I recently saw a post from Debian Security Announce  talking about "The project no longer releases information on fixed security issues which allow back-porting them to released versions of Debian and actively discourages from doing so."
I am curious. Is this statement still true? If not, is there a place where I can read about the current procedures for how CVEs are disseminated to the community?
If it is true, is there community documentation describing why this was decided? If there isn't any documentation, how are folks handling this?