When the Debian security team ends security support for a package that is already installed, the package is by default not reported to the user. The user will therefore likely continue to use those eventually vulnerable packages. This also applies to Debian `stable`.
The [debian-security-support](https://packages.debian.org/search?keywords=debian-security-support) package helps to solve this issue. It provides a [`check-support-status`](http://manpages.debian.org/cgi-bin/man.cgi?query=check-support-status&apropos=0&sektion=0&manpath=Debian+testing+jessie&format=html&locale=en) command that can list those packages and that also runs automatically during `apt-get dist-upgrade`.
As of Debian `wheezy`, examples include kde4libs, pidgin, qtwebkit, webkit. (Check output of `debian-security-support`.)
* This needs to be documented in [updating documentation](https://www.whonix.org/wiki/Security_Guide#Updates).
* Needs research on whether it would be sane to install `debian-security-support` by default. Having loads of users concerned about non-issues (non-network facing, only locally exploitable) wouldn't help.
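
The kind of check described above, as an added sketch (not code from `debian-security-support` or Whonix): it cross-references an installed-package list against a support-ended list. The list format, the function names and all sample entries are assumptions constructed for illustration, and matching is by source package name only, ignoring versions.

```shell
#!/bin/sh
# Added example: report installed packages that appear in a
# "security support ended" list. All sample data is constructed.
#
# Assumed list format, one entry per line:
#   <source package> <last supported version> <end date> <info>
# Blank lines and lines starting with '#' are ignored.

# unsupported_installed ENDED_LIST INSTALLED_LIST
# INSTALLED_LIST holds "<source package> <installed version>" lines,
# e.g. produced on a real system with:
#   dpkg-query -W -f='${source:Package} ${Version}\n'
unsupported_installed() {
    awk '
        NR == FNR {                        # first file: ended list
            if (NF == 0 || $1 ~ /^#/) next
            ended[$1] = $3                 # remember the end date
            next
        }
        # second file: installed packages; several binary packages can
        # share one source package, so report each source only once
        ($1 in ended) && !seen[$1]++ {
            printf "%s %s support-ended=%s\n", $1, $2, ended[$1]
        }
    ' "$1" "$2"
}

# demo: run the check on constructed sample data (hypothetical helper)
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ended" <<'EOF'
# constructed sample, not real Debian data
qtwebkit 0.0-1 1970-01-01 constructed-entry
pidgin 0.0-1 1970-01-01 constructed-entry
EOF
    cat > "$tmp/installed" <<'EOF'
bash 0.0-1
pidgin 0.0-1
pidgin 0.0-1
openssh 0.0-1
EOF
    unsupported_installed "$tmp/ended" "$tmp/installed"
    rm -rf "$tmp"
}

demo
```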