Debian Bug report logs - #1111591
mozjs128: update to 128.14.0

version graph

Package: src:mozjs128; Maintainer for src:mozjs128 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Jeremy Bicha <jeremy@bicha.net>

Date: Tue, 19 Aug 2025 19:23:01 UTC

Severity: important

Tags: forky, sid, trixie

Found in version mozjs128/128.13.0-1

Fixed in versions mozjs128/128.14.0-1, mozjs128/128.14.0-1~deb13u1

Done: Jeremy Bícha <jbicha@ubuntu.com>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1111591; Package src:mozjs128. (Tue, 19 Aug 2025 19:23:02 GMT) (full text, mbox, link).

Acknowledgement sent to Jeremy Bicha <jeremy@bicha.net>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 19 Aug 2025 19:23:02 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jeremy Bicha <jeremy@bicha.net>
To: submit <submit@bugs.debian.org>
Subject: mozjs128: update to 128.14.0
Date: Tue, 19 Aug 2025 15:21:01 -0400
Source: mozjs128
Version: 128.13.0-1
Severity: important
Tags: trixie forky sid

The final scheduled mozjs128 release, 128.14.0, was released today
with some security fixes.

mozjs128 is only used by gjs (for GNOME Shell and several GNOME apps)
and cjs (for Cinnamon). Practically, I am not aware of any Firefox
CVEs ever being used to attack the desktop via gjs or cjs. Notably,
debian-security-support says about mozjs128 "Not covered by security
support, only suitable for trusted content". Therefore, updates for
mozjs* are handled via regular updates.

https://salsa.debian.org/debian/debian-security-support/-/blob/master/security-support.deb13#L30

https://whattrainisitnow.com/calendar/

Thank you,
Jeremy Bícha

Reply sent to Jeremy Bícha <jbicha@ubuntu.com>:
You have taken responsibility. (Tue, 19 Aug 2025 20:41:04 GMT) (full text, mbox, link).

Notification sent to Jeremy Bicha <jeremy@bicha.net>:
Bug acknowledged by developer. (Tue, 19 Aug 2025 20:41:04 GMT) (full text, mbox, link).

Message #10 received at 1111591-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1111591-close@bugs.debian.org
Subject: Bug#1111591: fixed in mozjs128 128.14.0-1
Date: Tue, 19 Aug 2025 20:38:38 +0000
[Message part 1 (text/plain, inline)]
Source: mozjs128
Source-Version: 128.14.0-1
Done: Jeremy Bícha <jbicha@ubuntu.com>

