Is a Debian security update expected to come out for it?Yes. Nginx team has already submitted updated package to security team.
Thanks for the information! I've actually found the bug stating this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730012
And what's the Debian process for such updates? Is it described somewhere? I.e. what are the next steps that are done with such updates?