Note that OP found this in Debian sid as well, which means it's highly unlikely this issue will find its way into any Debian stable systems.
My Arch system was not vulnerable because openssh was not linked to xz.
IMO every single commit from JiaT75 should be reviewed and maybe even rolled back, as they have obliterated their trust.
edit:
https://github.com/google/oss-fuzz/pull/10667
Even this might be nefarious.
Have you come across an outline or graph of systemd that you really like, or maybe a good example of a minimal setup?
Also, only users on sid (unstable) and maybe testing seem to have been affected. I doubt there are many Debian servers out there running sid.
Debian stable (bookworm) has xz-utils version 5.4.1: https://packages.debian.org/bookworm/xz-utils
Monocrops are more vulnerable to disease because the same (biological) exploit works on the entire population. In our Linux biosphere where there are dozens of major, varied configurations sharing parts but not all of their code (and hundreds or thousands of minor variations), a given exploit is likely to fail somewhere, and that failure is likely to create a bug that someone can notice.
It's not foolproof, but it helps keep the ecosystem healthy.
Guess who released 5.4.1? JiaT75!
