icedtea-web is vulnerable to information disclosure. The flaw is in the JNLP implementation in IcedTea-Web. An unsigned Java Web Start application or Java applet could use this flaw to determine the path to the cache directory used to store downloaded Java class and archive files, and therefore determine the user’s login name.
icedtea.classpath.org/hg/release/icedtea-web-1.0/rev/b29fdd0f4d04
icedtea.classpath.org/hg/release/icedtea-web-1.1/rev/c7ce6c0e6227
mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015170.html
mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html
rhn.redhat.com/errata/RHSA-2011-1100.html
securitytracker.com/id?1025854
ubuntu.com/usn/usn-1178-1
access.redhat.com/errata/RHSA-2011:1100
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=718164