If you’re running version 5.6.0 or 5.6.1, downgrade immediately.

    • hello_hello [they/them, comrade/them]@hexbear.net
      3 months ago

      The only people who will have this vulnerability AFAIK (and have it be actionable with the ssh backdoor) are folks running Debian unstable on an ssh server. The shitty part about this is a rupture in trust for the maintainers at xz.

      Honestly, the attacker picked a really shitty time frame considering their payload isn’t in any important point releases where they could have the most effect.