So if I have been using arch with infected xz library to connect to a Debian LTS server, am I compromised?
Assume yes until you can prove otherwise.
From what I've read, both Arch and Debian stable aren't vulnerable to this. It targeted mostly debian-testing.
Arch put out a statement saying users should update to a non-infected binary even though it doesn't appear to affect Arch: https://archlinux.org/news/the-xz-package-has-been-backdoored/
However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.
Arch stable had it apparently, but that's not the commonly used version of Arch.
As I heard it - the (naughty) build tooling looked for rpm and deb, and bailed out if they were absent.
I would pay attention to the news. You definitely want to upgrade immediately if you have not already.