34987 – Firefox 140.7

Bug 34987 - Firefox 140.7

Summary: Firefox 140.7

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:	34993
	Show dependency tree / graph

Reported:	2026-01-13 16:28 CET by Nicolas Salguero
Modified:	2026-01-20 04:26 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	nss, firefox, firefox-l10n
CVE:	CVE-2026-0877, CVE-2026-0878, CVE-2026-0879, CVE-2026-0880, CVE-2026-0882, CVE-2025-14327, CVE-2026-0883, CVE-2026-0884, CVE-2026-0885, CVE-2026-0886, CVE-2026-0887, CVE-2026-0890, CVE-2026-0891
Status comment:

Flags:	andrewsfarm: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-01-13 16:28:46 CET

Mozilla has released NSS 3.120 on January 8:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120.html

Mozilla has released Firefox 140.7 on January 13:
https://www.firefox.com/en-US/firefox/140.7.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/

Nicolas Salguero 2026-01-13 16:31:05 CET

Source RPM: (none) => nss, firefox, firefox-l10n
Flags: (none) => affects_mga9+
CVE: (none) => CVE-2026-0877, CVE-2026-0878, CVE-2026-0879, CVE-2026-0880, CVE-2026-0882, CVE-2025-14327, CVE-2026-0883, CVE-2026-0884, CVE-2026-0885, CVE-2026-0886, CVE-2026-0887, CVE-2026-0890, CVE-2026-0891
Severity: normal => major
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2026-01-13 20:33:50 CET

You routinely do Firefox etc, so again assigning this back to you.

Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2026-01-14 08:11:39 CET

Blocks: (none) => 34993

Comment 2 Nicolas Salguero 2026-01-14 09:16:36 CET

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Mitigation bypass in the DOM: Security component. (CVE-2026-0877)

Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. (CVE-2026-0878)

Sandbox escape due to incorrect boundary conditions in the Graphics component. (CVE-2026-0879)

Sandbox escape due to integer overflow in the Graphics component. (CVE-2026-0880)

Use-after-free in the IPC component. (CVE-2026-0882)

Spoofing issue in the Downloads Panel component. (CVE-2025-14327)

Information disclosure in the Networking component. (CVE-2026-0883)

Use-after-free in the JavaScript Engine component. (CVE-2026-0884)

Use-after-free in the JavaScript: GC component. (CVE-2026-0885)

Incorrect boundary conditions in the Graphics component. (CVE-2026-0886)

Clickjacking issue, information disclosure in the PDF Viewer component. (CVE-2026-0887)

Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. (CVE-2026-0890)

Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. (CVE-2026-0891)

References:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120.html
https://www.firefox.com/en-US/firefox/140.7.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/
========================

Updated packages in core/updates_testing:
========================
lib(64)nss-devel-3.120.0-1.mga9
lib(64)nss-static-devel-3.120.0-1.mga9
lib(64)nss3-3.120.0-1.mga9
nss-3.120.0-1.mga9
nss-doc-3.120.0-1.mga9

