There are 2 open security issues in buster.
2 issues left for the package maintainer to handle:
FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c.
FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c.
You can find information about how to handle these issues in the security team's documentation.