No, it doesn't affect ZSH.
You still MUST update bash as most of the system scripts are written for bash and vulnerable to the shellshock bug.
To test your ZSH do this:
env x='() { :;}; echo vulnerable' zsh -c 'echo hello'
What exactly does this code do?
env x='() { :;}; echo vulnerable'
creates an environment variable with known bug using command in the end of variablezsh -c 'echo hello'
launches ZSH shell with simple hello (and evaluating all env variables including x)
If you see output:
vulnerable hello
Then your ZSH is vulnerable. Mine (5.0.2) is not:
$ env x='() { :;}; echo vulnerable' zsh -c 'echo hello' hello