The xz package (used by SSHD) has been backdoored
The upstream release tarballs for xz versions 5.6.0 and 5.6.1 contain malicious code that adds a backdoor.
ArchLinux and most rolling-release distros are affected.
Debian Testing/Sid/Experimental are affected, Debian Stable ISN'T AFFECTED.
Short summary by the ArchLinux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/
Your distro should have a blog post/message to tell you what to do, either update (if they provide an updated version) or downgrade to a known-good version.
Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4
More info: https://archlinux.org/news/the-xz-package-has-been-backdoored/ https://lists.debian.org/debian-security-announce/2024/msg00057.html https://github.com/tukaani-project/xz/issues/92
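
A quick local check for the two upstream versions named above, as an added example that is not part of the original post. The function names are made up for this sketch, and it only compares version numbers, so your distro's advisory remains the authority on which package builds are safe.

```shell
#!/bin/sh
# Added example: classify xz / liblzma version text against the two
# upstream releases the post names as backdoored (5.6.0 and 5.6.1).
# Function and variable names here are hypothetical.

AFFECTED_VERSIONS="5.6.0 5.6.1"

# Print every dotted x.y.z version found in the text in $1, one per line.
extract_versions() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | sort -u
}

# Print "affected", "not-affected" or "unknown" for the version text in $1.
# Every version in the text is checked, because `xz --version` reports the
# xz binary and the liblzma library on separate lines and they can differ.
classify_xz_version() {
    found=$(extract_versions "$1")
    [ -n "$found" ] || { echo unknown; return 0; }
    for v in $found; do
        for bad in $AFFECTED_VERSIONS; do
            if [ "$v" = "$bad" ]; then
                echo affected
                return 0
            fi
        done
    done
    echo not-affected
}

# Classify the xz installed on this machine, if there is one on PATH.
check_local_xz() {
    if command -v xz >/dev/null 2>&1; then
        classify_xz_version "$(xz --version 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample input in the layout `xz --version` prints.
SAMPLE_OUTPUT=$(printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1')
```

Run `check_local_xz` on a host, or pass a package manager's version string to `classify_xz_version` to check it without executing xz.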