Backdoor only gets inserted when building RPM or DEB. So while updating frequently is a good idea, it won’t change anything for Arch users today.
I think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resulting package, as it checked for specific packaging systems.
> when building RPM or DEB.
Which ones? Everything I run seems to be clear.
https://access.redhat.com/security/cve/CVE-2024-3094
Products / Services | Components | State |
---|---|---|
Enterprise Linux 6 | xz | Not affected |
Enterprise Linux 7 | xz | Not affected |
Enterprise Linux 8 | xz | Not affected |
Enterprise Linux 9 | xz | Not affected |
(and thus all the bug-for-bug clones)