• PorkrollPosadist [he/him, they/them]
    hexbear
    8
    2 months ago

    Debian security advisory - impacts Testing and Unstable. Stable unaffected. (Debian is upstream of A LOT of other distributions, such as Ubuntu)

    Red Hat CVE - impacts Fedora 41 and Rawhide

    Arch Linux announcement - Impacted, upgrade immediately

    Gentoo bug - Package was in the Gentoo repository, masked by ~arch (unstable) keyword. Children who wildcard-unmask everything are impacted.

    Surely there are more.

    This is pretty bad.

  • trompete [he/him]
    hexbear
    5
    2 months ago

    Perhaps worth mentioning: Some unknown person added malware to their tarball releases, specifically to backdoor ssh, which on most Linux distros was patched to load some systemd library, which in turn loads liblzma.
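
The load chain described in the comment above (sshd, then a systemd library, then liblzma) can be checked on a host by walking each library's direct dependencies. This is an added example, not part of the thread; the function names and the sample dependency table are constructed for illustration.

```python
import re
import subprocess
from collections import deque

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[(.+?)\]")
LDD_RE = re.compile(r"^\s*(\S+) => (/\S+)", re.M)

def parse_needed(readelf_out):
    """Direct dependencies (DT_NEEDED sonames) from `readelf -d` output."""
    return NEEDED_RE.findall(readelf_out)

def parse_ldd(ldd_out):
    """Map soname -> resolved path from `ldd` output."""
    return dict(LDD_RE.findall(ldd_out))

def chain_to(root, target_prefix, needed_of):
    """Breadth-first search over direct dependencies. Returns the shortest
    chain from root to a library whose soname starts with target_prefix."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        for lib in needed_of(path[-1]):
            if lib in seen:
                continue
            seen.add(lib)
            if lib.startswith(target_prefix):
                return path + [lib]
            queue.append(path + [lib])
    return None

def inspect(binary, target_prefix="liblzma.so"):
    """Live check. Run only on binaries you trust: ldd may execute code
    from the file it inspects."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    paths = parse_ldd(run("ldd", binary))
    paths[binary] = binary
    needed_of = lambda name: parse_needed(run("readelf", "-d", paths[name])) if name in paths else []
    return chain_to(binary, target_prefix, needed_of)

# Constructed dependency table for illustration, not taken from a real host.
SAMPLE = {
    "sshd": ["libcrypto.so.3", "libsystemd.so.0", "libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libc.so.6"],
}

if __name__ == "__main__":
    print(" -> ".join(chain_to("sshd", "liblzma.so", lambda n: SAMPLE.get(n, []))))
```

On a live system, `inspect("/usr/sbin/sshd")` returns the chain if one exists and `None` if sshd never pulls in liblzma; the sshd path is an assumption and varies by distribution.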