This bug was fixed in the package mozjs128 - 128.9.0-1

---------------
mozjs128 (128.9.0-1) unstable; urgency=high

  * New upstream release (LP: #2105631)
    - CVE-2025-3028 Use-after-free triggered by XSLTProcessor
    - CVE-2025-3029 URL bar spoofing via non-BMP Unicode characters
    - CVE-2025-3030 Memory safety bugs

 -- Jeremy Bícha <jbi...@ubuntu.com>  Mon, 31 Mar 2025 12:49:25 -0400

** Changed in: mozjs128 (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-3028

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-3029

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-3030

--
https://bugs.launchpad.net/bugs/2105631

Title:
  Update mozjs128 to 128.9.0 for plucky

Status in mozjs128 package in Ubuntu:
  Fix Released

Bug description:
  Impact
  ------
  Mozilla is releasing new security updates April 1. I have compared the
  security advisories with the somewhat stripped down source code we build
  with and mentioned fixed security vulnerabilities in debian/changelog.

  Test Cases
  ----------
  Complete the test cases at
  https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

  It is rare for a minor mozjs update to break apps. (It happened once to
  the gnome-weather app.)

  Other Info
  ----------
  mozjs is the JavaScript engine from Firefox ESR. Mozilla provides
  security updates for an ESR series for about a year. mozjs128 is used by
  gjs which powers GNOME Shell and several GNOME apps.

  https://whattrainisitnow.com/calendar/