The JNLPClassLoader implementation incorrectly assigns ALL_PERMISSIONS to untrusted code in multiple-signer scenarios. An attacker could misuse this to elevate privileges.
Fixed in IcedTea6 1.7.10, IcedTea6 1.8.7 and IcedTea6 1.9.7: http://blog.fuseyism.com/index.php/2011/02/15/security-icedtea6-1710-187-and-197-released/
Statement: This issue did not affect the versions of the java-1.6.0-openjdk package as shipped with Red Hat Enterprise Linux 5 and 6.
I'm not sure why this bug is still open, but the product is separate from the java-1.x.0-openjdk packages these days and is called "IcedTea-Web".