Please see Section 7.5 of this paper:
This has been assigned CVE-2012-5783. I'm not sure if we can backport more
correct certificate validation to 3.x, but independent of that it might
make sense to introduce the 4.x codebase to the archive?
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.