When using debsecan on a fully updated stretch machine I get a whole list of CVEs. The kernel package is the latest from stretch-updates/main, but that is not matched in the security-tracker output.
It is also odd that the 'stretch (security)' version is so behind the normal stretch version (4.9.110-3+deb9u6 vs 4.9.144-3).
# debsecan --suite stretch --only-fixed --no-obsolete --format summary
CVE-2017-0786 linux-image-4.9.0-8-amd64 (fixed, remotely exploitable, medium urgency)
CVE-2017-0861 linux-image-4.9.0-8-amd64 (fixed, medium urgency)
CVE-2017-1000 linux-image-4.9.0-8-amd64 (fixed)
CVE-2017-1000111 linux-image-4.9.0-8-amd64 (fixed, high urgency)
CVE-2017-1000112 linux-image-4.9.0-8-amd64 (fixed, medium urgency)
CVE-2017-1000251 linux-image-4.9.0-8-amd64 (fixed, remotely exploitable, high urgency)
CVE-2017-1000252 linux-image-4.9.0-8-amd64 (fixed, low urgency)
CVE-2017-1000255 linux-image-4.9.0-8-amd64 (fixed, medium urgency)
CVE-2017-1000364 linux-image-4.9.0-8-amd64 (fixed, medium urgency)
CVE-2017-1000365 linux-image-4.9.0-8-amd64 (fixed, high urgency)
...
# dpkg -l 'linux-image-*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=========================-=============-============-===================================
ii linux-image-4.9.0-8-amd64 4.9.144-3.1 amd64 Linux 4.9 for 64-bit PCs
ii linux-image-amd64 4.9+80+deb9u6 amd64 Linux for 64-bit PCs (meta-package)