These packages provide the OpenJDK 6 Java Runtime Environment and theOpenJDK 6 Software Development Kit.Multiple flaws were discovered in the CORBA (Common Object Request BrokerArchitecture) implementation in Java. A malicious Java application orapplet could use these flaws to bypass Java sandbox restrictions or modifyimmutable object data. (CVE-2012-1711, CVE-2012-1719)It was discovered that the SynthLookAndFeel class from Swing did notproperly prevent access to certain UI elements from outside the currentapplication context. A malicious Java application or applet could use thisflaw to crash the Java Virtual Machine, or bypass Java sandboxrestrictions. (CVE-2012-1716)Multiple flaws were discovered in the font manager's layout lookupimplementation. A specially-crafted font file could cause the Java VirtualMachine to crash or, possibly, execute arbitrary code with the privilegesof the user running the virtual machine. (CVE-2012-1713)Multiple flaws were found in the way the Java HotSpot Virtual Machineverified the bytecode of the class file to be executed. A specially-craftedJava application or applet could use these flaws to crash the Java VirtualMachine, or bypass Java sandbox restrictions. (CVE-2012-1723,CVE-2012-1725)It was discovered that the Java XML parser did not properly handle certainXML documents. An attacker able to make a Java application parse aspecially-crafted XML file could use this flaw to make the XML parser enteran infinite loop. (CVE-2012-1724)It was discovered that the Java security classes did not properly handleCertificate Revocation Lists (CRL). CRL containing entries with duplicatecertificate serial numbers could have been ignored. (CVE-2012-1718)It was discovered that various classes of the Java Runtime library couldcreate temporary files with insecure permissions. A local attacker coulduse this flaw to gain access to the content of such temporary files.(CVE-2012-1717)Note: If the web browser plug-in provided by the icedtea-web package wasinstalled, the issues exposed via Java applets could have been exploitedwithout user interaction if a user visited a malicious website.This erratum also upgrades the OpenJDK package to IcedTea6 1.11.3. Refer tothe NEWS file, linked to in the References, for further information.All users of java-1.6.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.