The security tracker still shows openjdk-6 as "needs to be checked", e.g.: http://security-tracker.debian.org/tracker/CVE-2011-0872 OTOH, Ubuntu has issued a Security Notice for openjdk-6 on June 17: http://www.ubuntu.com/usn/usn-1154-1/ So I should assume the Debian stable package to be vulnerable? Cheers Harry