-------- Original Message --------
Subject: Out of cycle 3.6.3 release to fix the Pwn2Own bug
Date: Wed, 31 Mar 2010 18:21:45 -0700
From: Daniel Veditz <dve...@mozilla.com>
CC: security-group <securit...@mozilla.org>

As many of you no doubt heard, Firefox was one of the browsers
exploited last week at the annual Pwn2Own contest during the
CanSecWest security conference. We've identified the fix (and the
fix for a nasty memory leak regression) and plan to ship an out of
cycle 3.6.3 release as soon as we can. The earliest would be
Thursday evening, but most likely it will be Friday.

The patch was only available for testing starting with this
morning's test builds. There is always the chance testing will find
a problem that will cause a slip to early next week.

The exploit does not affect Firefox 3.5 and we do not at this point
plan to release an emergency fix for that branch. The affected code
is similar, though, so we will fix that branch when we issue the
next stability update (early May?) just to be safe. We continue to
investigate the exploit and affected code to make sure the
vulnerability is truly unreachable in 3.5 so I don't entirely rule
out an emergency 3.5.x update, but we are not planning one for 3.5
at this time.

Firefox 3.0.19 was our last planned release for the 3.0.x line and
we don't see any additional risk from this vulnerability that would
make us reconsider that at this time.