MDVSA-2011:170 -- Mandriva java-1.6.0-openjdk

ID: oval:org.secpod.oval:def:301074
Date: (C)2012-01-07   (M)2022-12-07
Class: PATCH
Family: unix




Security issues were identified and fixed in openjdk and icedtea-web:

IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.
IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
IcedTea6 prior to 1.10.4 allows remote attackers to affect integrity via unknown vectors related to Networking.
IcedTea6 prior to 1.10.4 allows remote authenticated users to affect confidentiality, related to JAXWS.
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.

A flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen-plaintext attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection.

Note: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag -Djsse.enableCBCProtection=false to the java command.

IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.
IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE.

Deepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea project Web browser plugin. A malicious applet could use this flaw to bypass SOP protection and open connections to any sub-domain of the second-level domain of the applet's origin, as well as any sub-domain of the domain that is the suffix of the origin second-level domain. For example, the IcedTea-Web plugin allowed an applet from some.host.example.com to connect to other.host.example.com, www.example.com, and example.com, as well as www.ample.com or ample.com.

Platform:
Mandriva Linux 2010.1
Product:
java-1.6.0-openjdk
Reference:
MDVSA-2011:170
CVE-2011-3377
CVE-2011-3560
CVE-2011-3557
CVE-2011-3556
CVE-2011-3558
CVE-2011-3389
CVE-2011-3554
CVE-2011-3521
CVE-2011-3544
CVE-2011-3553
CVE-2011-3552
CVE-2011-3551
CVE-2011-3548
CVE-2011-3547
CPE    1
cpe:/o:mandriva:linux:2010.1

© SecPod Technologies