Tumbleweed today - xz security alert and CVE-2024-3094

Endless reading for me. (It appears there may be some malware side cases, where other apps / libs are included, so this story may not be over yet – but I’ll not delve there.)

I just checked my two TW desktops, which I last booted on Mar 11:
probably vulnerable

I’ve removed the ssh-server package and downgraded xz and liblzma.

Why was my Mar 11 last-accessed TW vulnerable? See the timeline below, esp. the two Tumbleweed acquisition entries of xz I’ve bolded.

Timeline quote from an article at JFrog
==== quote plus URL ====

2024, February 24th – JiaT75 releases version 5.6.0 with the malicious build-to-host.m4. At this stage, the malicious payload is fully operational (any subsequent XZ version is compromised). Malicious xz-utils version 5.6.0 pulled by Debian, Gentoo and Arch Linux.

2024, February 27th – Malicious xz-utils version 5.6.0 pulled by Fedora.

2024, March 5th – Malicious xz-utils version 5.6.0 pulled by openSUSE.

2024, March 9th – JiaT75 updates the backdoor’s binaries to an improved version, and releases version 5.6.1. Malicious xz-utils version 5.6.1 pulled by Fedora, Gentoo and Arch Linux.

2024, March 10th – Malicious xz-utils version 5.6.1 pulled by openSUSE.

2024, March 11th – Malicious xz-utils version 5.6.1 pulled by Alpine.

2024, March 26th – Malicious xz-utils version 5.6.1 pulled by Debian.

2024, March 29th – A detailed account of the malicious activity found in XZ utils was published on the oss-security mailing list by Andres Freund.
==== end quote ====

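The "probably vulnerable" verdict above boils down to a version check: the timeline names 5.6.0 and 5.6.1 as the compromised xz-utils releases. The script below is an added example (not code from the original post, openSUSE, or the CVE advisory) that wraps that check in reusable shell functions. It assumes an rpm-based system where the relevant packages are named `xz` and `liblzma5`, and that `xz --version` prints the version as the last word of its first line; both are assumptions, so adjust the names for other distributions.

```sh
#!/bin/sh
# Added example: flag the xz-utils releases named in the timeline above
# (5.6.0 and 5.6.1, CVE-2024-3094). Not part of the original post.

# is_affected_xz_version VERSION
# Returns 0 (true) when VERSION is one of the known-bad upstream releases.
# Accepts a bare "5.6.1" as well as distro-style "5.6.1-1.2" strings.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1)     return 0 ;;
        5.6.0-*|5.6.1-*) return 0 ;;
        *)               return 1 ;;
    esac
}

# parse_xz_version_output "xz (XZ Utils) 5.6.1"
# Extracts the version from the first line of `xz --version` output
# (assumed format: version is the last whitespace-separated field).
parse_xz_version_output() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }'
}

# check_installed_xz
# Queries rpm for the packages assumed to carry xz-utils and liblzma on
# openSUSE (package names are an assumption). Prints one line per package
# and returns 0 if any installed version is a known-bad release, else 1.
check_installed_xz() {
    found=1
    for pkg in xz liblzma5; do
        ver=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null | head -n 1)
        [ -n "$ver" ] || continue          # package not installed / no rpm
        if is_affected_xz_version "$ver"; then
            echo "$pkg $ver: known-bad release (CVE-2024-3094), downgrade or update"
            found=0
        else
            echo "$pkg $ver: not one of the known-bad releases"
        fi
    done
    return $found
}

# check_xz_binary
# Cross-checks the xz binary actually on PATH, since the package database
# and the installed binary can disagree. Returns like check_installed_xz.
check_xz_binary() {
    command -v xz >/dev/null 2>&1 || return 1
    ver=$(parse_xz_version_output "$(xz --version 2>/dev/null)")
    [ -n "$ver" ] || return 1
    if is_affected_xz_version "$ver"; then
        echo "xz binary $ver: known-bad release (CVE-2024-3094)"
        return 0
    fi
    echo "xz binary $ver: not one of the known-bad releases"
    return 1
}

# Run the checks only when invoked with --check, so the file can also be
# sourced for its functions without side effects.
if [ "${1:-}" = "--check" ]; then
    rc=1
    check_installed_xz && rc=0
    check_xz_binary && rc=0
    [ "$rc" -eq 0 ] && echo "VERDICT: probably vulnerable" || echo "VERDICT: no known-bad xz release found"
    exit 0
fi
```

Run it as `sh xz_check.sh --check`; a "probably vulnerable" verdict means a 5.6.0 or 5.6.1 build is present and the remediation the post describes (downgrading xz and liblzma, or updating to a fixed package) applies. Note that this only matches the upstream version strings from the timeline; a distribution that patched the package while keeping the 5.6.x version number would still be flagged, which is the safer direction for a quick check.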