I'm not familiar with how to report security issues regarding packages under LTS/Extended LTS support. I've reported this issue on poppler-utils (included in poppler package, listed here:
https://deb.freexian.com/extended-lts/docs/supported-packages/) few months ago: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942391.
Is this security issue supported by Extended LTS program?
If I found other security issues (such as this one https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944979 which is not supported by Extended LTS), shall I report the issue on the Debian bug tracker or send it here (or both)?