
Re: suggestion of upgrade to 12



That's the beauty of Debian. If the dev doesn't backport a fix, the maintainer might. It's not uncommon.

On Thu, Jun 20, 2024, 22:38 Jeffrey Walton <noloader@gmail.com> wrote:
One additional data point to consider... there are folks who have
exploits written for vulnerabilities that the community does not know
about.

Generally speaking, the older the software, the more exploits are
available. Developers generally don't work on old versions of their
software. Instead, they fix some things, release a new version and
move on. The only chance to fix the vulnerability is to move to a newer
version of the software by building it yourself or using the latest
distro release.

Folks who deal in vulnerabilities and exploits adore the old software
because nothing gets fixed, so their exploits continue to work on old
versions of software. As Greg Kroah-Hartman noted: [1]

    We have a very bad history of keeping bugs alive for a long time.
    Somebody did a check of it, most known bugs live for five years in
    systems. These are things that people know and know how to exploit.
    They’re not closed. That’s a problem in our infrastructure...

CVE tracking is not the answer because that assumes every exploitable
bug is tagged with a CVE. There are lots of bugs out there that are
not tracked with a CVE, yet are exploitable. See, for example, the
TTY1 layer bug discussed in [1]. It took over 3 years to figure out it
was exploitable and for the patches to be backported.

(I have first-hand knowledge of how one firm operates. The firm sells
their exploits to Northrop Grumman Electronic Warfare Division.)

[1] https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/

Jeff
