From invidious matrix room:
*PSA: The xz package (used by SSHD) has been backdoored @room
The upstream release tarballs for xz version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.
ArchLinux and most rolling release distro are affected. Debian Testing/Sid/Experimental are affected, Debian Stable ISN’T AFFECTED.
Short summary by the ArchLinux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/
Your distro should have a blog post/message to tell you what to do, either update (if they provide an updated version) or downgrade to a known-good version.
Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4
More Infos: https://archlinux.org/news/the-xz-package-has-been-backdoored/ https://lists.debian.org/debian-security-announce/2024/msg00057.html https://github.com/tukaani-project/xz/issues/92*