So... Under the premise that only #xz version 5.6+ is compromised, LTS OSes seem fine. Ubuntu is still using older versions, Debian is only using newer ones in testing. Kali updated to 5.6 last week, but testing sources were already reverted to a 5.4 version so one can 'just upgrade'
@Georg311 rolling release distros like Arch Linux and NixOS also seem to be safe. From the Arch security news:
> openssh does not directly use liblzma. However debian and several other
> distributions patch openssh to support systemd notification, and libsystemd
> does depend on lzma.
Arch does not directly link openssh to liblzma, and thus this attack vector is not possible.
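
The two conditions discussed in this thread (an xz version of 5.6 or later, and sshd pulling in liblzma through libsystemd) can be checked together. The script below is an added example, not part of the original posts; the function name `classify_exposure` and both sample `ldd` listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: combine the thread's two conditions into one verdict.
# Premise taken from the thread: only xz 5.6+ is affected.

# classify_exposure VERSION LDD_TEXT
#   VERSION  - xz/liblzma version string, e.g. "5.6.1" or "5.4.5-0.3"
#   LDD_TEXT - output of `ldd` run against the sshd binary
# Prints: exposed | affected-version-not-linked | unaffected-version
classify_exposure() {
    ver=$1
    ldd_text=$2
    major=${ver%%.*}            # text before the first dot
    rest=${ver#*.}              # text after the first dot
    minor=${rest%%[!0-9]*}      # leading digits of the remainder

    affected=no
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; }; then
        affected=yes
    fi

    linked=no
    if printf '%s\n' "$ldd_text" | grep -q 'liblzma\.so'; then
        linked=yes
    fi

    if [ "$affected" = yes ] && [ "$linked" = yes ]; then
        echo exposed
    elif [ "$affected" = yes ]; then
        echo affected-version-not-linked
    else
        echo unaffected-version
    fi
}

# Constructed sample: sshd patched for systemd notification (Debian-style).
PATCHED_SSHD_LDD='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5'
# Constructed sample: sshd without the libsystemd dependency (Arch-style).
UNPATCHED_SSHD_LDD='	libcrypto.so.3 => /usr/lib/libcrypto.so.3
	libz.so.1 => /usr/lib/libz.so.1'

classify_exposure 5.6.1 "$PATCHED_SSHD_LDD"
classify_exposure 5.6.1 "$UNPATCHED_SSHD_LDD"
classify_exposure 5.4.5 "$PATCHED_SSHD_LDD"

# On a live host:
#   classify_exposure "$(xz --version | awk 'NR==1{print $NF}')" \
#                     "$(ldd "$(command -v sshd)")"
```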