Sun describes a 1.6.0-only (1.4, 1.5 not affected) XML processing vulnerability (insecure default) at http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1. This bug may cause effects similar to CVE-2007-5461.

Vendor Description:

The Java Runtime Environment (JRE) by default allows external entity references to be processed. To turn off processing of external entity references, sites can set the "external general entities" property to FALSE. This property is provided since it may be possible to leverage the processing of external entity references to access certain URL resources (such as some files and web pages) or create a Denial of Service (DoS) condition on the system running the JRE. A defect in the JRE allows external entity references to be processed even when the "external general entities" property is set to FALSE. For this vulnerability to be exploited, a trusted application needs to process XML data that contains malicious content. This vulnerability cannot be exploited through an untrusted applet or untrusted Java Web Start application.
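The vendor description above names the mitigation (the SAX "external general entities" feature set to false) and the defect (the JRE honouring that setting only on paper). The following is an added example, not code from Sun, IcedTea or the bug report: a small self-check that builds an XML document whose external general entity points at a constructed local file, parses it once with the default JAXP factory and once with the feature disabled, and reports whether the entity was still expanded. The class and method names (ExternalEntityCheck, parseRootText) are hypothetical; the feature URIs are the standard SAX ones, and the Xerces disallow-doctype-decl feature used in the last step is the one bundled with the JDK's own parser.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Hypothetical probe (not part of the original report) for the "external general entities" setting. */
public class ExternalEntityCheck {

    static final String EXT_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String NO_DOCTYPE    = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Parse xml with the given factory and return the text content of the root element. */
    static String parseRootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "sensitive" file standing in for /etc/passwd or a config file.
        File secret = File.createTempFile("xxe-probe", ".txt");
        secret.deleteOnExit();
        FileWriter w = new FileWriter(secret);
        w.write("SECRET-MARKER");
        w.close();

        // Constructed document: an external general entity whose SYSTEM id is the file above.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE probe [\n"
            + "  <!ENTITY ext SYSTEM \"" + secret.toURI() + "\">\n"
            + "]>\n"
            + "<probe>&ext;</probe>";

        // 1. Default factory: the JRE processes external entities, so the file is read.
        DocumentBuilderFactory lax = DocumentBuilderFactory.newInstance();
        System.out.println("default   : " + parseRootText(lax, xml));

        // 2. Hardened factory: the property the advisory tells sites to set to FALSE.
        DocumentBuilderFactory strict = DocumentBuilderFactory.newInstance();
        strict.setFeature(EXT_GENERAL, false);
        strict.setFeature(EXT_PARAMETER, false);
        String got = parseRootText(strict, xml);
        System.out.println("hardened  : '" + got + "'");
        if (got.contains("SECRET-MARKER")) {
            // This is the defect the advisory describes: the setting is ignored.
            System.out.println("VULNERABLE: entity expanded although " + EXT_GENERAL + " is false");
        } else {
            System.out.println("OK: external entity was not expanded");
        }

        // 3. Belt and braces: if the application never needs a DTD, reject the DOCTYPE outright.
        //    This does not depend on the entity features being honoured.
        DocumentBuilderFactory noDtd = DocumentBuilderFactory.newInstance();
        noDtd.setFeature(NO_DOCTYPE, true);
        try {
            parseRootText(noDtd, xml);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("OK: DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Run it on the JRE you actually ship with; step 2 printing SECRET-MARKER is the affected behaviour, an empty string the fixed one. Step 3 is the practitioner's fallback when the document format has no legitimate use for a DTD, since it closes the hole regardless of whether the entity features are respected.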
bugs.sun.com isn't showing me the cited bug report. I've asked my Sun contact how to map vulnerability fixes to OpenJDK commits.
This bug does not affect IcedTea. The OpenJDK release incorporated by the current IcedTea releases contains the fix. In general, Sun plans to implement a security update scheme whereby fixes are applied and reported at the same time across all their JDK products including OpenJDK. When this plan is implemented it will be easier to map security fixes to OpenJDK releases. In the meantime, I'll ask my Sun contact about each one.
See also: http://scary.beasts.org/security/CESA-2007-002.html
The list of fixed products with their respective errata is here: https://access.redhat.com/security/cve/CVE-2008-0628