It was discovered that the HTTPUrlConnection classes in OpenJDK did not properly handle newlines. An attacker could use this to convince a Java application or applet to inject headers into http requests.