full report: https://www.openwall.com/lists/oss-security/2024/03/29/4
tl;dr: liblzma/xz has been compromised upstream. the github releases 5.6.0/5.6.1 (since feb 24) contain malicious code, significantly slows down sshd and runs code on pubkey login. checker script is available, please check your distro's repository to see if you have those versions of xz, and if yes upgrade if a rollback is packaged or roll it back yourself.
here is how you can tell if you're running the affected version:
xz --version
here is what the output on the vulnerable version looks like:
$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1
OR
$ xz --version
xz (XZ Utils) 5.6.0
liblzma 5.6.0
if you want to be a bit safer, try the detection script from the full report!
