Is it possible that some versions of Ubuntu are affected by different vulnerabilities with respect to the respective upstream Debian?
0 votes, 1 answer, 53 views
For my job, I am using a series of devices mounting Debian 9 Stretch. I heard about the vulnerability in rsync, which our devices use. I read in the Debian announcement that Bullseye (11) is not affected. However, in the announcement about the same topic for Ubuntu, it is said that the affected upstream versions of rsync are from 3.1.0 to at least 3.2.7, i.e. from 2014 to now, so I would expect the upstream Debian versions to be affected as well. For instance, I can see my devices use rsync 3.1.2. So my question is: can I be sure that pre-Bullseye versions of Debian are unaffected (due to, I guess, different patches applied with respect to Ubuntu?), or should I compile the new version of rsync from source, to be sure?
Asked by Alessandro Bertulli
(113 rep)
Jan 22, 2025, 10:31 AM
Last activity: Jan 22, 2025, 02:03 PM