Firefox 4.0.1 is now available to beta testers (basically people that were running Firefox 4 Betas before it hit GA).
The release notes (as they currently stand) are quite sparse:
- Fixed several security issues.
- Fixed several stability issues.
No, Mozilla has not disclosed what those security issues might be and nor should they. The disclosure and advisories will not come until the Firefox 4.0.1 release is generally available. Mozilla does not want to put users at risk by revealing security details for items that most users have not patched for.
On the stability front, by my count there are at least 52 fixed bugs in 4.0.1 that will improve the stability of the open source web browser.
Another similar flaw is detailed in Bugzilla entry #640901 which is another critical crash condition issue.
One other issue that caught my eye is Bug # 644012 “crash with an empty issuer name in SSL certificate, +leak fix [@ strcmp | AuthCertificateCallback(void*, PRFileDesc*, int, int)]”
Considering the grief of the Commodo SSL cert flaw last month, this flaw is particularly interesting (and critical).
According to the entry: “Firefox crashes when trying to access a HTTPS website with a certificate that does not contain the fields issuerName.” Yes, that’s a critical flaw and yes I strongly suspect that it will end up as a named security advisory as well.
Firefox 4.0.1 is not expected to become generally available until April 26th.