The server was reportedly running 2.4.57 and the CVE was fixed in 2.4.60, so it’s definitely present in the software.

Overall, I don’t get your point about stable releases and backports.

Clearly. Hint: it’s what Enterprise Linux has done for 20 years.