The command array passed to the ProcessBuilder was accessible to an application after parameter checking was performed. This allowed the application to misuse a TOCTOU condition for the command array members. This is a defense in depth fix.
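The check-then-use pattern described above, shown as an added example (this is not the OpenJDK patch and not code from this bug report): a hypothetical launcher validates a command array and then either keeps the caller's reference or takes a private copy first. The class names, the allowlist and the paths are constructed for illustration, and no process is started.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration with hypothetical names; it is not ProcessBuilder's implementation.
public class CommandArrayToctou {
    // Constructed allowlist standing in for whatever parameter check is applied.
    static final List<String> ALLOWED = Arrays.asList("/bin/ls", "/bin/date");

    // Weak pattern: the array is checked, but the caller's reference is kept,
    // so the caller can still change its members after the check.
    static final class Unsafe {
        private final String[] cmd;
        Unsafe(String[] cmd) { check(cmd); this.cmd = cmd; }
        String[] wouldRun() { return cmd; }
    }

    // Hardened pattern: snapshot first, then check and use only the private copy.
    static final class Safe {
        private final String[] cmd;
        Safe(String[] cmd) {
            String[] copy = cmd.clone();   // time of check and time of use see the same data
            check(copy);
            this.cmd = copy;
        }
        String[] wouldRun() { return cmd.clone(); } // never hand out the internal array
    }

    static void check(String[] cmd) {
        if (cmd.length == 0 || !ALLOWED.contains(cmd[0]))
            throw new SecurityException("program not allowed");
        for (String arg : cmd)
            if (arg == null || arg.indexOf('\0') >= 0)
                throw new IllegalArgumentException("bad argument");
    }

    public static void main(String[] args) {
        String[] a = {"/bin/ls", "-l"};
        Unsafe u = new Unsafe(a);
        a[0] = "/tmp/unchecked";           // member changed after the check passed
        System.out.println("unsafe would run: " + Arrays.toString(u.wouldRun()));

        String[] b = {"/bin/ls", "-l"};
        Safe s = new Safe(b);
        b[0] = "/tmp/unchecked";           // has no effect on the private copy
        System.out.println("safe would run:   " + Arrays.toString(s.wouldRun()));
    }
}
```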
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 via RHSA-2010:0339 https://rhn.redhat.com/errata/RHSA-2010-0339.html
Upstream does not consider this fix to be a security fix but rather a preventive hardening patch. Therefore, no CVE is planned to be assigned to this issue.
java-1.6.0-openjdk-1.6.0.0-34.b17.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-34.b17.fc11
java-1.6.0-openjdk-1.6.0.0-37.b17.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-37.b17.fc12
java-1.6.0-openjdk-1.6.0.0-36.b17.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-36.b17.fc13
java-1.6.0-openjdk-1.6.0.0-37.b17.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-1.6.0.0-34.b17.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-1.6.0.0-37.b17.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-37.b17.fc13
java-1.6.0-openjdk-1.6.0.0-37.b17.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.