Distroless currently tracks debian 10 (buster) for packages. Distroless images are updated as debian packages are updated. No updates are created for earlier releases.

Debian tracking information at https://github.com/GoogleContainerTools/distroless/blob/main/checksums.bzl is updated daily

If a distroless image you are using contains a CVE or other vulnerability, please let the team know by creating an issue and pointing to the CVE or vulnerability disclosure. Please include a link to the package in question from the debian package index for debian 10/buster (https://packages.debian.org/index)