Bug 35403 - Firefox 140.10.1
Summary: Firefox 140.10.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 35404
 
Reported: 2026-04-27 10:00 CEST by Nicolas Salguero
Modified: 2026-05-09 18:25 CEST

See Also:
Source RPM: rootcerts, nss, firefox, firefox-l10n
CVE: CVE-2026-6746, CVE-2026-6747, CVE-2026-6748, CVE-2026-6749, CVE-2026-6750, CVE-2026-6751, CVE-2026-6752, CVE-2026-6753, CVE-2026-6754, CVE-2026-6757, CVE-2026-6759, CVE-2026-6761, CVE-2026-6762, CVE-2026-6763, CVE-2026-6764, CVE-2026-6765, CVE-2026-6766
Status comment:


Description Nicolas Salguero 2026-04-27 10:00:02 CEST
Mozilla has released NSS 3.123 on April 16 and NSS 3.123.1 on April 23:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_123.html

Mozilla has released Firefox 140.10 on April 21:
https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-32/

Comment 1 Nicolas Salguero 2026-04-27 10:08:20 CEST
rootcerts also needs to be updated to 2026-04-12.

CVE: (none) => CVE-2026-6746, CVE-2026-6747, CVE-2026-6748, CVE-2026-6749, CVE-2026-6750, CVE-2026-6751, CVE-2026-6752, CVE-2026-6753, CVE-2026-6754, CVE-2026-6757, CVE-2026-6759, CVE-2026-6761, CVE-2026-6762, CVE-2026-6763, CVE-2026-6764, CVE-2026-6765, CVE-2026-6766,
Source RPM: (none) => rootcerts, nss, firefox, firefox-l10n
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2026-04-27 10:08:37 CEST

Flags: (none) => affects_mga9+

Nicolas Salguero 2026-04-29 09:33:57 CEST

Blocks: (none) => 35404

Comment 3 Nicolas Salguero 2026-04-29 09:37:20 CEST
For Cauldron, I asked for a freeze move.

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
CVE: CVE-2026-6746, CVE-2026-6747, CVE-2026-6748, CVE-2026-6749, CVE-2026-6750, CVE-2026-6751, CVE-2026-6752, CVE-2026-6753, CVE-2026-6754, CVE-2026-6757, CVE-2026-6759, CVE-2026-6761, CVE-2026-6762, CVE-2026-6763, CVE-2026-6764, CVE-2026-6765, CVE-2026-6766, => CVE-2026-6746, CVE-2026-6747, CVE-2026-6748, CVE-2026-6749, CVE-2026-6750, CVE-2026-6751, CVE-2026-6752, CVE-2026-6753, CVE-2026-6754, CVE-2026-6757, CVE-2026-6759, CVE-2026-6761, CVE-2026-6762, CVE-2026-6763, CVE-2026-6764, CVE-2026-6765, CVE-2026-6766

Comment 4 Marja Van Waes 2026-04-29 22:35:09 CEST
No registered maintainer for any of these packages, assigning to all.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 5 Nicolas Salguero 2026-04-30 09:39:04 CEST
Mozilla has released Firefox 140.10.1 on April 21:
https://www.firefox.com/en-US/firefox/140.10.1/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-36/

Summary: Firefox 140.10 => Firefox 140.10.1
Severity: major => critical
Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
Version: 9 => Cauldron

Comment 6 Nicolas Salguero 2026-04-30 10:01:56 CEST
In fact, Mozilla has released Firefox 140.10.1 on April 28.

Comment 7 Nicolas Salguero 2026-04-30 13:23:22 CEST
For Cauldron, I asked for a freeze move.

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Flags: affects_mga9+ => (none)

Comment 8 Morgan Leijström 2026-05-02 16:00:28 CEST
i586 OK on my Thinkpad T43 while testing kernel kernel-desktop586-6.6.137-1 and kernel-desktop-6.6.137-1
firefox-140.10.1-1.mga9.i586, the i18n, rootcerts, nss

Swedish localisation OK
Restored tabs
Played video from internet in small dimension
Writing this.

CC: (none) => fri

Comment 9 Morgan Leijström 2026-05-03 22:38:58 CEST
All Firefox, rootcerts, nss and Thunderbird Bug 35404 were built days ago.
Need file lists and to be set to QA.

