I accidentally found a security issue while benchmarking postgres changes.

If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.

https://www.openwall.com/lists/oss-security/2024/03/29/4

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of CPU time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.

Really required a lot of coincidences.
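A quick local check a sysadmin might run after reading the post above. This is an added example, not part of the original thread or of the xz project: it asks whether the installed sshd links liblzma at all (the path the post describes, CPU time inside liblzma while sshd runs), and whether the xz binary reports one of the two release versions the linked oss-security advisory names as compromised, 5.6.0 and 5.6.1. Those two version strings are the only identifiers taken from the advisory; the candidate sshd paths and the parsing helpers are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Inspects the local host for
# the two things the thread talks about: sshd pulling in liblzma, and an
# xz/liblzma release matching the versions named in the linked advisory.

# Return 0 if the version string is one of the advisory's affected releases.
# 5.6.0 and 5.6.1 are the versions named in the linked oss-security post;
# a version match is only a first-pass signal, distros may ship patched
# builds under the same version string.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull a dotted X.Y.Z version out of a line such as "xz (XZ Utils) 5.6.1".
# Prints the version, or nothing if the line carries none.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Locate an sshd binary in a few conventional places (assumed paths).
find_sshd() {
    for p in /usr/sbin/sshd /usr/local/sbin/sshd /sbin/sshd; do
        if [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Return 0 if ldd shows the binary (transitively) loading liblzma.
links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Print the resolved liblzma path ldd reports for the binary (may be empty).
liblzma_path() {
    ldd "$1" 2>/dev/null | awk '/liblzma/ { print $3; exit }'
}

# Run both checks and summarise. Returns 2 when an affected xz version is
# installed, 0 otherwise (including "nothing to check").
main_check() {
    sshd=$(find_sshd) || { echo "no sshd binary found; nothing to check"; return 0; }
    if links_liblzma "$sshd"; then
        echo "$sshd links liblzma: $(liblzma_path "$sshd")"
    else
        echo "$sshd does not link liblzma"
    fi
    if command -v xz >/dev/null 2>&1; then
        ver=$(extract_version "$(xz --version 2>/dev/null | head -n 1)")
        if xz_version_affected "$ver"; then
            echo "xz $ver is one of the affected releases named in the advisory; upgrade now"
            return 2
        fi
        echo "xz version ${ver:-unknown} is not in the affected list (not proof of safety)"
    fi
    return 0
}

main_check || true
```

The version test is deliberately the weaker half: a host can carry a rebuilt, clean 5.6.1 or a vulnerable package under a different label, so the sshd-links-liblzma question and the distro's own advisory are what actually decide whether to act.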

@AndresFreundTec It's kind of sad reading the mailing list for the old maintainer of xz-utils / liblzma. Dude was single-handedly maintaining it after creating it as a hobby project, he got driven into the ground, and he passed the project off to the culprit after being (rudely) urged to give it up. This should be a wake-up call tbh; this shouldn't happen to projects that have one maintainer and that literally hold the entire tech industry and Linux ecosystem on their shoulders.
[Image: xkcd, "Dependency"]