These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.

Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data. (CVE-2012-1711, CVE-2012-1719)

It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions. (CVE-2012-1716)

Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine. (CVE-2012-1713)

Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)

It was discovered that java.lang.invoke.MethodHandles.Lookup did not properly honor access modes. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-1726)

It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop. (CVE-2012-1724)

It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored. (CVE-2012-1718)

It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files. (CVE-2012-1717)

This update also fixes the following bug:

error: the frame size of 272 bytes is larger than 256 bytes

This update corrects the jstack tapset and resolves this issue. (BZ#833035)

This erratum also upgrades the OpenJDK package to IcedTea7 2.2.1. Refer to the NEWS file, linked to in the References, for further information.

All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
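
Because every running OpenJDK instance must be restarted, a useful post-update check is to list processes that still map a libjvm.so that has since been replaced on disk; Linux marks such mappings "(deleted)" in /proc/PID/maps. The following is an added example, not part of the advisory: the function names, the sample /proc tree and the library path in it are constructed for illustration.

```shell
#!/bin/sh
# stale_jvm_pids [PROC_ROOT]
# Prints "PID COMMAND" for each process whose maps file shows a libjvm.so
# mapping flagged "(deleted)", i.e. a JVM started before the library was
# replaced by the update. PROC_ROOT defaults to /proc; reading the maps of
# other users' processes requires root.
stale_jvm_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # process exited or not readable
        # Anchor on the pathname column: ".../libjvm.so (deleted)"
        if grep -Eq '/libjvm\.so \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}; pid=${pid##*/}
            comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done | sort -n
}

# demo_tree: builds a constructed /proc-like tree (sample data, not real
# output) and prints its path.
#   845  - JVM started before the update (library replaced on disk)
#   1200 - JVM started after the update
#   1301 - non-Java process with an unrelated deleted library
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/845" "$d/1200" "$d/1301"
    echo java > "$d/845/comm"; echo java > "$d/1200/comm"; echo httpd > "$d/1301/comm"
    echo '7f3a1c000000-7f3a1cc00000 r-xp 00000000 fd:01 131 /usr/lib/jvm/EXAMPLE/lib/server/libjvm.so (deleted)' > "$d/845/maps"
    echo '7f9b40000000-7f9b40c00000 r-xp 00000000 fd:01 977 /usr/lib/jvm/EXAMPLE/lib/server/libjvm.so' > "$d/1200/maps"
    echo '7f11a0000000-7f11a0020000 r-xp 00000000 fd:01 412 /usr/lib64/libexample.so (deleted)' > "$d/1301/maps"
    echo "$d"
}

# Run over the constructed tree; on a real host call: stale_jvm_pids /proc
root=$(demo_tree)
stale_jvm_pids "$root"
rm -rf "$root"
```

An empty result from `stale_jvm_pids /proc` after the upgrade means no readable process is still running the old JVM library.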