Finally the new 3.6.x Debian packages are out (https://github.com/matomo-org/matomo-package/issues/81) and 3.7.0 is in preparation as far as I can read. They both contain security fixes for XSS vulnerabilities and upstream suggests upgrading ASAP.
Changelog:
https://matomo.org/changelog/matomo-3-6-0/
https://matomo.org/changelog/matomo-3-6-1/
https://matomo.org/changelog/matomo-3-7-0/