I noticed the CVE for xz while updating (CVE was created just hours before) so I reverted to older version just in case. There are several factors which would have made the backdoor not work in Sailfish (based on current information): we don’t use patched openssh, the architectures affected are rare or non-existent for Sailfish, and most importantly we build xz from git and since one of the critical parts for enabling the backdoor is only in the release tarball it wouldn’t have been enabled.