Comment 10 Nicolas Salguero 2026-05-04 10:12:30 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in the DOM: Core & HTML component. (CVE-2026-6746)

Use-after-free in the WebRTC component. (CVE-2026-6747)

Uninitialized memory in the Audio/Video: Web Codecs component. (CVE-2026-6748)

Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. (CVE-2026-6749)

Privilege escalation in the Graphics: WebRender component. (CVE-2026-6750)

Uninitialized memory in the Audio/Video: Web Codecs component. (CVE-2026-6751)

Incorrect boundary conditions in the WebRTC component. (CVE-2026-6752)

Incorrect boundary conditions in the WebRTC component. (CVE-2026-6753)

Use-after-free in the JavaScript Engine component. (CVE-2026-6754)

Invalid pointer in the JavaScript: WebAssembly component. (CVE-2026-6757)

Use-after-free in the Widget: Cocoa component. (CVE-2026-6759)

Privilege escalation in the Networking component. (CVE-2026-6761)

Spoofing issue in the DOM: Core & HTML component. (CVE-2026-6762)

Mitigation bypass in the File Handling component. (CVE-2026-6763)

Incorrect boundary conditions in the DOM: Device Interfaces component. (CVE-2026-6764)

Information disclosure in the Form Autofill component. (CVE-2026-6765)

Incorrect boundary conditions in the Libraries component in NSS. (CVE-2026-6766)

Other issue in the Libraries component in NSS. (CVE-2026-6767)

Privilege escalation in the Debugger component. (CVE-2026-6769)

Other issue in the Storage: IndexedDB component. (CVE-2026-6770)

Mitigation bypass in the DOM: Security component. (CVE-2026-6771)

Incorrect boundary conditions in the Libraries component in NSS. (CVE-2026-6772)

Incorrect boundary conditions in the WebRTC: Networking component. (CVE-2026-6776)

Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150. (CVE-2026-6785)

Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150. (CVE-2026-6786)

Information disclosure due to incorrect boundary conditions in the Audio/Video component. (CVE-2026-7320)

Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. (CVE-2026-7321)

Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. (CVE-2026-7322)

Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1. (CVE-2026-7323)

References:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_123.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_123_1.html
https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-32/
https://www.firefox.com/en-US/firefox/140.10.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-36/
========================

Updated packages in core/updates_testing:
========================
firefox-140.10.1-1.mga9
firefox-af-140.10.1-1.mga9.noarch.rpm
firefox-an-140.10.1-1.mga9.noarch.rpm
firefox-ar-140.10.1-1.mga9.noarch.rpm
firefox-ast-140.10.1-1.mga9.noarch.rpm
firefox-az-140.10.1-1.mga9.noarch.rpm
firefox-be-140.10.1-1.mga9.noarch.rpm
firefox-bg-140.10.1-1.mga9.noarch.rpm
firefox-bn-140.10.1-1.mga9.noarch.rpm
firefox-br-140.10.1-1.mga9.noarch.rpm
firefox-bs-140.10.1-1.mga9.noarch.rpm
firefox-ca-140.10.1-1.mga9.noarch.rpm
firefox-cs-140.10.1-1.mga9.noarch.rpm
firefox-cy-140.10.1-1.mga9.noarch.rpm
firefox-da-140.10.1-1.mga9.noarch.rpm
firefox-de-140.10.1-1.mga9.noarch.rpm
firefox-el-140.10.1-1.mga9.noarch.rpm
firefox-en_CA-140.10.1-1.mga9.noarch.rpm
firefox-en_GB-140.10.1-1.mga9.noarch.rpm
firefox-en_US-140.10.1-1.mga9.noarch.rpm
firefox-eo-140.10.1-1.mga9.noarch.rpm
firefox-es_AR-140.10.1-1.mga9.noarch.rpm
firefox-es_CL-140.10.1-1.mga9.noarch.rpm
firefox-es_ES-140.10.1-1.mga9.noarch.rpm
firefox-es_MX-140.10.1-1.mga9.noarch.rpm
firefox-et-140.10.1-1.mga9.noarch.rpm
firefox-eu-140.10.1-1.mga9.noarch.rpm
firefox-fa-140.10.1-1.mga9.noarch.rpm
firefox-ff-140.10.1-1.mga9.noarch.rpm
firefox-fi-140.10.1-1.mga9.noarch.rpm
firefox-fr-140.10.1-1.mga9.noarch.rpm
firefox-fur-140.10.1-1.mga9.noarch.rpm
firefox-fy_NL-140.10.1-1.mga9.noarch.rpm
firefox-ga_IE-140.10.1-1.mga9.noarch.rpm
firefox-gd-140.10.1-1.mga9.noarch.rpm
firefox-gl-140.10.1-1.mga9.noarch.rpm
firefox-gu_IN-140.10.1-1.mga9.noarch.rpm
firefox-he-140.10.1-1.mga9.noarch.rpm
firefox-hi_IN-140.10.1-1.mga9.noarch.rpm
firefox-hr-140.10.1-1.mga9.noarch.rpm
firefox-hsb-140.10.1-1.mga9.noarch.rpm
firefox-hu-140.10.1-1.mga9.noarch.rpm
firefox-hy_AM-140.10.1-1.mga9.noarch.rpm
firefox-ia-140.10.1-1.mga9.noarch.rpm
firefox-id-140.10.1-1.mga9.noarch.rpm
firefox-is-140.10.1-1.mga9.noarch.rpm
firefox-it-140.10.1-1.mga9.noarch.rpm
firefox-ja-140.10.1-1.mga9.noarch.rpm
firefox-ka-140.10.1-1.mga9.noarch.rpm
firefox-kab-140.10.1-1.mga9.noarch.rpm
firefox-kk-140.10.1-1.mga9.noarch.rpm
firefox-km-140.10.1-1.mga9.noarch.rpm
firefox-kn-140.10.1-1.mga9.noarch.rpm
firefox-ko-140.10.1-1.mga9.noarch.rpm
firefox-lij-140.10.1-1.mga9.noarch.rpm
firefox-lt-140.10.1-1.mga9.noarch.rpm
firefox-lv-140.10.1-1.mga9.noarch.rpm
firefox-mk-140.10.1-1.mga9.noarch.rpm
firefox-mr-140.10.1-1.mga9.noarch.rpm
firefox-ms-140.10.1-1.mga9.noarch.rpm
firefox-my-140.10.1-1.mga9.noarch.rpm
firefox-nb_NO-140.10.1-1.mga9.noarch.rpm
firefox-nl-140.10.1-1.mga9.noarch.rpm
firefox-nn_NO-140.10.1-1.mga9.noarch.rpm
firefox-oc-140.10.1-1.mga9.noarch.rpm
firefox-pa_IN-140.10.1-1.mga9.noarch.rpm
firefox-pl-140.10.1-1.mga9.noarch.rpm
firefox-pt_BR-140.10.1-1.mga9.noarch.rpm
firefox-pt_PT-140.10.1-1.mga9.noarch.rpm
firefox-ro-140.10.1-1.mga9.noarch.rpm
firefox-ru-140.10.1-1.mga9.noarch.rpm
firefox-sat-140.10.1-1.mga9.noarch.rpm
firefox-sc-140.10.1-1.mga9.noarch.rpm
firefox-si-140.10.1-1.mga9.noarch.rpm
firefox-sk-140.10.1-1.mga9.noarch.rpm
firefox-sl-140.10.1-1.mga9.noarch.rpm
firefox-sq-140.10.1-1.mga9.noarch.rpm
firefox-sr-140.10.1-1.mga9.noarch.rpm
firefox-sv_SE-140.10.1-1.mga9.noarch.rpm
firefox-szl-140.10.1-1.mga9.noarch.rpm
firefox-ta-140.10.1-1.mga9.noarch.rpm
firefox-te-140.10.1-1.mga9.noarch.rpm
firefox-tg-140.10.1-1.mga9.noarch.rpm
firefox-th-140.10.1-1.mga9.noarch.rpm
firefox-tl-140.10.1-1.mga9.noarch.rpm
firefox-tr-140.10.1-1.mga9.noarch.rpm
firefox-uk-140.10.1-1.mga9.noarch.rpm
firefox-ur-140.10.1-1.mga9.noarch.rpm
firefox-uz-140.10.1-1.mga9.noarch.rpm
firefox-vi-140.10.1-1.mga9.noarch.rpm
firefox-xh-140.10.1-1.mga9.noarch.rpm
firefox-zh_CN-140.10.1-1.mga9.noarch.rpm
firefox-zh_TW-140.10.1-1.mga9.noarch.rpm

