Java is vulnerable to information disclosure. An information leak was found in the way the TimeZone.getTimeZone method was handled: the method could load time zone files from outside the [JRE_HOME]/lib/zi/ directory, allowing a remote attacker to probe the local file system.
blogs.sun.com/security/entry/advance_notification_of_security_updates6
java.sun.com/j2se/1.5.0/ReleaseNotes.html
java.sun.com/javase/6/webnotes/6u17.html
lists.apple.com/archives/security-announce/2009/Dec/msg00000.html
lists.apple.com/archives/security-announce/2009/Dec/msg00001.html
secunia.com/advisories/37386
secunia.com/advisories/37581
security.gentoo.org/glsa/glsa-200911-02.xml
support.apple.com/kb/HT3969
support.apple.com/kb/HT3970
www.mandriva.com/security/advisories?name=MDVSA-2010:084
www.redhat.com/security/updates/classification/#important
access.redhat.com/errata/RHSA-2009:1584
bugzilla.redhat.com/show_bug.cgi?id=530300
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11686
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6960