Hi Lynoure, all
Lynoure, thank you for your help. I have got the answers I need. Much appreciated!
Moritz, Lyonoure, for the future, is there any way I could have improved the questions in my initial email? I have re-read the CVEs quite a bit now and I do not see how I could have formulated myself much differently.
To my knowledge there is no information in the security tracker whether there are plans to update the package or not and whether you would object to an upload. Just because it is marked as no-dsa does not mean that the package maintainer does not plan to do an update. All it means is that the security team will not take any further actions. There are plenty of cases when the maintainer does an update even if the security team has marked the CVE as no-dsa.
The reason I sent this email was to make sure the LTS team does not do anything that you do not want us to do.
In any case, thank you for your help. Now I know that there are no such plans and you would not object to the LTS team doing an update on stable/buster. This was exactly what I wanted to know.
Best regards
// Ola