icedtea-web is vulnerable to arbitrary code execution. The vulnerability is a flaw in the JNLP (Java Network Launching Protocol) implementation in IcedTea-Web. An unsigned Java Web Start application could use this flaw to manipulate the content of a Security Warning dialog box and trick a user into granting the application unintended access permissions to local files.
icedtea.classpath.org/hg/release/icedtea-web-1.0/rev/b99f9a9769e0
icedtea.classpath.org/hg/release/icedtea-web-1.1/rev/512de5d90388
mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015170.html
mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html
rhn.redhat.com/errata/RHSA-2011-1100.html
securitytracker.com/id?1025854
ubuntu.com/usn/usn-1178-1
access.redhat.com/errata/RHSA-2011:1100
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=718170