Hello,
Package icingaweb2 (2.4) in stretch have around 9 open CVEs. Most of them fixed in upstream v2.6. There isn't isolated patches available for CVE-2018-18246 to CVE-2018-18250. The changes from 2.4 .. 2.6 is pretty large and not much descriptive to comb through and cherry pick. I have pinged upstream security team to help, unfortunately they couldn't single out the patches. So I was wondering whether its ok to upload v2.6 from stretch-backports to -security and fix remaining CVEs on top of that. PS: Its not a priority package for us. --abhijith