Synopsis:	Moderate: java-1.6.0-openjdk security update
Issue date:	2011-01-25
CVE Names:	CVE-2010-3860 CVE-2010-4351

A public static field declaration allowed untrusted JNLP (Java Network
Launching Protocol) applications to read privileged data. A remote 
attacker could directly or indirectly read the values of restricted 
system properties, such as "user.name", "user.home", and "java.home", 
which untrusted applications should not be allowed to read. (CVE-2010-3860)

It was found that JNLPSecurityManager could silently return without
throwing an exception when permission was denied. If the javaws command 
was used to launch a Java Web Start application that relies on this 
exception being thrown, it could result in that application being run 
with elevated privileges, allowing it to bypass security manager 
restrictions and gain access to privileged functionality. (CVE-2010-4351)

Note: The previous java-1.6.0-openjdk update installed javaws by
mistake. As part of the fixes for CVE-2010-3860 and CVE-2010-4351, this
update removes javaws.


This erratum also upgrades the OpenJDK package to IcedTea6 1.7.7. Refer 
to the NEWS file, linked to in the References, for further information.

All running instances of OpenJDK Java must be restarted for the update 
to take effect.

SL 5.x

     SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm
     i386:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm
     x86_64:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson