@GossiTheDog Debian Sid's and testing's liblzma has the backdoor, although it looks like it was reverted already. I don't think any official releases of Debian or Ubuntu had the compromised packaging. https://metadata.ftp-master.debian.org/changelogs//main/x/xz-utils/xz-utils_5.6.1+really5.4.5-1_changelog