Lasse Collin (long-time maintainer of xz-utils) now has a dediated page on the xz-utils backdoor (CVE-2024-3094):

This page is short for now but it will get updated as I learn more about the incident. Most likely it will be during the first week of April 2024.

The Git repositories of XZ projects are on git.tukaani.org.

xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don’t have a home page. This will be fixed in a few days.

There also exists a FAQ on the xz-utils backdoor by thesamesame.

Thankfully this was caught before the affected xz-utils tarballs (5.6.0 and 5.6.1) were pulled into major distribution releases. If you were running pre-release Fedora Linux 40 beta, Fedora Rawhide, Debian Testing, Arch or similar should immediately downgrade to a stable version until these have been updated to fix the affected versions.

asking for a friend

Original report: oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
Red Had advisory: Urgent security alert for Fedora Linux 40 and Fedora Rawhide users
Debian advisory: [SECURITY] [DSA 5649-1] xz-utils security update

If you know any other distributions that use .deb or .rpm packages, and have shipped xz or liblzma versions 5.5.* or 5.6.*, include information in the comments