[opensuse-factory] new package: mozjs24

Hi,

I've just created a submitrequest to Factory for the source package mozjs24 (Mozilla JS engine version 24). This is basically an update for mozjs17 and not a real new package. mozjs17 has to stay though until all consumers have been changed to use mozjs24.

mozjs17 is unmaintained from a security perspective so depending projects should look into migrating to use mozjs24 instead.

Wolfgang
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Wolfgang Rosenauer writes:
> I've just created a submitrequest to Factory for the source package mozjs24 (Mozilla JS engine version 24).

So the JS engines follow the ESR schedule now, it seems — or is this purely incidental?

Regards, Achim.

On 15.01.2014 21:08, Achim Gratz wrote:
AFAICS for the ESR versions there are source tarballs. It's possible to build every current JS engine as well but as API/ABI is changing regularly it makes sense to follow ESR versions which are stable at least some months.

Wolfgang

* Wolfgang Rosenauer <wolfgang@rosenauer.org> [2014-01-15 11:51]:
What does that mean for 13.1, will you backport security fixes for its and subsequently Evergreen's lifetime? Just wondering because there is this steaming pile called PolicyKit which currently depends on libmozjs-17 and only supports either 17.0 or 18.5...

Guido Berhoerster

On 15.01.2014 22:03, Guido Berhoerster wrote:
Security fixes will be backported on a best effort basis I'd say because there are not many choices.

Wolfgang

Wolfgang Rosenauer wrote:
Security fixes in the Javascript engine are not much of relevance for policykit anyways as policykit only executes Javascript code that the admin provides.

cu Ludwig

* Ludwig Nussel <ludwig.nussel@suse.de> [2014-01-16 08:53]:
While the js code comes from trusted sources (package or admin) polkit passes a bunch of input from the system, some of which is user-controllable (e.g. pkexec commandline), to the js engine, so if that can be used to trigger a bug in mozjs (e.g. memory corruption) which affects the evaluation or returned results it could potentially be exploited to bypass access restrictions.

Guido Berhoerster
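
The trust boundary discussed in the last two messages, as an added example that is not part of the thread or of polkit's own code: an admin-written rule is trusted, yet the strings it reads for a pkexec request are chosen by the caller. The harness (`evaluate`, the `Result` values, the allowed path, the length cap and the user name) is constructed for illustration; only `polkit.addRule`, `polkit.Result`, `action.id`, `action.lookup` and `subject.user` mirror polkit's rules API.

```javascript
// Stand-in for polkitd's rule dispatch (hypothetical harness, constructed here).
// Only the API names mirror polkit; the constant values and evaluate() are assumptions.
const polkit = {
  Result: { NO: "no", YES: "yes", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

const ALLOWED_PROGRAMS = new Set(["/usr/bin/example-tool"]); // constructed path
const MAX_LEN = 4096; // assumed cap on caller-supplied text

// Admin-authored (trusted) rule. The values it looks up are not trusted:
// for pkexec, "program" and "command_line" come from the calling user.
polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.policykit.exec") return polkit.Result.NOT_HANDLED;
  const program = action.lookup("program");
  const cmdline = action.lookup("command_line");
  if (typeof program !== "string" || typeof cmdline !== "string") {
    return polkit.Result.NOT_HANDLED;
  }
  if (cmdline.length > MAX_LEN) return polkit.Result.NO;
  // Exact comparisons only: no regex, eval or parsing of caller-chosen text.
  const ok = ALLOWED_PROGRAMS.has(program) && cmdline === program &&
             subject.user === "operator"; // constructed user name
  return ok ? polkit.Result.YES : polkit.Result.NOT_HANDLED;
});

// Hypothetical dispatcher: the first rule that returns a decision wins.
function evaluate(actionId, details, user) {
  const has = (k) => Object.prototype.hasOwnProperty.call(details, k);
  const action = { id: actionId, lookup: (k) => (has(k) ? details[k] : undefined) };
  for (const rule of polkit._rules) {
    const r = rule(action, { user });
    if (r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}
```

Keeping rule logic to exact comparisons limits how much engine code the caller-chosen strings exercise; it does not stand in for a maintained engine.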

participants (4)
- Achim Gratz
- Guido Berhoerster
- Ludwig Nussel
- Wolfgang Rosenauer