lib(64)nss-devel-3.123.1-1.mga9
lib(64)nss-static-devel-3.123.1-1.mga9
lib(64)nss3-3.123.1-1.mga9
nss-3.123.1-1.mga9
nss-doc-3.123.1-1.mga9.noarch.rpm

rootcerts-20260412.00-1.mga9.noarch.rpm
rootcerts-java-20260412.00-1.mga9.noarch.rpm

from SRPMS:
firefox-140.10.1-1.mga9
firefox-l10n-140.10.1-1.mga9
rootcerts-20260412.00-1.mga9
nss-3.123.1-1.mga9

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

Comment 11 Herman Viaene 2026-05-04 11:31:59 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Tested by opening and commenting on this bug, reading some Google News items and listening to a concerto on YouTube with video, all OK.

CC: (none) => herman.viaene

Comment 12 Morgan Leijström 2026-05-04 12:06:21 CEST
x86_64 OK here in normal use for a few days on several machines
Plasma, nouveau / intel / radeon

Swedish localisation
Open tabs kept
Various banking sites, video sites
Downloading files, opening a local PDF file and printing it

Comment 13 Thomas Andrews 2026-05-06 00:03:08 CEST
No installation issues. Watched a YouTube video about the 10 deadliest tractors of all time, and was relieved that none of ours was on the list. Tried some other sites with no issues except for our madb, which I'm told is "unavailable."

Looks OK here.

CC: (none) => andrewsfarm

katnatek 2026-05-07 04:03:25 CEST

Keywords: (none) => advisory

Comment 14 Thomas Andrews 2026-05-09 17:04:58 CEST
No issues have come up, giving this an OK and validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-32-OK MGA9-64-OK

Comment 15 Mageia Robot 2026-05-09 18:25:31 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0124.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

