Comment 6 for bug 1848709

Steve Langasek (vorlon) wrote :

> but Debian does not include matrix-synapse in Debian Stable releases.

[citation needed]

matrix-synapse /was not/ included in the most recent Debian release. But there are no open release-critical bugs against it and it is in Debian testing, so there is nothing to indicate that /as a policy/ it is not being included in Debian releases.

And the bug originally reported here was against the version of the package in bionic, a year and a half after bionic released. That security vulnerabilities were discovered in a package over the life cycle of a stable release is also not a reason for us to remove it.

I would certainly accept guidance from the Security Team that this package should be removed so that it does not have to be supported under ESM.

But https://ubuntu.com/security/cves?q=&package=matrix-synapse&priority=&version=&status= also shows none of these CVEs are scored above 'medium' priority.