CVE-2020-5202 is reserved but details are available on the oss-security ml.
According to the [URL] <net-misc/apt-cacher-ng-3.3.1_p2 are vulnerable.
The changes in Debian patch level 2 concern mostly the runtime configuration files which the ebuilds do not install. Upstream is working toward more general changes to mitigate the issue. I guess we'll have to wait for an official release.
um, like that