firefox-140.7.0-1.mga9

firefox-af-140.7.0-1.mga9
firefox-an-140.7.0-1.mga9
firefox-ar-140.7.0-1.mga9
firefox-ast-140.7.0-1.mga9
firefox-az-140.7.0-1.mga9
firefox-be-140.7.0-1.mga9
firefox-bg-140.7.0-1.mga9
firefox-bn-140.7.0-1.mga9
firefox-br-140.7.0-1.mga9
firefox-bs-140.7.0-1.mga9
firefox-ca-140.7.0-1.mga9
firefox-cs-140.7.0-1.mga9
firefox-cy-140.7.0-1.mga9
firefox-da-140.7.0-1.mga9
firefox-de-140.7.0-1.mga9
firefox-el-140.7.0-1.mga9
firefox-en_CA-140.7.0-1.mga9
firefox-en_GB-140.7.0-1.mga9
firefox-en_US-140.7.0-1.mga9
firefox-eo-140.7.0-1.mga9
firefox-es_AR-140.7.0-1.mga9
firefox-es_CL-140.7.0-1.mga9
firefox-es_ES-140.7.0-1.mga9
firefox-es_MX-140.7.0-1.mga9
firefox-et-140.7.0-1.mga9
firefox-eu-140.7.0-1.mga9
firefox-fa-140.7.0-1.mga9
firefox-ff-140.7.0-1.mga9
firefox-fi-140.7.0-1.mga9
firefox-fr-140.7.0-1.mga9
firefox-fur-140.7.0-1.mga9
firefox-fy_NL-140.7.0-1.mga9
firefox-ga_IE-140.7.0-1.mga9
firefox-gd-140.7.0-1.mga9
firefox-gl-140.7.0-1.mga9
firefox-gu_IN-140.7.0-1.mga9
firefox-he-140.7.0-1.mga9
firefox-hi_IN-140.7.0-1.mga9
firefox-hr-140.7.0-1.mga9
firefox-hsb-140.7.0-1.mga9
firefox-hu-140.7.0-1.mga9
firefox-hy_AM-140.7.0-1.mga9
firefox-ia-140.7.0-1.mga9
firefox-id-140.7.0-1.mga9
firefox-is-140.7.0-1.mga9
firefox-it-140.7.0-1.mga9
firefox-ja-140.7.0-1.mga9
firefox-ka-140.7.0-1.mga9
firefox-kab-140.7.0-1.mga9
firefox-kk-140.7.0-1.mga9
firefox-km-140.7.0-1.mga9
firefox-kn-140.7.0-1.mga9
firefox-ko-140.7.0-1.mga9
firefox-lij-140.7.0-1.mga9
firefox-lt-140.7.0-1.mga9
firefox-lv-140.7.0-1.mga9
firefox-mk-140.7.0-1.mga9
firefox-mr-140.7.0-1.mga9
firefox-ms-140.7.0-1.mga9
firefox-my-140.7.0-1.mga9
firefox-nb_NO-140.7.0-1.mga9
firefox-nl-140.7.0-1.mga9
firefox-nn_NO-140.7.0-1.mga9
firefox-oc-140.7.0-1.mga9
firefox-pa_IN-140.7.0-1.mga9
firefox-pl-140.7.0-1.mga9
firefox-pt_BR-140.7.0-1.mga9
firefox-pt_PT-140.7.0-1.mga9
firefox-ro-140.7.0-1.mga9
firefox-ru-140.7.0-1.mga9
firefox-sat-140.7.0-1.mga9
firefox-sc-140.7.0-1.mga9
firefox-si-140.7.0-1.mga9
firefox-sk-140.7.0-1.mga9
firefox-skr-140.7.0-1.mga9
firefox-sl-140.7.0-1.mga9
firefox-sq-140.7.0-1.mga9
firefox-sr-140.7.0-1.mga9
firefox-sv_SE-140.7.0-1.mga9
firefox-szl-140.7.0-1.mga9
firefox-ta-140.7.0-1.mga9
firefox-te-140.7.0-1.mga9
firefox-tg-140.7.0-1.mga9
firefox-th-140.7.0-1.mga9
firefox-tl-140.7.0-1.mga9
firefox-tr-140.7.0-1.mga9
firefox-uk-140.7.0-1.mga9
firefox-ur-140.7.0-1.mga9
firefox-uz-140.7.0-1.mga9
firefox-vi-140.7.0-1.mga9
firefox-xh-140.7.0-1.mga9
firefox-zh_CN-140.7.0-1.mga9
firefox-zh_TW-140.7.0-1.mga9

from SRPM:
nss-3.120.0-1.mga9.src.rpm
firefox-140.7.0-1.mga9.src.rpm
firefox-l10n-140.7.0-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs

Comment 3 Brian Rockwell 2026-01-14 14:53:04 CET

Gnome, Ryzen, Nvidia

The following 6 packages are going to be installed:

- firefox-140.7.0-1.mga9.x86_64
- firefox-en_CA-140.7.0-1.mga9.noarch
- firefox-en_GB-140.7.0-1.mga9.noarch
- firefox-en_US-140.7.0-1.mga9.noarch
- lib64nss3-3.120.0-1.mga9.x86_64
- nss-3.120.0-1.mga9.x86_64

356KB of additional disk space will be used.
 
