According to this announcement:
http://secunia.com/advisories/40780/
"The problem is that passwords may in certain cases be logged to "/var/log/messages" while running GNOME Display Manager in debug mode (disabled by default)"

This was originally reported on 02-15-2009 here:
https://bugzilla.gnome.org/show_bug.cgi?id=571846
A patch was issued the same day. A "supported" patch was issued 05-14-2010.

The secunia advisory did not have many details.
The sunblog link provided did not have very much information.
http://blogs.sun.com/security/entry/cve_2010_2387_password_disclosure

The CVE is reserved and not available yet.
The rest of the information is apparently "in the Customer Are"”.

Does this mean we can count on a "no public disclosure policy" for SUN products now that Oracle owns them?