden> Tue, 01 Oct 2024 11:46:49 -0400

Changed in mozjs128 (Ubuntu):
status: New → Fix Released