The IcedTea-Web project provides a Java web browser plug-in and animplementation of Java Web Start, which is based on the Netx project. Italso contains a configuration tool for managing deployment settings for theplug-in and Web Start implementations.A flaw was discovered in the JNLP (Java Network Launching Protocol)implementation in IcedTea-Web. An unsigned Java Web Start applicationcould use this flaw to manipulate the content of a Security Warningdialog box, to trick a user into granting the application unintended accesspermissions to local files. (CVE-2011-2514)An information disclosure flaw was discovered in the JNLP implementation inIcedTea-Web. An unsigned Java Web Start application or Java applet coulduse this flaw to determine the path to the cache directory used to storedownloaded Java class and archive files, and therefore determine the user'slogin name. (CVE-2011-2513)All icedtea-web users should upgrade to these updated packages, whichcontain backported patches to correct these issues.