$ firefox -version
Mozilla Firefox 140.7.0esr


common sites work

Looks good on this box

CC: (none) => brtians1

Comment 4 Brian Rockwell 2026-01-14 16:51:26 CET

MGA9-32, AMD A6-3420M APU with Radeon(tm) HD Graphics, old Laptop

The following 6 packages are going to be installed:

- firefox-140.7.0-1.mga9.i586
- firefox-en_CA-140.7.0-1.mga9.noarch
- firefox-en_GB-140.7.0-1.mga9.noarch
- firefox-en_US-140.7.0-1.mga9.noarch
- libnss3-3.120.0-1.mga9.i586
- nss-3.120.0-1.mga9.i586

511KB of additional disk space will be used.


$ firefox -version
Mozilla Firefox 140.7.0esr

spending time using firefox, etc.  
- general sites work
- youtube / audio working

Comment 5 Herman Viaene 2026-01-15 11:09:41 CET

MGA9 server Plasma Wayland on Compaq H000SB
No installation issues.
Used newspaper site with text, images and sound.
Video in youtube, all OK.

CC: (none) => herman.viaene

Comment 6 Jose Manuel López 2026-01-15 21:09:30 CET

Hi,

Updated in mga9 Plasma x64 without issues.

Works fine for the moment. 
Addons ok
Audio and video ok.
Banks ok.
Spanish ok.
Digital certificates ok.

I am using it all day whitout problems.

CC: (none) => Joselp

Comment 7 Morgan Leijström 2026-01-15 21:17:45 CET

mga9-64 OK here 
Plasma, X11.
Swedish localisation.
Settings and tabs kept.
Various sites including shops, video, banking.
Viewing and printing pdf to network printer.

$ firefox --version
Mozilla Firefox 140.7.0esr

$ inxi -SMCG
System:
  Host: svarten.tribun Kernel: 6.6.120-desktop-1.mga9 arch: x86_64 bits: 64
  Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
Machine:
  Type: Desktop Mobo: ASRock model: P55 Pro serial: <superuser required>
    BIOS: American Megatrends v: P2.60 date: 08/20/2010
CPU:
  Info: quad core model: Intel Core i7 870 bits: 64 type: MT MCP cache:
    L2: 1024 KiB
  Speed (MHz): avg: 1205 min/max: 1200/2934 cores: 1: 1205 2: 1205 3: 1205
    4: 1205 5: 1205 6: 1205 7: 1205 8: 1205
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Navi 24 [Radeon RX 6400/6500
    XT/6500M] driver: amdgpu v: kernel
  Display: x11 server: X.org v: 1.21.1.21 with: Xwayland v: 22.1.9 driver:
    X: loaded: amdgpu,v4l dri: radeonsi gpu: amdgpu resolution: 3840x2160~60Hz
  API: EGL v: 1.5 drivers: kms_swrast,radeonsi,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 25.0.7 renderer: AMD
    Radeon RX 6400 (radeonsi navi24 LLVM 15.0.6 DRM 3.54
    6.6.120-desktop-1.mga9)

CC: (none) => fri

katnatek 2026-01-17 01:56:59 CET

Keywords: (none) => advisory

Comment 8 Morgan Leijström 2026-01-19 01:52:01 CET

i586 OK
Tested while testing kernel 6.6.120
OK i586 6.6.120-1 on Thinkpad T43, lxde
Details in Bug 35022 Comment 4

Comment 9 Thomas Andrews 2026-01-20 02:22:55 CET

MGA9-64 Plasma. Been using the US English version for four days of general browsing with no issues.

Looks good - I think it's ready to go. Validating.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Mageia Robot 2026-01-20 04:26:26 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0013.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.