The WebStart (javaws) that ships with IcedTea in Fedora has a flaw
in its security model, which allows it to run unsigned code as signed under
What happens is that the current NetX code assumes that the entire
application is trusted if any of the listed jars are. This means that if
someone puts a signed jar whose cert has already been permanently
accepted, NetX will run the untrusted code as trusted, too.
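
The trust decision described in the report above, modelled as an added example; it is not part of the original report and is not NetX source code. The class, method and jar names and the signer string are hypothetical, and the per-jar check is one stricter alternative, not necessarily the fix that shipped.

```java
import java.util.*;

// Model of the application-wide trust decision described in the report.
// All names are hypothetical; this is not NetX source code.
public class JnlpTrustModel {
    // A jar listed by the application; signer is null when the jar is unsigned.
    static final class Jar {
        final String name; final String signer;
        Jar(String name, String signer) { this.name = name; this.signer = signer; }
        boolean trustedBy(Set<String> accepted) { return signer != null && accepted.contains(signer); }
    }

    // Flawed model: one trusted jar makes every jar in the application trusted.
    static Map<String, Boolean> flawed(List<Jar> jars, Set<String> accepted) {
        boolean anyTrusted = false;
        for (Jar j : jars) anyTrusted |= j.trustedBy(accepted);
        Map<String, Boolean> full = new LinkedHashMap<>();
        for (Jar j : jars) full.put(j.name, anyTrusted);
        return full;
    }

    // Stricter model (assumption): a jar is trusted only on the strength of its own signer.
    static Map<String, Boolean> perJar(List<Jar> jars, Set<String> accepted) {
        Map<String, Boolean> full = new LinkedHashMap<>();
        for (Jar j : jars) full.put(j.name, j.trustedBy(accepted));
        return full;
    }

    public static void main(String[] args) {
        // Constructed sample: a certificate the user accepted permanently earlier,
        // one jar signed with it, and one unsigned jar in the same application.
        Set<String> accepted = new HashSet<>(Arrays.asList("CN=Example Signer (constructed)"));
        List<Jar> jars = Arrays.asList(
            new Jar("signed-lib.jar", "CN=Example Signer (constructed)"),
            new Jar("unsigned-app.jar", null));
        // Each map records, per jar, whether it would run as trusted code.
        System.out.println("flawed:  " + flawed(jars, accepted));
        System.out.println("per-jar: " + perJar(jars, accepted));
    }
}
```
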
java-1.6.0-openjdk-126.96.36.199-27.b16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-188.8.131.52-20.b16.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.