Except this isn’t true at all.
https://security-tracker.debian.org/tracker/CVE-2024-6387
Regresshion impacted bookworm and trixie both. Buster was too old.
With the downside of me doing an apt update and seeing that openssh-server was on 1:9.2p1-2+deb12u3
and I had no idea at a glance if this included the fix or not (qualys’s page states version 8.5p1-9.8p1 were vulnerable).
If you are running debian bookworm or trixie, you absolutely should update your openssh-server package.
Should they? Yes. They should also be searching for previous bug reports. I’m sure a lot of people do. But if you have enough users, even if 1% of people don’t use good reporting behaviors, you wind up with a lot of duplicate or bad reports.
There are plenty of blog posts out there that basically can be summarized as talking about how grueling open source work can be because users are often aggressive in their demands.
But this is a prime example of debian “stable” doesn’t mean “no crashes” but instead it means “unchanging, which means any bugs and crashes will remain for the whole release”