Looking at their SCM, they updated to the newest upstream less than two days ago [1]. However, the change appears trivial, so it might be feasible to track upstream if building from source as long as their customization scripts remain compatible.
> that bug would have bitten you on ESR as well
Sorry, I didn't word that clearly. ESR was affected, but the signature check could be disabled from about:config. The release channel had that flag listed, but it had no effect.
Ah, I didn't realize ESR did that. (And frankly I'm surprised it does.) One of the things I change when I build Firefox for myself is allowing the disabling of addon signings via about:config.
> that bug would have bitten you on ESR as well
Sorry, I didn't word that clearly. ESR was affected, but the signature check could be disabled from about:config. The release channel had that flag listed, but it had no effect.
[1] http://git.savannah.gnu.org/cgit/gnuzilla.git/log/