Backdoor in xz: What We Know So Far
Many people are patching a hole, a deliberate hole, and many have not done so yet (many are on holiday so they don't even know). Set aside the fact that the hole can be traced back to Microsoft's GitHub (proprietary) and those developers who didn't rush to grab the latest from Microsoft's GitHub are generally safe.
It's not really an issue attributed to Microsoft's GitHub. The choice of Microsoft's GitHub is a symptom however.
All the major distros, save Debian, issued a statement on the matter (see the links here or coverage in Gemini; we've collected about 20 references).
Right now in IRC (of Techrights and SoylentNews) people talk about it. Some wish to know who's responsible for this.
We don't have all the answers yet (many haven't patched their systems either) and "the media" isn't very active right now. Here is one interesting take on it: "Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of OpenSSH, a security-critical remote administration tool used to manage millions of servers around the world. This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd." (via Peter N. M. Hansteen)
BSDs and operating systems without systemd (Linux is not impacted) have nothing to worry about. I've updated my Debian systems. Have you? Hurry up. █