The WebStart (javaws) that ships with IcedTea in Fedora has a flaw in its security model, which allows it to run unsigned code as signed in some cases. What happens is that the current NetX code assumes that the entire application is trusted if any of the listed jars are. This means that if someone puts a signed jar whose cert has already been permanently accepted, NetX will run the untrusted code as trusted, too.
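The trust decision described in the report above, as an added example that is not NetX source and not part of the original report: a simplified Java model that compares the application-wide decision with a per-jar one. The `Jar` class, the method names, the jar names and the signer name are all constructed for illustration, and the per-jar policy is one possible correction, not necessarily the one shipped in the updated packages.

```java
import java.util.*;

// Simplified model of the trust decision; hypothetical names, not NetX code.
public class JarTrustModel {
    // Stand-in for one jar listed by the application; signer is null when unsigned.
    static final class Jar {
        final String name;
        final String signer;
        Jar(String name, String signer) { this.name = name; this.signer = signer; }
    }

    static boolean signerAccepted(Jar jar, Set<String> acceptedSigners) {
        return jar.signer != null && acceptedSigners.contains(jar.signer);
    }

    // Behaviour described in the report: one trusted jar makes every jar trusted.
    static Map<String, Boolean> applicationWide(List<Jar> jars, Set<String> acceptedSigners) {
        boolean anyTrusted = false;
        for (Jar jar : jars) {
            anyTrusted |= signerAccepted(jar, acceptedSigners);
        }
        Map<String, Boolean> trusted = new LinkedHashMap<>();
        for (Jar jar : jars) {
            trusted.put(jar.name, anyTrusted);
        }
        return trusted;
    }

    // Per-jar decision: code is trusted only when its own signer was accepted.
    static Map<String, Boolean> perJar(List<Jar> jars, Set<String> acceptedSigners) {
        Map<String, Boolean> trusted = new LinkedHashMap<>();
        for (Jar jar : jars) {
            trusted.put(jar.name, signerAccepted(jar, acceptedSigners));
        }
        return trusted;
    }

    public static void main(String[] args) {
        // Constructed sample: one jar from an already accepted signer, one unsigned jar.
        Set<String> accepted = new HashSet<>(Arrays.asList("CN=Example Vendor"));
        List<Jar> jars = Arrays.asList(
            new Jar("vendor-lib.jar", "CN=Example Vendor"),
            new Jar("unsigned-app.jar", null));
        System.out.println("application-wide: " + applicationWide(jars, accepted));
        System.out.println("per-jar:          " + perJar(jars, accepted));
    }
}
```

In the application-wide result the unsigned jar inherits the trust of the signed one, which is the condition the report describes; in the per-jar result it stays untrusted.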
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.