Wednesday, October 10, 2012

16.0.1 chemspill (and 17 beta) imminent

For a high priority security bug (see today's Planning meeting notes) and a couple of ridealongs, Mozilla will chemspill 16.0.1. We never released a 10.4Fx 16.0, and 15.0.1 is not vulnerable, but 17a2 is and I will try to release our beta as soon as possible even though issue 180 (Mozilla bug 794337) is still not yet repaired. In the meantime, 10.0.8 is unaffected and would be the recommended workaround until the revised beta. 10.0.8 is in fact vulnerable to a variation attack: see the 10.0.9 post. Note for our AuroraFox users that AuroraFox 16 and 17 are vulnerable, and I will defer their mitigation to Tobias. SeaMonkey PPC 2.13 is also vulnerable.

Riding along with the 17 beta will be a prospective blacklist on Type 1 PostScript fonts, which Chris and one of our users demonstrated don't work with Harfbuzz and may be the underlying cause of this Tenderapp issue and this Tenderapp issue. However, I have a remarkably small number of replies from users for whom this was allegedly a crippling issue. It would really help me if those of you affected would chime in and say if you see the same thing, because the fixes are shots in the dark as I have not been able to replicate them on my internal test systems. The specific workarounds for Arial, Helvetica and Times will stay in, just in case.

10.0.8 was made official Monday night, btw. Remember, 10.0.9 will be the last 10.x release.

In other news, 16.0.1 will probably be the last official Firefox release supporting 10.5 ("adieu, spotted cat"), assuming no further chemspills. For those of you still making PPC builds directly from source without modification, that will break when 17 comes out, including the current incarnation of SeaMonkey PPC.
