I recently saw a post from Debian Security Announce  talking about "The project no longer releases information on fixed security issues which allow back-porting them to released versions of Debian and actively discourages from doing so."
I am curious. Is this statement still true? If not, is there a place where I can read about the current procedures for how CVEs are disseminated to the community?
If it is true, is there community documentation describing why this was decided? If there isn't any documentation, how are folks handling this?
Yes. The critical part is
This is because Debian wanted to backport security fixes to a very very old version instead of picking up new versions with the fixes. Elasticsearch as a project cuts new deb and rpm files whenever it cuts a new release and recommends those instead of anything your distribution ships.
In general you'll have to stay more up to date than something like Debian is willing to do. A year old version of Elasticsearch is quite old, for example.
For what it is worth 2.x is much, much more paranoid than 1.x was, using things like seccomp to drop exec privileges and java's security sandbox. That isn't to say it is perfect just that we take security very seriously.
So one note on CVE, the https://www.elastic.co/community/security link claims they can't get CVE's due to MITRE policy changes which is absolutely not true, but I can see how they might misunderstand the Mitre Swimlanes document https://cve.mitre.org/cve/data_sources_product_coverage.html anyways I've reached out to email@example.com with information and an offer to help with respect to getting CVEs.