libtiff has been updated on master, but I'm not sure what the status of the backport is
ckauhaus: iirc I merged the backport like a few hours ago :p
guaraqe: typically, find the commit applying it to master, and `git cherry-pick -x the-commit` to a branch off of release-18.09, and test that the package builds.
though it'd need checking that all the CVEs listed there are actually solved by 4.1.0
Even if that consists of upgrading the version? I'm not sure what the constraints are for fixed-version NixOS updates
if upstream maintainers release a security point release, it is usually ok to include that new version
guaraqe: basically, minor or patch-level releases should be OK (with a careful changelog check for minor-level releases); other than that, it may become interesting to port the patch if possible (and if not… well, it's a hard problem)