It was discovered that the AlgorithmChecker and SignatureAndHashAlgorithm classes did not properly prevent the SIGNATURE_PRIMITIVE_SET set from being modified. An untrusted Java application or applet could possibly use this flaw to alter the content of the SIGNATURE_PRIMITIVE_SET set.
Fixed now in Oracle Java SE 7u55 and 8u5 via Oracle Critical Patch Update Advisory - April 2014. Fixed in IcedTea7 2.4.7: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027222.html External References: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2014:0407 https://rhn.redhat.com/errata/RHSA-2014-0407.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0406 https://rhn.redhat.com/errata/RHSA-2014-0406.html
This issue has been addressed in following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html
OpenJDK upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/e1d0f947faa0
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html
This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0675 https://rhn.redhat.com/errata/RHSA-2014-0675.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html