Tuesday, August 30, 2011

6.0.1 chemspill imminent

Mozilla has decided to release a 6.0.1 chemspill due to a nasty issue with more fraudulent SSL certificates being issued through a compromised certificate authority (DigiNotar). Unlike the earlier issue that brought us 4.0s back in the day, this one actually requires the entire root certificate to be withdrawn because it is believed that the CA is completely pwned (rather than just a matter of blacklisting a few rogue certs). These malicious certificates are believed to already be in the wild, and there's apparently quite a few as Google Chrome's bad certificate count is up by 247! Mozilla is tracking the issue as bug 682927, but it is currently sec-locked pending release.

Obviously this is a serious enough compromise that we will also be issuing a 6.0.1 which is being built on the G5 as you read this. (Classilla users, this fix will be ported to 9.2.3 when I can get the G4 MDD system back online; unfortunately Classilla development is stalled entirely until my connectivity is restored.) I plan to have 6.0.1 available either tomorrow or Thursday. Although issue 85 has a fix, I do not plan to have it ride along with this release because it may increase memory pressure on marginal systems. More about that when the 7 beta emerges, which I plan to work on as soon as Mozilla certifies beta 3 (probably this week also).


  1. Just built TFF7.0b2 using gcc-4.6.1 and this is being posted running it!
    The patchset against fx7.0a2 applied without any changes needed and there weren't any further patches needed for fx7.0b2.

  2. Excellent :)

    I hope to make a run at this later this week.


Due to an increased frequency of spam, comments are now subject to moderation.