Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.8.0
- None
- None
Description
SVN revision 781488 fixes CVE-2009-1885 and has the description "Avoid recursion when parsing simply nested DTD structures." The patch generated from this revision applies cleanly to the released 3.0.1 sources, but it (not at all surprisingly) does not apply well at all to 2.8.0. Debian maintains packages for both 3.0.1 and 2.8.0, since many software packages have not yet migrated from 2.x to 3.x.

Is there any intention of backporting this fix to the 2.x series, or are the 2.x releases now considered unsupported? I'd like to get a feel for how much effort I, or possibly members of the Debian security team, should put into backporting this. Thanks for any input.

I was unable to find an issue already in JIRA relating to this. I apologize if I overlooked it.