Bug 35165 - Firefox 140.8
Summary: Firefox 140.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 35166
Reported: 2026-03-02 09:22 CET by Nicolas Salguero
Modified: 2026-03-09 18:50 CET

See Also:
Source RPM: rootcerts, nss, firefox, firefox-l10n
CVE: CVE-2026-275[7-9], CVE-2026-276[0-9], CVE-2026-277[0-9], CVE-2026-278[0-9], CVE-2026-279[0-3]
Status comment:


Description Nicolas Salguero 2026-03-02 09:22:04 CET
Mozilla has released NSS 3.121 on February 19:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html

rootcerts must be updated to 2026-02-06 for that version of NSS.

Mozilla has released Firefox 140.8 on February 24:
https://www.firefox.com/en-US/firefox/140.8.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-15/
Nicolas Salguero 2026-03-02 09:25:13 CET

Blocks: (none) => 35166

Nicolas Salguero 2026-03-02 09:31:16 CET

Source RPM: (none) => rootcerts, nss, firefox, firefox-l10n
CVE: (none) => CVE-2026-275[7-9], CVE-2026-276[0-9], CVE-2026-277[0-9], CVE-2026-278[0-9], CVE-2026-279[0-3]
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-03-02 14:37:14 CET
For Cauldron and Mageia 9, rootcerts, nss and firefox-l10n are built but firefox failed to build.
Comment 2 katnatek 2026-03-02 19:54:09 CET
(In reply to Nicolas Salguero from comment #1)
> For Cauldron and Mageia 9, rootcerts, nss and firefox-l10n are built but
> firefox failed to build.

If I remember well, in line 301 I conditionally did not apply the patch for ix86
because it fails to compile the same component, so now it could be

%ifnarch %{ix86} aarch64
%patch -P2003 -p1
%endif
Comment 3 katnatek 2026-03-02 19:58:17 CET
Sorry I was seeing the cauldron fail, checking the mageia 9 now
Comment 4 katnatek 2026-03-02 20:25:51 CET
The mozilla-bmo patches of opensuse could help
https://build.opensuse.org/package/show/openSUSE:Factory/firefox-esr

As far as I can see, they are related to skia
katnatek 2026-03-02 20:28:43 CET

CC: (none) => j.alberto.vc

Comment 5 Lewis Smith 2026-03-02 20:52:03 CET
Leaving with you, Nicolas. José is CC'd.

Assignee: bugsquad => nicolas.salguero

Comment 6 katnatek 2026-03-03 21:20:51 CET
(In reply to katnatek from comment #2)
> %ifnarch %{ix86} aarch64
> %patch -P2003 -p1
> %endif

For cauldron
The fix for aarch64 works, the test build is in 128:02.53; as soon as possible
I'll test if it is necessary for i686
Comment 7 katnatek 2026-03-04 03:37:39 CET
RPMS:
firefox-140.8.0-1.mga9
firefox-af-140.8.0-1.mga9.noarch.rpm
firefox-an-140.8.0-1.mga9.noarch.rpm
firefox-ar-140.8.0-1.mga9.noarch.rpm
firefox-ast-140.8.0-1.mga9.noarch.rpm
firefox-az-140.8.0-1.mga9.noarch.rpm
firefox-be-140.8.0-1.mga9.noarch.rpm
firefox-bg-140.8.0-1.mga9.noarch.rpm
firefox-bn-140.8.0-1.mga9.noarch.rpm
firefox-br-140.8.0-1.mga9.noarch.rpm
firefox-bs-140.8.0-1.mga9.noarch.rpm
firefox-ca-140.8.0-1.mga9.noarch.rpm
firefox-cs-140.8.0-1.mga9.noarch.rpm
firefox-cy-140.8.0-1.mga9.noarch.rpm
firefox-da-140.8.0-1.mga9.noarch.rpm
firefox-de-140.8.0-1.mga9.noarch.rpm
firefox-el-140.8.0-1.mga9.noarch.rpm
firefox-en_CA-140.8.0-1.mga9.noarch.rpm
firefox-en_GB-140.8.0-1.mga9.noarch.rpm
firefox-en_US-140.8.0-1.mga9.noarch.rpm
firefox-eo-140.8.0-1.mga9.noarch.rpm
firefox-es_AR-140.8.0-1.mga9.noarch.rpm
firefox-es_CL-140.8.0-1.mga9.noarch.rpm
firefox-es_ES-140.8.0-1.mga9.noarch.rpm
firefox-es_MX-140.8.0-1.mga9.noarch.rpm
firefox-et-140.8.0-1.mga9.noarch.rpm
firefox-eu-140.8.0-1.mga9.noarch.rpm
firefox-fa-140.8.0-1.mga9.noarch.rpm
firefox-ff-140.8.0-1.mga9.noarch.rpm
firefox-fi-140.8.0-1.mga9.noarch.rpm
firefox-fr-140.8.0-1.mga9.noarch.rpm
firefox-fur-140.8.0-1.mga9.noarch.rpm
firefox-fy_NL-140.8.0-1.mga9.noarch.rpm
firefox-ga_IE-140.8.0-1.mga9.noarch.rpm
firefox-gd-140.8.0-1.mga9.noarch.rpm
firefox-gl-140.8.0-1.mga9.noarch.rpm
firefox-gu_IN-140.8.0-1.mga9.noarch.rpm
firefox-he-140.8.0-1.mga9.noarch.rpm
firefox-hi_IN-140.8.0-1.mga9.noarch.rpm
firefox-hr-140.8.0-1.mga9.noarch.rpm
firefox-hsb-140.8.0-1.mga9.noarch.rpm
firefox-hu-140.8.0-1.mga9.noarch.rpm
firefox-hy_AM-140.8.0-1.mga9.noarch.rpm
firefox-ia-140.8.0-1.mga9.noarch.rpm
firefox-id-140.8.0-1.mga9.noarch.rpm
firefox-is-140.8.0-1.mga9.noarch.rpm
firefox-it-140.8.0-1.mga9.noarch.rpm
firefox-ja-140.8.0-1.mga9.noarch.rpm
firefox-ka-140.8.0-1.mga9.noarch.rpm
firefox-kab-140.8.0-1.mga9.noarch.rpm
firefox-kk-140.8.0-1.mga9.noarch.rpm
firefox-km-140.8.0-1.mga9.noarch.rpm
firefox-kn-140.8.0-1.mga9.noarch.rpm
firefox-ko-140.8.0-1.mga9.noarch.rpm
firefox-lij-140.8.0-1.mga9.noarch.rpm
firefox-lt-140.8.0-1.mga9.noarch.rpm
firefox-lv-140.8.0-1.mga9.noarch.rpm
firefox-mk-140.8.0-1.mga9.noarch.rpm
firefox-mr-140.8.0-1.mga9.noarch.rpm
firefox-ms-140.8.0-1.mga9.noarch.rpm
firefox-my-140.8.0-1.mga9.noarch.rpm
firefox-nb_NO-140.8.0-1.mga9.noarch.rpm
firefox-nl-140.8.0-1.mga9.noarch.rpm
firefox-nn_NO-140.8.0-1.mga9.noarch.rpm
firefox-oc-140.8.0-1.mga9.noarch.rpm
firefox-pa_IN-140.8.0-1.mga9.noarch.rpm
firefox-pl-140.8.0-1.mga9.noarch.rpm
firefox-pt_BR-140.8.0-1.mga9.noarch.rpm
firefox-pt_PT-140.8.0-1.mga9.noarch.rpm
firefox-ro-140.8.0-1.mga9.noarch.rpm
firefox-ru-140.8.0-1.mga9.noarch.rpm
firefox-sat-140.8.0-1.mga9.noarch.rpm
firefox-sc-140.8.0-1.mga9.noarch.rpm
firefox-si-140.8.0-1.mga9.noarch.rpm
firefox-sk-140.8.0-1.mga9.noarch.rpm
firefox-sl-140.8.0-1.mga9.noarch.rpm
firefox-sq-140.8.0-1.mga9.noarch.rpm
firefox-sr-140.8.0-1.mga9.noarch.rpm
firefox-sv_SE-140.8.0-1.mga9.noarch.rpm
firefox-szl-140.8.0-1.mga9.noarch.rpm
firefox-ta-140.8.0-1.mga9.noarch.rpm
firefox-te-140.8.0-1.mga9.noarch.rpm
firefox-tg-140.8.0-1.mga9.noarch.rpm
firefox-th-140.8.0-1.mga9.noarch.rpm
firefox-tl-140.8.0-1.mga9.noarch.rpm
firefox-tr-140.8.0-1.mga9.noarch.rpm
firefox-uk-140.8.0-1.mga9.noarch.rpm
firefox-ur-140.8.0-1.mga9.noarch.rpm
firefox-uz-140.8.0-1.mga9.noarch.rpm
firefox-vi-140.8.0-1.mga9.noarch.rpm
firefox-xh-140.8.0-1.mga9.noarch.rpm
firefox-zh_CN-140.8.0-1.mga9.noarch.rpm
firefox-zh_TW-140.8.0-1.mga9.noarch.rpm

lib(64)nss-devel-3.121.0-1.mga9
lib(64)nss-static-devel-3.121.0-1.mga9
lib(64)nss3-3.121.0-1.mga9
nss-3.121.0-1.mga9
nss-doc-3.121.0-1.mga9.noarch.rpm

rootcerts-20260206.00-1.mga9.noarch.rpm
rootcerts-java-20260206.00-1.mga9.noarch.rpm


SRPMS:
firefox-140.8.0-1.mga9
firefox-l10n-140.8.0-1.mga9
rootcerts-20260206.00-1.mga9
nss-3.121.0-1.mga9

Nicolas, please provide advisory

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

katnatek 2026-03-04 03:38:11 CET

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

Comment 8 Nicolas Salguero 2026-03-04 09:12:16 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Incorrect boundary conditions in the WebRTC: Audio/Video component. (CVE-2026-2757)

Use-after-free in the JavaScript: GC component. (CVE-2026-2758)

Incorrect boundary conditions in the Graphics: ImageLib component. (CVE-2026-2759)

Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. (CVE-2026-2760)

Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761)

Integer overflow in the JavaScript: Standard Library component. (CVE-2026-2762)

Use-after-free in the JavaScript Engine component. (CVE-2026-2763)

JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2764)

Use-after-free in the JavaScript Engine component. (CVE-2026-2765)

Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766)

Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767)

Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768)

Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769)

Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770)

Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771)

Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772)

Incorrect boundary conditions in the Web Audio component. (CVE-2026-2773)

Integer overflow in the Audio/Video component. (CVE-2026-2774)

Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775)

Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. (CVE-2026-2776)

Privilege escalation in the Messaging System component. (CVE-2026-2777)

Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. (CVE-2026-2778)

Incorrect boundary conditions in the Networking: JAR component. (CVE-2026-2779)

Privilege escalation in the Netmonitor component. (CVE-2026-2780)

Integer overflow in the Libraries component in NSS. (CVE-2026-2781)

Privilege escalation in the Netmonitor component. (CVE-2026-2782)

Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-2783)

Mitigation bypass in the DOM: Security component. (CVE-2026-2784)

Invalid pointer in the JavaScript Engine component. (CVE-2026-2785)

Use-after-free in the JavaScript Engine component. (CVE-2026-2786)

Use-after-free in the DOM: Window and Location component. (CVE-2026-2787)

Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-2788)

Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789)

Same-origin policy bypass in the Networking: JAR component. (CVE-2026-2790)

Mitigation bypass in the Networking: Cache component. (CVE-2026-2791)

Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2792)

Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793)

References:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html
https://www.firefox.com/en-US/firefox/140.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-15/
Nicolas Salguero 2026-03-04 09:12:36 CET

Flags: affects_mga9+ => (none)

katnatek 2026-03-04 20:20:02 CET

CC: j.alberto.vc => (none)

katnatek 2026-03-05 03:25:28 CET

Keywords: (none) => advisory

Comment 9 Herman Viaene 2026-03-05 14:25:59 CET
Tested on newspaper site with video and sound, all OK.

CC: (none) => herman.viaene

Comment 10 Thomas Andrews 2026-03-07 23:07:06 CET
I've been using this and the accompanying Thunderbird on two different computers for close to three days with no issues showing yet.

CC: (none) => andrewsfarm

Comment 11 Len Lawrence 2026-03-08 00:30:32 CET
mga9, x86_64
Just installed Firefox and recovered sidebar bookmarks menu.
Visited madb, APOD, local Downloads directory and Google maps.
Added tab for ftp.fi.muni.cz and visited release directory for Mageia9.
Back to desktop, installed stellarium and launched it successfully.
Network running fine on ethernet and wifi.  NFS OK.  Falkon and Thunderbird are OK.  Having a little trouble connecting audio on Bluetooth though - a definite regression.

CC: (none) => tarazed25

Comment 12 Len Lawrence 2026-03-08 01:05:01 CET
Regarding comment 11.  Ignore the "Back to desktop.....".  Senility again.
Comment 13 katnatek 2026-03-08 02:13:12 CET
RH x86_64
installing lib64nss3-3.121.0-1.mga9.x86_64.rpm rootcerts-20260206.00-1.mga9.noarch.rpm rootcerts-java-20260206.00-1.mga9.noarch.rpm nss-3.121.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/4: nss                   ###################################################################################################
      2/4: lib64nss3             ###################################################################################################
      3/4: rootcerts-java        ###################################################################################################
      4/4: rootcerts             ###################################################################################################
      1/4: removing lib64nss3-2:3.120.0-1.mga9.x86_64
                                 ###################################################################################################
      2/4: removing rootcerts-java-1:20251003.00-1.mga9.noarch
                                 ###################################################################################################
      3/4: removing rootcerts-1:20251003.00-1.mga9.noarch
                                 ###################################################################################################
      4/4: removing nss-2:3.120.0-1.mga9.x86_64
                                 ###################################################################################################

LC_ALL=C urpmi firefox firefox-es_MX


installing firefox-es_MX-140.8.0-1.mga9.noarch.rpm firefox-140.8.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/2: firefox               ###################################################################################################
      2/2: firefox-es_MX         ###################################################################################################


Backup my profile and start firefox (I use the Mozilla's Desktop version)
Start firefox
install ublock
browse youtube
login in mail.com
send this comment

Looks good
Comment 14 Thomas Andrews 2026-03-08 12:54:53 CET
(In reply to Len Lawrence from comment #12)
> Regarding comment 11.  Ignore the "Back to desktop.....".  Senility again.

Just to be clear, this means the regression you mentioned is not related to Firefox?
Comment 15 Len Lawrence 2026-03-08 13:51:36 CET
(In reply to Thomas Andrews from comment #14)

Yes, it is unrelated.  Forgot that it was Firefox and not the kernel which was being tested.  My apologies.  (It may be wise for me to retire)
Comment 16 Thomas Andrews 2026-03-08 14:20:55 CET
No need to apologise, Len. We ALL have our lapses. I don't track such things, but I have the impression that I've seen more of those "lapses" from younger folks that are a little too eager than from those of us who are more experienced.

As for retirement, that has to be up to you, because only you know your full situation. Just know that I, for one, am not looking to push you out - I value your experience and friendship far too much to do that.
Comment 17 Thomas Andrews 2026-03-08 19:28:42 CET
On Foolishness, my Dell Inspiron 5100 32-bit Xfce session, Firefox works OK, eventually, but is horribly slow. Probably would be better if I were using Ethernet rather than wifi, but it has always been this way. Today's Internet pages are just too complex.

Anyway, I'm going to validate it.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK MGA9-32-OK
Keywords: (none) => validated_update

Comment 18 Morgan Leijström 2026-03-08 21:47:50 CET
mga9-64 OK here 

Plasma, X11, GeForce GTX 1070 Ti using modesetting

Swedish localisation.
Settings and tabs kept.
Various sites including shops, video, banking.
Viewing and printing pdf to network printer.

[morgan@svarten ~]$ firefox --version
Mozilla Firefox 140.8.0esr

[morgan@svarten ~]$ inxi -SG
System:
  Host: svarten.tribun Kernel: 6.18.4-desktop-3.stabletesting.mga9
    arch: x86_64 bits: 64
  Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
Graphics:
  Device-1: NVIDIA GP104 [GeForce GTX 1070 Ti] driver: nouveau v: kernel
  Display: x11 server: X.org v: 1.21.1.21 with: Xwayland v: 22.1.9 driver:
    X: loaded: modesetting,v4l dri: nouveau gpu: nouveau
    resolution: 3840x2160~60Hz
  API: EGL v: 1.5 drivers: nouveau,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.5 compat-v: 4.3 vendor: mesa v: 25.0.7 renderer: NV134

CC: (none) => fri

Comment 19 Jose Manuel López 2026-03-09 09:57:03 CET
Installed in Mageia 9 Plasma x86_64, 

Pc Intel I3 with mesa drivers.

Works fine for the moment

Audio and video ok.
Youtube ok.
Banks ok.
Addons ok.
Spanish locale ok.
Digital certificates ok.

CC: (none) => Joselp

Comment 20 Jose Manuel López 2026-03-09 09:57:40 CET
Installed in Mageia 9 Plasma x86_64, 

Laptop Slimbook Essential Intel I5 with mesa intel iris drivers.

Works fine for the moment

Audio and video ok.
Youtube ok.
Banks ok.
Addons ok.
Spanish locale ok.
Digital certificates ok.
Comment 21 Dan Fandrich 2026-03-09 18:07:06 CET
The CVE list in the advisory needs to have one CVE per line. The tooling doesn't handle shell-style (or any other style) of expansions like CVE-2026-275[7-9]. I've pushed that change to the advisory.

CC: (none) => dan
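
The expansion described in comment 21, as an added example that is not part of the bug thread or of Mageia's advisory tooling: it turns the compact notation used in this bug's CVE field into one id per line and reports ids the advisory text never cites. The function names and the token grammar (a single-digit bracket range at the end of the id) are assumptions based only on the field as written on this page.

```python
import re

# Compact token as written in the bug's CVE field: an id whose last digit may
# be a single-digit range in brackets, e.g. CVE-2026-275[7-9] (assumed grammar).
TOKEN = re.compile(r"^(CVE-\d{4}-\d+)(?:\[(\d)-(\d)\])?$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def expand_token(token):
    """Return the full CVE ids a single compact token stands for."""
    m = TOKEN.match(token)
    if not m:
        raise ValueError(f"unrecognised CVE token: {token!r}")
    prefix, lo, hi = m.groups()
    if lo is None:
        ids = [prefix]  # already a plain id
    elif int(lo) > int(hi):
        raise ValueError(f"descending range in {token!r}")
    else:
        ids = [f"{prefix}{d}" for d in range(int(lo), int(hi) + 1)]
    for cve in ids:
        # Reject anything that is not a well-formed id after expansion.
        if not CVE_ID.fullmatch(cve):
            raise ValueError(f"{token!r} expands to malformed id {cve!r}")
    return ids


def expand_field(field):
    """Expand a comma-separated CVE field into a de-duplicated, ordered list."""
    out = []
    for token in filter(None, (t.strip() for t in field.split(","))):
        for cve in expand_token(token):
            if cve not in out:
                out.append(cve)
    return out


def missing_from_advisory(field, advisory_text):
    """Ids claimed in the field that the advisory body never cites."""
    cited = set(CVE_ID.findall(advisory_text))
    return [cve for cve in expand_field(field) if cve not in cited]


# CVE field exactly as it appears on this bug.
BUG_FIELD = ("CVE-2026-275[7-9], CVE-2026-276[0-9], CVE-2026-277[0-9], "
             "CVE-2026-278[0-9], CVE-2026-279[0-3]")

if __name__ == "__main__":
    print("\n".join(expand_field(BUG_FIELD)))  # one CVE per line
```
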

Comment 22 katnatek 2026-03-09 18:11:14 CET
(In reply to Dan Fandrich from comment #21)
> The CVE list in the advisory needs to have one CVE per line. The tooling
> doesn't handle shell-style (or any other style) of expansions like
> CVE-2026-275[7-9]. I've pushed that change to the advisory.

Take note of that, thanks
Comment 23 Mageia Robot 2026-03-09 18:50:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0052.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

