by 0x0 3233 days ago
Almost all Linux distros that use the concept of a "release" will stay on the version numbers they originally released for. Security fixes are backported but no other functionality is imported, thereby keeping the feature set fixed to the version numbers in the original release.

If you are maintaining or developing any kind of server and services where you need an uptime guarantee above 0%, you will appreciate this. Otherwise you will need staff on standby 24/7 being ready to develop fixes for breaking backwards compatibility changes. Imagine if you had to deal with funky errors like these every minute of the day - https://gitlab.com/gitlab-org/gitlab-ce/issues/36028

For Ubuntu, you should follow their "usn" security notices and you would stay informed: https://usn.ubuntu.com/usn/

For Debian, likewise there is a "debian-security-announce" mailing list https://lists.debian.org/debian-security-announce/

Also for Debian, you can check up on the status for known vulnerabilities on their security tracker. For example, for this particular git exploit, you could look up https://security-tracker.debian.org/tracker/CVE-2017-8386