Of course, and it was sloppy of me to call it "out of date", that goes for all serious Linux distributions with official life cycles, the "official" packages provided follow the life cycle of the distribution. This is a very common gripe with security scanners that flag "old" versions of Apache and the like within a supported OS release, they only look at the apparent version of Apache, not what security patches have actually been installed -- because it would, of course, be completely incorrect to increment the actual version of the software for backported fixes.
Of course, and it was sloppy of me to call it "out of date", that goes for all serious Linux distributions with official life cycles, the "official" packages provided follow the life cycle of the distribution. This is a very common gripe with security scanners that flag "old" versions of Apache and the like within a supported OS release, they only look at the apparent version of Apache, not what security patches have actually been installed -- because it would, of course, be completely incorrect to increment the actual version of the software for backported fixes.