If upstream does not provide security fixes for a particular release, and if backporting the fix would be impractical, then the package maintainer(s) *MUST* open a FESCo ticket for approval to rebase the package to a version that upstream supports.
FESCo will review the ticket in a timely manner and give guidance as to how the package maintainer(s) should proceed. By way of information, several common items that would make it less likely for FESCo to grant a rebase request are listed below. Please note, however, that this list is not exhaustive.