Bug 33983 - Firefox 128.7
Summary: Firefox 128.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33984
 
Reported: 2025-02-04 16:40 CET by Nicolas Salguero
Modified: 2025-02-09 01:20 CET

See Also:
Source RPM: rootcerts, nss, firefox, firefox-l10n
CVE: CVE-2025-1009, CVE-2025-1010, CVE-2025-1011, CVE-2025-1012, CVE-2024-11704, CVE-2025-1013, CVE-2025-1014, CVE-2025-1016, CVE-2025-1017
Status comment:


Description Nicolas Salguero 2025-02-04 16:40:06 CET
Mozilla has released Firefox 128.7 on February 4:
https://www.mozilla.org/en-US/firefox/128.7.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/

Nicolas Salguero 2025-02-04 16:42:31 CET

CVE: (none) => CVE-2025-1009, CVE-2025-1010, CVE-2025-1011, CVE-2025-1012, CVE-2024-11704, CVE-2025-1013, CVE-2025-1014, CVE-2025-1016, CVE-2025-1017
Source RPM: (none) => firefox, firefox-l10n
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2025-02-06 09:20:00 CET
Mozilla has released NSS 3.108 on February 5:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_108.html#mozilla-projects-nss-nss-3-108-release-notes

Moreover, rootcerts needs an update (seems like the latest files date from 2025-01-30).

Nicolas Salguero 2025-02-06 09:21:31 CET

Blocks: (none) => 33984

Comment 2 Nicolas Salguero 2025-02-06 15:03:58 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use-after-free in XSLT. (CVE-2025-1009)

Use-after-free in Custom Highlight. (CVE-2025-1010)

A bug in WebAssembly code generation could result in a crash. (CVE-2025-1011)

Use-after-free during concurrent delazification. (CVE-2025-1012)

Potential double-free vulnerability in PKCS#7 decryption handling. (CVE-2024-11704)

Potential opening of private browsing tabs in normal browsing windows. (CVE-2025-1013)

Certificate length was not properly checked. (CVE-2025-1014)

Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7. (CVE-2025-1016)

Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. (CVE-2025-1017)

References:
https://www.mozilla.org/en-US/firefox/128.7.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_108.html#mozilla-projects-nss-nss-3-108-release-notes
========================

Updated packages in core/updates_testing:
========================
rootcerts-20250130.00-1.mga9
rootcerts-java-20250130.00-1.mga9

lib(64)nss3-3.108.0-1.mga9
lib(64)nss-devel-3.108.0-1.mga9
lib(64)nss-static-devel-3.108.0-1.mga9
nss-3.108.0-1.mga9
nss-doc-3.108.0-1.mga9

