PublicDateAtUSN: 2016-12-13
Candidate: CVE-2016-9900
PublicDate: 2018-06-11 21:29:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9900
 https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
 https://ubuntu.com/security/notices/USN-3155-1
 https://ubuntu.com/security/notices/USN-3165-1
Description:
 External resources that should be blocked when loaded by SVG images can
 bypass security restrictions through the use of "data:" URLs. This could
 allow for cross-domain data leakage. This vulnerability affects Firefox <
 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6.
Ubuntu-Description: 
Notes: 
Bugs: 
Priority: medium
Discovered-by:
Assigned-to: chrisccoulson
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_firefox: 
upstream_firefox: released (released 50.1.0)
precise_firefox: released (50.1.0+build2-0ubuntu0.12.04.1)
trusty_firefox: released (50.1.0+build2-0ubuntu0.14.04.1)
trusty/esm_firefox: DNE (trusty was released [50.1.0+build2-0ubuntu0.14.04.1])
vivid/ubuntu-core_firefox: DNE
vivid/stable-phone-overlay_firefox: DNE
xenial_firefox: released (50.1.0+build2-0ubuntu0.16.04.1)
esm-infra/xenial_firefox: released (50.1.0+build2-0ubuntu0.16.04.1)
yakkety_firefox: released (50.1.0+build2-0ubuntu0.16.10.1)
devel_firefox: released (50.1.0+build2-0ubuntu1)

Patches_thunderbird:
Priority_thunderbird: low
upstream_thunderbird: needs-triage
precise_thunderbird: released (1:45.7.0+build1-0ubuntu0.12.04.1)
trusty_thunderbird: released (1:45.7.0+build1-0ubuntu0.14.04.1)
trusty/esm_thunderbird: DNE (trusty was released [1:45.7.0+build1-0ubuntu0.14.04.1])
vivid/ubuntu-core_thunderbird: DNE
vivid/stable-phone-overlay_thunderbird: DNE
xenial_thunderbird: released (1:45.7.0+build1-0ubuntu0.16.04.1)
esm-infra/xenial_thunderbird: released (1:45.7.0+build1-0ubuntu0.16.04.1)
yakkety_thunderbird: released (1:45.7.0+build1-0ubuntu0.16.10.1)
devel_thunderbird: released (1:45.7.0+build1-0ubuntu1)