http://www.securityfocus.com/bid/7109 says Sun's JRE and Java SDKs versions less than 1.4.1_02 are vulnerable as well as IBM's JDK.
The BID seems to indicate the vulnerability is in java.util.zip I'm not sure which versions of Java JRE's and SDKs are in Debian, but it seems to me that in Contrib there's an IBM JDK installer that might install an affected version. Can someone check into these? Don't contact [EMAIL PROTECTED] until you are confident that stable or oldstable is affected. Drew Daniels