These packages provide the OpenJDK 6 Java Runtime Environment and theOpenJDK 6 Software Development Kit. The javaws command can be used tolaunch Java Web Start applications.A public static field declaration allowed untrusted JNLP (Java NetworkLaunching Protocol) applications to read privileged data. A remote attackercould directly or indirectly read the values of restricted systemproperties, such as "user.name", "user.home", and "java.home", whichuntrusted applications should not be allowed to read. (CVE-2010-3860)It was found that JNLPSecurityManager could silently return withoutthrowing an exception when permission was denied. If the javaws command wasused to launch a Java Web Start application that relies on this exceptionbeing thrown, it could result in that application being run with elevatedprivileges, allowing it to bypass security manager restrictions and gainaccess to privileged functionality. (CVE-2010-4351)Note: The RHSA-2010:0339 java-1.6.0-openjdk update installed javaws bymistake. As part of the fixes for CVE-2010-3860 and CVE-2010-4351, thisupdate removes javaws.Red Hat would like to thank the TippingPoint Zero Day Initiative projectfor reporting CVE-2010-4351. The original issue reporter wishes to stayanonymous.This erratum also upgrades the OpenJDK package to IcedTea6 1.7.7. Refer tothe NEWS file, linked to in the References, for further information.All users of java-1.6.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.