The tracker for CVE-2017-17689 doesn't list anything related to kdepim or
src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced
by src:meta-kde) in buster? If so, that should probably be stated explicitly
in the tracker.
For buster the affected code is in src:kf5-messagelib and fixed in 4:18.08.1-1
In stretch the affected code is in src:kdepim
In Buster the binary package kdepim is now built out of src:meta-kde, but that
was never affected. That's we don't track src:meta-kde at all in
https://security-tracker.debian.org/tracker/CVE-2017-17689
Does that clarify?