What versions are supported, and for how long?

‘Obviously’ I keep my sites up to date with the latest version of WP.

However, it’s not clear to me which versions are supported in terms of being kept secure-ish as exploits are patched.

The Codex’s entry on ‘supported versions’ implies that all official releases from here are “supported”… which is clearly not true in terms of back-ported security fixes.

In contrast, the release archive/ says that ‘None of these are safe to use, except the latest in the 4.2 series, which is actively maintained.’

But the latest batch of fixes for the appalling XSS exploits have been back-ported to 3.7, 3.8, 3.9, 4.0 and 4.1, i.e. all the versions where minor upgrades are done by default.

So which is it:

* These versions will be supported with security fixes until… when? A date? Until it’s not possible to have a new ‘minor’ update version? (Looking at the source, it assumes that versions are of the form x.y.z and it’s getting very close to running out of digits for 3.7.z and 3.8.z! What’s next? 3.7.a?)

* Unless you’re running the latest version, WP.org doesn’t care if you’re hacked because of a known exploit?

Either is fine with me, but I’d like some clarity.