I'm definitely open to working with debian to find a way to get you
early access. We've guessed that was something some distributions
would like, but I haven't worked with each distro to figure out their
needs yet. Thanks for bringing the subject up.
For the March 4th release, I get a CVSS score of 1.8 and 3.5 for the
non-public bugs (if you have another preferred webapp scoring system,
I'm happy to generate a score for you). Additionally, already publicly
in the release branches are patches to pass '2' to
CURLOPT_SSL_VERIFYHOST instead of 'true' for outbound curl
Hope that helps!