Hacker News

Have the heads of the targeted projects - including xz (Lasse Collin?), OpenSSH (Theo?), and Linux (Linus) - commented on it?

I'm especially interested in how such exploits can be prevented in the future.



https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78b...:

>Lasse regularly has internet breaks and is on one at the moment, started before this all kicked off. He has posted an update at https://tukaani.org/xz-backdoor/ and is working with the community.


OpenSSH and Linux were not targeted/affected.

xz and the Debian distribution of OpenSSH were targeted.


The core source of the vulnerability (symbol lookup order allowing a dependency to preempt a function) might theoretically be fixed at the Linux+OpenSSH level.


Damien Miller (OpenSSH maintainer, OpenBSD committer) has written a patch that implements the relevant libsystemd functionality without libsystemd: https://bugzilla.mindrot.org/show_bug.cgi?id=2641#c13
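What "implements the relevant libsystemd functionality without libsystemd" amounts to, shown as an added example that is not Damien Miller's patch or any OpenSSH code: the sd_notify protocol is a single AF_UNIX datagram of newline-separated KEY=VALUE lines sent to the socket named by $NOTIFY_SOCKET, so a daemon can signal readiness to systemd with no shared library in the picture. The function names, the self-test helper and the socket path it creates are this example's own.

```c
/* Readiness notification to systemd without linking libsystemd.
 * Added example, not OpenSSH's patch. The wire protocol is a datagram
 * of KEY=VALUE lines to the AF_UNIX socket named by $NOTIFY_SOCKET;
 * a leading '@' in that name means the Linux abstract namespace. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send `msg` (e.g. "READY=1\n") to the notify socket at `path`.
 * Returns 0 on success, -1 on failure with errno set. */
int notify_socket_send(const char *path, const char *msg)
{
    struct sockaddr_un addr;
    size_t len = strlen(path), mlen = strlen(msg);
    socklen_t alen;
    int fd, abstract, ret = -1;

    if (len == 0 || len >= sizeof(addr.sun_path)) {
        errno = EINVAL;
        return -1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, len);
    abstract = (addr.sun_path[0] == '@');
    if (abstract)
        addr.sun_path[0] = '\0';      /* abstract socket: leading NUL, no trailing NUL */
    alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len + (abstract ? 0 : 1));

    /* Close-on-exec so forked children (e.g. sessions) never inherit the socket. */
#ifdef SOCK_CLOEXEC
    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
#else
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
#endif
    if (fd < 0)
        return -1;
    if (sendto(fd, msg, mlen, 0, (struct sockaddr *)&addr, alen) == (ssize_t)mlen)
        ret = 0;
    close(fd);
    return ret;
}

/* Equivalent of sd_notify(0, "READY=1"): a no-op (returns 0) when not run
 * under a service manager, i.e. when $NOTIFY_SOCKET is unset. */
int notify_ready(void)
{
    const char *sock = getenv("NOTIFY_SOCKET");
    if (sock == NULL || *sock == '\0')
        return 0;
    return notify_socket_send(sock, "READY=1\n");
}

/* Self-test (example's own helper): bind a throwaway datagram socket,
 * send a notification to it, and check the bytes arrive intact.
 * Returns 1 on a successful round trip, 0 otherwise. */
int notify_selftest(void)
{
    char path[64], buf[128];
    struct sockaddr_un addr;
    const char *msg = "READY=1\nSTATUS=listening\n";
    int fd, ok = 0;
    ssize_t n;

    snprintf(path, sizeof(path), "/tmp/notify-selftest-%ld", (long)getpid());
    unlink(path);
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);

    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return 0;
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        notify_socket_send(path, msg) == 0) {
        n = recv(fd, buf, sizeof(buf) - 1, 0);   /* datagram already queued; does not block */
        if (n > 0) {
            buf[n] = '\0';
            ok = (strcmp(buf, msg) == 0);
        }
    }
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("self-test: %s\n", notify_selftest() ? "ok" : "FAILED");
    return notify_ready() == 0 ? 0 : 1;
}
```

The point for the supply-chain angle: a daemon that only needs readiness notification can do it in a few dozen lines of its own code, so nothing from libsystemd (or from anything libsystemd links, which is how liblzma ended up loaded into sshd on Debian) runs in the server's address space at all.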


It's in their ecosystem; they should be concerned about other similar attacks and about addressing the fears of many users, developers, etc.


Fedora too.



