Hello! Because of the vagueness of Oracle CVEs, I cannot judge if this warrants a DSA or not.
I am happy to prepare a security update for you if you so request. Currently https://release.debian.org/ states: > stable (10.5) Not yet planned > oldstable (9.13) Not yet planned ..so I will not rush to make stable update preparations. I am currently preparing MariaDB 10.4/10.5 for unstable, so there will not be a MariaDB 10.3 upload to unstable anymore. I am happy to do stable updates on your request for 10.3 and 10.1. Related: Currently the CVE https://security-tracker.debian.org/tracker/CVE-2020-13249 is marked to apply to MariaDB 10.1. That version however does not include libmariadb3, so I think it does not apply there.