The only people who will have this vulnerability AFAIK (and have it be actionable with the ssh backdoor) are folks running Debian unstable on an ssh server. The shitty part about this is a rupture in trust for the maintainers at xz.
Honestly, the attacker picked a really shitty time frame considering their payload isn’t in any important point releases where they could have the most effect.