firefox-128.7.0-1.mga9
firefox-af-128.7.0-1.mga9
firefox-an-128.7.0-1.mga9
firefox-ar-128.7.0-1.mga9
firefox-ast-128.7.0-1.mga9
firefox-az-128.7.0-1.mga9
firefox-be-128.7.0-1.mga9
firefox-bg-128.7.0-1.mga9
firefox-bn-128.7.0-1.mga9
firefox-br-128.7.0-1.mga9
firefox-bs-128.7.0-1.mga9
firefox-ca-128.7.0-1.mga9
firefox-cs-128.7.0-1.mga9
firefox-cy-128.7.0-1.mga9
firefox-da-128.7.0-1.mga9
firefox-de-128.7.0-1.mga9
firefox-el-128.7.0-1.mga9
firefox-en_CA-128.7.0-1.mga9
firefox-en_GB-128.7.0-1.mga9
firefox-en_US-128.7.0-1.mga9
firefox-eo-128.7.0-1.mga9
firefox-es_AR-128.7.0-1.mga9
firefox-es_CL-128.7.0-1.mga9
firefox-es_ES-128.7.0-1.mga9
firefox-es_MX-128.7.0-1.mga9
firefox-et-128.7.0-1.mga9
firefox-eu-128.7.0-1.mga9
firefox-fa-128.7.0-1.mga9
firefox-ff-128.7.0-1.mga9
firefox-fi-128.7.0-1.mga9
firefox-fr-128.7.0-1.mga9
firefox-fur-128.7.0-1.mga9
firefox-fy_NL-128.7.0-1.mga9
firefox-ga_IE-128.7.0-1.mga9
firefox-gd-128.7.0-1.mga9
firefox-gl-128.7.0-1.mga9
firefox-gu_IN-128.7.0-1.mga9
firefox-he-128.7.0-1.mga9
firefox-hi_IN-128.7.0-1.mga9
firefox-hr-128.7.0-1.mga9
firefox-hsb-128.7.0-1.mga9
firefox-hu-128.7.0-1.mga9
firefox-hy_AM-128.7.0-1.mga9
firefox-ia-128.7.0-1.mga9
firefox-id-128.7.0-1.mga9
firefox-is-128.7.0-1.mga9
firefox-it-128.7.0-1.mga9
firefox-ja-128.7.0-1.mga9
firefox-ka-128.7.0-1.mga9
firefox-kab-128.7.0-1.mga9
firefox-kk-128.7.0-1.mga9
firefox-km-128.7.0-1.mga9
firefox-kn-128.7.0-1.mga9
firefox-ko-128.7.0-1.mga9
firefox-lij-128.7.0-1.mga9
firefox-lt-128.7.0-1.mga9
firefox-lv-128.7.0-1.mga9
firefox-mk-128.7.0-1.mga9
firefox-mr-128.7.0-1.mga9
firefox-ms-128.7.0-1.mga9
firefox-my-128.7.0-1.mga9
firefox-nb_NO-128.7.0-1.mga9
firefox-nl-128.7.0-1.mga9
firefox-nn_NO-128.7.0-1.mga9
firefox-oc-128.7.0-1.mga9
firefox-pa_IN-128.7.0-1.mga9
firefox-pl-128.7.0-1.mga9
firefox-pt_BR-128.7.0-1.mga9
firefox-pt_PT-128.7.0-1.mga9
firefox-ro-128.7.0-1.mga9
firefox-ru-128.7.0-1.mga9
firefox-sc-128.7.0-1.mga9
firefox-si-128.7.0-1.mga9
firefox-sk-128.7.0-1.mga9
firefox-sl-128.7.0-1.mga9
firefox-sq-128.7.0-1.mga9
firefox-sr-128.7.0-1.mga9
firefox-sv_SE-128.7.0-1.mga9
firefox-szl-128.7.0-1.mga9
firefox-ta-128.7.0-1.mga9
firefox-te-128.7.0-1.mga9
firefox-tg-128.7.0-1.mga9
firefox-th-128.7.0-1.mga9
firefox-tl-128.7.0-1.mga9
firefox-tr-128.7.0-1.mga9
firefox-uk-128.7.0-1.mga9
firefox-ur-128.7.0-1.mga9
firefox-uz-128.7.0-1.mga9
firefox-vi-128.7.0-1.mga9
firefox-xh-128.7.0-1.mga9
firefox-zh_CN-128.7.0-1.mga9
firefox-zh_TW-128.7.0-1.mga9

from SRPMS:
rootcerts-20250130.00-1.mga9.src.rpm
nss-3.108.0-1.mga9.src.rpm
firefox-128.7.0-1.mga9.src.rpm
firefox-l10n-128.7.0-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED

Comment 3 Len Lawrence 2025-02-06 17:29:14 CET
6.6.74-desktop-1.mga9  x86_64
AMD Ryzen 7 5700U

Clean update.  Restored previous session.  Visited Jezero Crater on Mars and a number of familiar websites.  Had a quick look at gmail Inbox.  Played Youtube scifi video - sound and vision OK.  Online banking OK.  Displayed local photo in the browser using the command-line.  Rearranged a few bookmarks in the index list.  Looks good.

