According to this announcement:
The problem is that passwords may in certain cases be logged to /var/log/messages while running GNOME Display Manager in debug mode (disabled by default).
This was originally reported on 02-15-2009 here:
A patch was issued the same day. A supported patch was issued 05-14-2010.
The Secunia advisory did not have many details.
The Sun blog link provided did not have very much information.
The CVE is reserved and not available yet.
The rest of the information is apparently in the Customer Area.
Does this mean we can count on a no-public-disclosure policy for Sun products now that Oracle owns them?
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.