Over the years, I've seen the GOS twitter account mention some issues with "stable" distributions (most notably Debian). Among the mentioned issues is the fact that security patches developed by the developer of the application for the latest version are backported to the version packaged for the distribution by the package maintainer. This is an issue because it has caused:
- improper application of the patch allowing it to be bypassed in the packaged version when it is not possible in the official (up-to-date) release
- improper application of the patch creating a completely new vulnerability which never existed in the official release
I believe the GOS twitter account said both of these cases have happened multiple times and I'm looking for actual examples of this. While I feel like I've seen some myself, I'm currently coming up short. Do any of you remember specific cases of this happening?