When the Debian security team ends security support for packages, and an affected package is already installed, those packages will by default not be reported. Therefore the user will likely continue to use those eventually vulnerable packages. This also applies to Debian `stable`.
The [debian-security-support](https://packages.debian.org/search?keywords=debian-security-support) package helps to solve this issue. It provides a [`check-support-status`](http://manpages.debian.org/cgi-bin/man.cgi?query=check-support-status&apropos=0&sektion=0&manpath=Debian+testing+jessie&format=html&locale=en) command that can list those packages and that also runs automatically during `apt-get dist-upgrade`.
As of Debian `wheezy`, examples include kde4libs, pidgin, qtwebkit, webkit. (Check output of `debian-security-support`.)
Installing `debian-security-support` would cause more confusion than gain. Reporting something like `kde4libs` and a bunch of libs tells the user nothing. [Showing reverse depends](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776548) is a missing feature in `debian-security-support`.
* This is something that needs to be documented in [updating documentation](https://www.whonix.org/wiki/Security_Guide#Updates).
* Implement [showing reverse depends](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776548) into `debian-security-support`.
* Think about whatever else is missing in `debian-security-support` to make it useful for the user.
* Needs research if it would be sane to install `debian-security-support` by default. Having loads of users being concerned about non-issues (non-network facing, only locally exploitable) wouldn't help.
* Finally, after improving `debian-security-support`, install it by default.
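A sketch of the reverse-dependency view described above as missing, added here as an example (it is not code from `debian-security-support` or from this ticket): given the names of unsupported binary packages, it walks a dpkg status file and lists the installed packages that depend on them, directly or transitively. The function names and the sample stanzas are assumptions made for illustration; only `Depends` and `Pre-Depends` are followed.

```python
import re
import sys

# Constructed sample in the layout of /var/lib/dpkg/status (not real system data).
SAMPLE_STATUS = """\
Package: kdelibs5-plugins
Status: install ok installed
Depends: libc6 (>= 2.4), libkdecore5 (= 4:4.8.4-4)

Package: libkdecore5
Status: install ok installed
Depends: libc6 (>= 2.4)

Package: kate
Status: install ok installed
Depends: kdelibs5-plugins, libkdecore5 (>= 4:4.8) | libfoo

Package: pidgin
Status: deinstall ok config-files
Depends: libpurple0
"""

def parse_status(text):
    """Map each fully installed package to the names in its Depends/Pre-Depends."""
    deps = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n[ \t]+", " ", stanza)  # join continuation lines
        fields = dict(l.split(":", 1) for l in unfolded.splitlines() if ":" in l)
        if "Package" not in fields or fields.get("Status", "").split()[-1:] != ["installed"]:
            continue  # removed or half-configured packages are not counted
        names = set()
        for key in ("Depends", "Pre-Depends"):
            for item in re.split(r"[,|]", fields.get(key, "")):
                m = re.match(r"\s*([a-z0-9][a-z0-9+.-]*)", item)  # drop versions
                if m:
                    names.add(m.group(1))
        deps[fields["Package"].strip()] = names
    return deps

def reverse_depends(unsupported, deps):
    """For each unsupported package, list installed packages that pull it in."""
    result = {}
    for pkg in unsupported:
        seen, queue = set(), [pkg]
        while queue:
            current = queue.pop()
            for name, needs in deps.items():
                if current in needs and name not in seen:
                    seen.add(name)
                    queue.append(name)
        seen.discard(pkg)  # a dependency cycle must not list the package itself
        result[pkg] = sorted(seen)
    return result

if __name__ == "__main__":  # usage: script.py PACKAGE [PACKAGE ...]
    with open("/var/lib/dpkg/status", encoding="utf-8") as fh:
        print(reverse_depends(sys.argv[1:], parse_status(fh.read())))
```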