Hi Tim,
Please don't top-post, we don't do that in Debian, and also:
Apologies!
FYI, I'm sad too, but there's nothing I can do but pinging again the
stable release team about this. You hear me well: the stable release
team. Not the security team since they do not want to do a security
announcement and an update through stable-security (so it shall be done
through a point release, dealing with the stable release team).
This means writing to 1002956@bugs.debian.org. That's the only email
address that has influence on accepting the fixed version. Feel free to
ping that email address until you get a reply. I agree that no reply
since the 29th of Jan is sad...
I still don't understand why the determination was made to not do a security announcement for this bug, given that it makes a Debian system that installs this package vulnerable to remote RCE without manual intervention.
-Tim Abbott