This is fixed in unstable. Question from a non-experienced DM: what's the procedure to get this into stable? It seems that I shouldn't file a bug to release.debian.org, and instead get in touch with the security team.
What's the workflow? Should I file a bug against the pseudo-package security.debian.org? Or should I just follow up on this bug and CC security? Thanks! Arnaud