
Excellent news, and I like all the focus on security fixes in the system.

I do have to say though, it roughly looks like 25% of those issues wouldn't exist in memory safe languages. It's one reason why I'm so excited for Rust in the systems arena.

I'm sure they'd love to have your help rewriting all of that software.


In all seriousness, if they really wanted to I would be down for helping rewrite mission critical stuff. I don't think they are there yet, though.

Note: I'm not sure who "they" are in this context, but I assume package maintainers, and much of it I believe is GNU.


In general package maintainers only take existing software projects, and apply some glue to make them fit into the Debian distribution (think: build framework, file system location policies, documentation policies, etc.) so that the whole open-source ecosystem can be presented in a uniform distribution.

Rewriting the ecosystem in Rust would require no small effort. Luckily Debian isn't a giant monolith, and you can focus on one package at a time. If you're really serious about digging in, then choose a package that you think would be a good balance between security gain (e.g. something with a history of memory-type security bugs) and effort required, start with that.

The existing maintainer of that project (I mean the software maintainer, not the Debian package maintainer) may or may not be open to a Rust rewrite. But this is open-source, and if they aren't, you can just fork (if calling a rewrite a 'fork' makes sense...) and publish your code somewhere. Then you can work with Debian folks to get your version packaged, and it will be available as a safer alternative for people who want to use it.

Over time, and as this starts happening to more and more software, Debian can start migrating to using these packages by default instead of the older unsafe ones.

And if they don't, again, it's open-source. Someone can make a Debian derivative (there are many already, including most famously Ubuntu) that uses the Rust versions of all packages when possible by default.

Disclaimer: this post presents just one possible version of future events, with the goal of clarifying what steps are required if you really believe in this, and want to see it happen. I am not affiliated with the Debian project other than as a user and software author with packages in the Debian archive.


The reason I want them to be open to it, be it the Debian maintainers or the OSS maintainer, is that while I could fork the world, it might be a completely wasted effort if there is no support in the community to use it.

If on the other hand there was a ground swell, I'd prefer to help it along and scale up the effort. I'm only one person, with limited spare time to focus on these things.


I would love to have a well-tested and fully RFC-compliant DHCP client (IPv4 to start with) written in e.g. Rust, for use both on my dev machines and also on the embedded systems I build.

Many of these rewrite attempts are quick hacks that are abandoned once very basic functionality is present.

For most users Rust vs C/C++ doesn't matter so your rewrite has to be better, not only in security (which is very abstract for users), but better performance / easier to configure / smaller / etc.

It is definitely about time; many small tools and utils that have existed for 15-20 years are very crufty when you open the hood and dive into the source.


I'm working on DNS right now: trust-dns. I have been considering a DHCP client/server (separate) as well.


This is an open source and community driven project. It is your job/responsibility to improve things and try to submit them upstream and convince people that your solution is better than the existing one.


Yes, I am aware; it's more that I don't want to fork and not have the support of the original package/library maintainers.