We believe that the bug you reported is fixed in the latest version of
mozjs128, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1111591@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <jbicha@ubuntu.com> (supplier of updated mozjs128 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Aug 2025 11:27:41 -0400
Source: mozjs128
Built-For-Profiles: noudeb
Architecture: source
Version: 128.14.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbicha@ubuntu.com>
Closes: 1111591
Changes:
 mozjs128 (128.14.0-1) unstable; urgency=high
 .
   * New upstream release (Closes: #1111591)
     - MFSA-RESERVE-2025-1977130: Uninitialized memory in the JavaScript Engine
       component
     - MFSA-RESERVE-2025-2: Memory safety bugs
Checksums-Sha1:
 f5260028e4a12c14e4d995b8c683299a80f6e2b5 2416 mozjs128_128.14.0-1.dsc
 97a6b00ade1ef58b215cf7061a86c4299fd9d5ba 157263392 mozjs128_128.14.0.orig.tar.xz
 720b0e6df0f33801697965cfac2b017c5906266a 53732 mozjs128_128.14.0-1.debian.tar.xz
 9c2d26c105496ed7d2a9ba79a49feafa0b578824 8959 mozjs128_128.14.0-1_source.buildinfo
Checksums-Sha256:
 b08eadebb8a17e95515ec725186551b43fe633e38c83e30e19869ff0faac31e6 2416 mozjs128_128.14.0-1.dsc
 41cca35149710ce45fbabc5fefcf86a01fdf833fdb783941964fca3a55fb72dd 157263392 mozjs128_128.14.0.orig.tar.xz
 cbd8b152d52ffe062d49ce19c1cb0d8c565b3f2f74b20b3a22b631947787bebd 53732 mozjs128_128.14.0-1.debian.tar.xz
 a3288e76b53bfb6d4623aed3065c57b1ae4449db1eef6df151703a2d3ba631fe 8959 mozjs128_128.14.0-1_source.buildinfo
Files:
 04cf17cff48efb07ef49486261928df4 2416 libs optional mozjs128_128.14.0-1.dsc
 66e67ee8b8ba967961691440c1457e2d 157263392 libs optional mozjs128_128.14.0.orig.tar.xz
 6d550072fa6a5a2151edb13f0fb1aa78 53732 libs optional mozjs128_128.14.0-1.debian.tar.xz
 e3e71261c94194e7221ac25f784c4d21 8959 libs optional mozjs128_128.14.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETQvhLw5HdtiqzpaW5mx3Wuv+bH0FAmik0BgACgkQ5mx3Wuv+
bH2J2RAAg/5kjWf3Aj/JrouJaLcKwqY+HkSvqTfvK6GXAVfoQWcBwkfDCm/GScsh
Nczt29wJ69aqcsSiVhgGomDJdssb3ILze68RMsBgLfZS5lmPkkMMtLj3K3UkFzHl
nl/6P+Oind7WIJem7mLU94M0VpnDCy6F0V3r0f6fl3cDt1IPLufKsCR0X/VqyaGw
eDVxDvEZttADXHiEj9WNTgu409czoHwURdkB+h9hzreXNUEBcdaXFkaZw3mcl9Qz
0RfjRkYKyZxtHUBaU9eDLsEYJUxKzg0XDK2+zfMjh9gXN7iFH78iOEX7a6Q2nqWP
oyaoFQRAfuKr3PrlliMoz5KGfrLYdvDGNIjt32IpBiHA644rnrHhwB0PvDOgoik5
qawRsbFLB9SkPb5Dnh7QFd+Mdf87FufeBlOww5kjZQcnk6HpJ55z6ysOyqZt3jt4
BTTnqaAdSOfO3/rS0osxAjZwunJCpG8h7g60XcEiv72Yh5Txnjz2rkOUuFJ/8Mqg
dWRiHaKRFIHBVZrDu2JgMuJOzYFFx8U0xg/Y0iZMbx061bioWpQeUVs7Q+UJR8aX
aqjAAulwUJ0FVqIydW4LfUOtVxRg78SuvSMN8oWXIRcosGaMj75NFcI9xICuryNO
AsYyWuPWNg3CvO5/SD+7qb7nlYOAmXJelIOulAu7WU9iPtdcYpI=
=xO8M
-----END PGP SIGNATURE-----


[Message part 2 (application/pgp-signature, inline)]

Reply sent to Jeremy Bícha <jbicha@ubuntu.com>:
You have taken responsibility. (Fri, 22 Aug 2025 10:49:06 GMT) (full text, mbox, link).

Notification sent to Jeremy Bicha <jeremy@bicha.net>:
Bug acknowledged by developer. (Fri, 22 Aug 2025 10:49:06 GMT) (full text, mbox, link).

Message #15 received at 1111591-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1111591-close@bugs.debian.org
Subject: Bug#1111591: fixed in mozjs128 128.14.0-1~deb13u1
Date: Fri, 22 Aug 2025 10:47:12 +0000
[Message part 1 (text/plain, inline)]
Source: mozjs128
Source-Version: 128.14.0-1~deb13u1
Done: Jeremy Bícha <jbicha@ubuntu.com>

