Those reading earlier entries will notice I was puzzling over two strange commits attached to a (then) sec-locked bug that forced an RC2 and appeared limited in scope. They were indeed limited in scope, but to deal with a problem that has now become public; namely, a certificate authority had credentials stolen, enabling an Iran-based attacker to sign multiple bogus certs. At least one, and possibly more, escaped.
This is one of those cases where I question why something whose exploit was, technically, already in the wild was not publicly disclosed, and I would probably have held the release for it at the time.
It is now unclear exactly how much of an impact this bug has, because everyone knows about the bogus certs that got released, and they are already revoked at the OCSP level. Still, there is the possibility they could be used for nefarious purposes under certain circumstances, and I will be releasing a "4.0s" later today with display-version 4.0 but updated build-IDs incorporating this fix. This will coincide with 3.6.16 nicely in any case. For Classilla users who follow this blog, this will be part of Classilla 9.2.2 as well.
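To show the shape of the client-side fix being shipped here, and why OCSP revocation alone is not enough, the following is an added example written for this post; it is not TenFourFox, Mozilla or Comodo code. It models a hard-coded distrust list keyed on a certificate's issuer Name (raw DER) and serialNumber, checked before any OCSP answer is considered, so that a blocked cert is rejected even when the responder cannot be reached. The issuer names, serial numbers and `make_cert` helper are constructed for illustration only and are not the real fraudulent certificates.

```python
# Added example (not TenFourFox, Mozilla or Comodo code). Models a client-side
# distrust list keyed on (issuer Name DER, serialNumber), consulted before OCSP.
# All issuer names and serials below are constructed, not the real bogus certs.

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _integer(value):
    """DER INTEGER for a non-negative value (adds a leading 0x00 if top bit set)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def _name(common_name):
    """Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), PrintableString }."""
    cn_oid = _tlv(0x06, bytes([0x55, 0x04, 0x03]))
    atv = _tlv(0x30, cn_oid + _tlv(0x13, common_name.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, atv))

def make_cert(issuer_cn, serial, subject_cn):
    """Constructed, unsigned Certificate DER with the real field order of RFC 5280."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"110315000000Z") + _tlv(0x17, b"140315000000Z"))
    spki = _tlv(0x30, sha256_rsa + _tlv(0x03, b"\x00"))  # placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _integer(2)) + _integer(serial) + sha256_rsa
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))  # empty signature

def _read_tlv(buf, pos):
    """Return (tag, value, end_offset) for the DER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def issuer_and_serial(cert_der):
    """Walk Certificate -> tbsCertificate and pull out issuer (raw DER) and serial."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                       # optional explicit [0] version
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(val, "big", signed=True)
    tag, _, pos = _read_tlv(tbs, pos)     # signature AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected signature AlgorithmIdentifier")
    start = pos
    tag, _, pos = _read_tlv(tbs, pos)     # issuer Name, kept as raw DER
    if tag != 0x30:
        raise ValueError("expected issuer Name")
    return tbs[start:pos], serial

# Constructed distrust entries: the issuer's DER Name plus the serials to block.
_BAD_ISSUER = _name("Example Intermediate CA")
DISTRUSTED = frozenset({
    (_BAD_ISSUER, 0x00F5C86AF36162F13A64F54F6DC9587C06),
    (_BAD_ISSUER, 0x0D7E4B3A0E8F1B9C2A55),
})

def is_distrusted(cert_der):
    """True if (issuer, serial) is on the hard-coded list; needs no network."""
    return issuer_and_serial(cert_der) in DISTRUSTED

def accept_certificate(cert_der, ocsp_status):
    """Model of the client decision. ocsp_status is 'good', 'revoked', or None
    when the responder was unreachable; browsers of this era soft-fail on None,
    which is why the list check comes first and is unconditional."""
    if is_distrusted(cert_der):
        return False
    if ocsp_status == "revoked":
        return False
    return True  # 'good', or unreachable responder treated as good (soft-fail)
```

The point the model makes is the last function: with only OCSP, a cert whose responder is blocked or unreachable (`ocsp_status` of `None`) is accepted, whereas the hard-coded list rejects it regardless of network conditions.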