Currently, GitHub security advisories is not activated on eclipse project.

To report a vulnerability, your need to open a bugzilla ticket.

For more details, please look at https://www.eclipse.org/security/.

There is no final release of leshan for now. So security fixes are applied in master branch and then available in next milestone release.