You've probably seen it elsewhere already, but: xz-utils 5.6.0 and 5.6.1 release tarballs contain an elaborate exploit that injects a backdoor into SSH. #Gentoo systems shouldn't be affected since our OpenSSH doesn't link to liblzma — apparently the exploit targets distributions that patch OpenSSH to link with libsystemd, which in turn may link to liblzma. However, it's not clear if the exploit doesn't do anything else, so we've masked the new versions.

lzip is not affected.

openwall.com/lists/oss-securit