Jonathan,
I'm definitely open to working with debian to find a way to get you early access. We've guessed that was something some distributions would like, but I haven't worked with each distro to figure out their needs yet. Thanks for bringing the subject up.
For the March 4th release, I get a CVSS score of 1.8 and 3.5 for the non-public bugs (if you have another preferred webapp scoring system, I'm happy to generate a score for you). Additionally, already publicly in the release branches are patches to pass '2' to CURLOPT_SSL_VERIFYHOST instead of 'true' for outbound curl connections.
Hope that helps!
Chris