We believe that the bug you reported is fixed in the latest version of
mozjs128, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1111591@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <jbicha@ubuntu.com> (supplier of updated mozjs128 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Aug 2025 11:27:41 -0400
Source: mozjs128
Built-For-Profiles: noudeb
Architecture: source
Version: 128.14.0-1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbicha@ubuntu.com>
Closes: 1111591
Changes:
 mozjs128 (128.14.0-1~deb13u1) trixie; urgency=medium
 .
   * New upstream release (Closes: #1111591)
     - CVE-2025-9181: Uninitialized memory in the JavaScript Engine
       component
     - CVE-2025-9185: Memory safety bugs
   * Branch for trixie
Checksums-Sha1:
 be3f13bf45cbf2251dbbf7e270234a0228b7ac47 2448 mozjs128_128.14.0-1~deb13u1.dsc
 97a6b00ade1ef58b215cf7061a86c4299fd9d5ba 157263392 mozjs128_128.14.0.orig.tar.xz
 eb6c9294453a796491957a96f30ce29ce228686e 53764 mozjs128_128.14.0-1~deb13u1.debian.tar.xz
 10feb8fe65a24b23fc291810220b49b22e1203ad 8989 mozjs128_128.14.0-1~deb13u1_source.buildinfo
Checksums-Sha256:
 0bb78fc07665cafb45b0659644cc7b812ef306cae470b6a0c89b9dc7e0d34d8b 2448 mozjs128_128.14.0-1~deb13u1.dsc
 41cca35149710ce45fbabc5fefcf86a01fdf833fdb783941964fca3a55fb72dd 157263392 mozjs128_128.14.0.orig.tar.xz
 39bd9cb8abb66e2dc5b2b2a8fe7df1f55307e48a0155a9c2a3d698bac0b25b3b 53764 mozjs128_128.14.0-1~deb13u1.debian.tar.xz
 2fea9b7ba4a798ce39b5861f66e5e5132d16a6ed81a3162a11c67602fbdb4558 8989 mozjs128_128.14.0-1~deb13u1_source.buildinfo
Files:
 9b4cfaa19748c82acecd8cfb10a6920d 2448 libs optional mozjs128_128.14.0-1~deb13u1.dsc
 66e67ee8b8ba967961691440c1457e2d 157263392 libs optional mozjs128_128.14.0.orig.tar.xz
 fe9ea7d1200985cd2d7c4e2930970344 53764 libs optional mozjs128_128.14.0-1~deb13u1.debian.tar.xz
 aada4cd9b3395cff52912da7db63e254 8989 libs optional mozjs128_128.14.0-1~deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETQvhLw5HdtiqzpaW5mx3Wuv+bH0FAmimXKQACgkQ5mx3Wuv+
bH1n4Q/+NgFrli6HBpYsUNRNh+ysCnvGI2oucku1JHXN5cYZafXIB7ZxVMJ6zER/
bpOXUCTB3lwQJp74JiMlkWLzwR90SyjiAgyobfSuoBe2J26QBI7dAogNHKtAtJP6
GiPW5RXKjZgmiUh6rC3TVF68bWK5rCxB1Mxq+WJpu6mTN8ToT8N/D7B1AI8f8oOz
PZavAQ5eU4WncholAY8RKjtPEdszole6Oikk9dX6rXbig6vY7itEA//xp61MTjSQ
TA4iT9S0tYu/MaT9Vmo8GgnhRFRIX3XDsnv1Rob4VsEJNv8OolDh2XiRXtz3VDle
vo3quGjZaVdCl51HRfTbRBQN78bIE0bhftXxPm4QlD3CHL+dNVAErL76E13z4TjV
NGXGGUaw4zqTOhyjSSp+69daHblSBxFFPLUztzetHtQ0kK1tDtQHBxMfe+Zn/Avq
MjZEJQCkVE078j2S57467UFY4rqa7E36rg1MhLAs1eXxAH4kyXqbQlarCyai6hH2
uGnaBxoYeG3x38Hc//+BwYaPMsGsP2o2oeK5Rs39Anx5pxZTKnHjnLeAPF1Ic9mz
RnCB4mJg6eTNGTZvctEpCMAVer4oHHDIAzcNw/A75SyJFW/HLjt3ARdsxBI34e64
aGKA7z/vtR2c95N4wJEHwIDGeFQPk98fiZzhOrsSfQrfjnml2Bg=
=m3RT
-----END PGP SIGNATURE-----


[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 20 Sep 2025 07:27:33 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 23 19:51:44 2026; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.