CC: (none) => tarazed25

Comment 4 Brian Rockwell 2025-02-06 21:43:07 CET
MGA9-64, Xfce, AMD apu

Installed rootcerts, nss3, and firefox (English language)

===rebooted

$ firefox -version
Mozilla Firefox 128.7.0esr


email
websites
video work

CC: (none) => brtians1

Comment 5 Morgan Leijström 2025-02-06 22:03:31 CET
mga9-64 OK
Plasma, Intel CPU, AMD GPU

Closed FF, updated, start again.

Help -> about says "128.7.0esr (64-bitars)", and "mageia - 9.0"

Restored previous tabs, settings kept, Swedish localisation OK.
Used banking sites, tax office, shops, video sites, syncthing and nextcloud web UI, app.element.io, facebook, Mageia bugzilla....  saved file, opened-viewed-printed pdf to network printer.

CC: (none) => fri
Source RPM: firefox, firefox-l10n => rootcerts, nss, firefox, firefox-l10n, nss

Morgan Leijström 2025-02-06 22:04:07 CET

Source RPM: rootcerts, nss, firefox, firefox-l10n, nss => rootcerts, nss, firefox, firefox-l10n

katnatek 2025-02-06 23:13:02 CET

Keywords: (none) => advisory

Comment 6 Jose Manuel López 2025-02-07 08:28:27 CET
Installed in mga-x64

Works fine for the moment.

Banks ok.
Certificates ok.
Spanish translations ok.
Addons and settings ok.
Video and audio ok.

From terminal:

[jose@localhost ~]$ firefox
ATTENTION: default value of option mesa_glthread overridden by environment.
[Parent 13188, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/firefox-128.7.0/toolkit/xre/nsSigHandlers.cpp:187

(firefox:13188): GLib-GIO-WARNING **: 08:27:09.719: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.

Greetings!

CC: (none) => Joselp

Comment 7 Herman Viaene 2025-02-07 11:48:28 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Text and video OK, but no sound. May have to do with same problems on this laptop with the qt5 and qt6 updates.

CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2025-02-07 16:04:50 CET
MGA9-64 on two machines. No installation issues.

Read the local newspaper, browsed a few minutes on Amazon, watched a few minutes of the classic "Broken Arrow" on Youtube, checked in here. No issues so far.

CC: (none) => andrewsfarm

Comment 9 Morgan Leijström 2025-02-08 13:59:03 CET
OK also on three half-old laptops running x86_64 Plasma X11, tested incl qt update.
Thinkpad T510, Acer Aspire A717, Asus G75V

And on my i586 Thinkpad T43 lxqt, with all updates in testing.  This one does not cope with showing video, but some surfing and pod.

Comment 10 Thomas Andrews 2025-02-08 22:13:25 CET
Yeah, Foolishness doesn't do online videos well, either. But I think your T43 test is good enough for a 32-bit OK.

Several tests, no issues - This is good to go.

Validating.

Whiteboard: (none) => MGA9-64-OK MGA9-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Brian Rockwell 2025-02-08 23:48:00 CET
MGA9-64, AMD Ryzen 5 2600, Nvidia 1650 super, GNOME

The following 10 packages are going to be installed:

- firefox-128.7.0-1.mga9.x86_64
- firefox-en_CA-128.7.0-1.mga9.noarch
- firefox-en_GB-128.7.0-1.mga9.noarch
- firefox-en_US-128.7.0-1.mga9.noarch
- lib64nss-devel-3.108.0-1.mga9.x86_64
- lib64nss-static-devel-3.108.0-1.mga9.x86_64
- lib64nss3-3.108.0-1.mga9.x86_64
- nss-3.108.0-1.mga9.x86_64
- rootcerts-20250130.00-1.mga9.noarch
- rootcerts-java-20250130.00-1.mga9.noarch

80KB of additional disk space will be used.

----

rebooted

sound working
Websites working as expected

works for me


-------
Thanks TJ

Comment 12 Mageia Robot 2025-02-09 01:20:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0045.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

